From d8449de55e49b71a4e953a36bc0624cb2d6b4770 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 10 Jul 2022 14:24:09 +0100
Subject: [PATCH] feat(profiles): add and merge some cni profiles.

---
 apparmor.d/groups/virt/cni-bandwidth | 15 +++++++++------
 apparmor.d/groups/virt/cni-bridge | 18 ++++++++++++++++++
 apparmor.d/groups/virt/cni-firewall | 18 ++++++++++++++++++
 apparmor.d/groups/virt/cni-loopback | 6 +++---
 apparmor.d/groups/virt/cni-portmap | 6 +++---
 apparmor.d/groups/virt/cni-tuning | 18 ++++++++++++++++++
 6 files changed, 69 insertions(+), 12 deletions(-)
 create mode 100644 apparmor.d/groups/virt/cni-bridge
 create mode 100644 apparmor.d/groups/virt/cni-firewall
 create mode 100644 apparmor.d/groups/virt/cni-tuning

diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth
index c477581d..a19504b8 100644
--- a/apparmor.d/groups/virt/cni-bandwidth
+++ b/apparmor.d/groups/virt/cni-bandwidth
@@ -6,16 +6,19 @@ abi ,
 
 include
 
-@{exec_path} = /opt/cni/bin/bandwidth
-profile bandwidth @{exec_path} {
+@{exec_path} = /{usr/,}lib/cni/bandwidth /opt/cni/bin/bandwidth
+profile cni-bandwidth @{exec_path} {
  include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
 
  @{exec_path} mr,
 
- network inet,
- network netlink raw,
-
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
- include if exists
+ include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge
new file mode 100644
index 00000000..e2a3a76f
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-bridge
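Review bot: Renaming the profile from `bandwidth` to `cni-bandwidth` also changes the `include if exists` target on the last changed line of the hunk (the bracketed target is not visible on this page, but both sides of that line differ only in it), so any site-local override installed under the old profile name silently stops being applied. The same rename happens in the cni-loopback and cni-portmap hunks; a one-line note in the commit description, or a mention in the project's changelog, would warn administrators to move their `local/` overrides. Narrowing the old `network inet,` to explicit dgram/stream rules per address family is a welcome tightening. As a style point, this hunk moves the network rules above `@{exec_path} mr,`, whereas the other cni profiles in this commit keep `@{exec_path} mr,` as the first rule; keeping the same order across the group makes the profiles easier to diff against each other.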
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cni/bridge /opt/cni/bin/bridge
+profile cni-bridge @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall
new file mode 100644
index 00000000..729329e5
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-firewall
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cni/firewall /opt/cni/bin/firewall
+profile cni-firewall @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback
index e1389f93..7e618fe6 100644
--- a/apparmor.d/groups/virt/cni-loopback
+++ b/apparmor.d/groups/virt/cni-loopback
@@ -6,13 +6,13 @@ abi ,
 
 include
 
-@{exec_path} = /opt/cni/bin/loopback
-profile loopback @{exec_path} {
+@{exec_path} = /{usr/,}lib/cni/loopback /opt/cni/bin/loopback
+profile cni-loopback @{exec_path} {
  include
 
  @{exec_path} mr,
 
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
- include if exists
+ include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap
index 8d768844..38fec593 100644
--- a/apparmor.d/groups/virt/cni-portmap
+++ b/apparmor.d/groups/virt/cni-portmap
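Review bot: The new cni-bridge profile grants only `@{exec_path} mr,` and one sysfs read, with none of the `network` rules that the cni-bandwidth hunk in this same commit needed; if this plugin configures interfaces at runtime (not shown on this page), the profile will deny that work as soon as it is enforced. The cni-firewall and cni-tuning hunks have the identical rule set and the same concern. Unless the rules were already confirmed against audit logs, marking the header `profile cni-bridge @{exec_path} flags=(complain) {` until the real access pattern is known would surface denials without breaking container networking, and a short comment above the profile line saying which plugin behaviour was tested would help the next maintainer. As a style point, all three new files end with `\ No newline at end of file`, unlike the existing cni profiles; adding the trailing newline keeps future diffs clean.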
@@ -6,13 +6,13 @@ abi ,
 
 include
 
-@{exec_path} = /opt/cni/bin/portmap
-profile portmap @{exec_path} {
+@{exec_path} = /{usr/,}lib/cni/portmap /opt/cni/bin/portmap
+profile cni-portmap @{exec_path} {
  include
 
  @{exec_path} mr,
 
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
- include if exists
+ include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning
new file mode 100644
index 00000000..dc14dfa4
--- /dev/null
+++ b/apparmor.d/groups/virt/cni-tuning
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cni/tuning /opt/cni/bin/tuning
+profile cni-tuning @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
\ No newline at end of file