Update apparmor profiles
skolekonov committed Sep 17, 2018
1 parent cfb5e53 commit 5b29f87
Showing 3 changed files with 17 additions and 3 deletions.
2 changes: 1 addition & 1 deletion deploy/apparmor/README.md
Expand Up @@ -5,7 +5,7 @@ an [apparmor](https://gitlab.com/apparmor/apparmor/wikis/home) enabled environme

* install the profiles located in this directory into the corresponding directory (/etc/apparmor.d/ if you use Debian or its derivatives)
```bash
sudo install -m 0644 libvirt virtlet vms -t /etc/apparmor.d/
sudo install -m 0644 libvirtd virtlet vms -t /etc/apparmor.d/
```
* apply them by
* restarting the apparmor service
16 changes: 15 additions & 1 deletion deploy/apparmor/virtlet
Expand Up @@ -12,26 +12,37 @@ profile virtlet flags=(attach_disconnected) {
capability net_raw,
capability sys_admin,
capability sys_chroot,
capability sys_ptrace,
network inet raw,
network inet6 raw,

/ r,
/bin/sleep ix,
/etc/ethertypes r,
/etc/cni/net.d/ r,
/etc/cni/net.d/* r,
/etc/kubernetes/kubelet.kubeconfig r,
/etc/kubernetes/ssl/* r,
/etc/virtlet/images/ r,
/etc/virtlet/images/** r,
/{usr/,}bin/genisoimage rix,
/{usr/,}bin/socat rix,
/{usr/,}bin/ip rix,
/{usr/,}bin/nsenter rix,
/{usr/,}bin/qemu-img rix,
/{usr/,}sbin/ebtables rix,
/{usr/,}sbin/brctl rix,
/opt/cni/bin/bridge rix,
/opt/cni/bin/calico* rix,
/opt/cni/bin/flannel rix,
/opt/cni/bin/genie rix,
/opt/cni/bin/host-local rix,
/usr{/local,}/bin/virtlet mrix,
/usr{/local,}/lib/lib{virt,guest}*.so* rm,
/var/lib/cni/networks/* r,
/var/lib/etcd/*.pem r,
/var/lib/calico/nodename r,
/var/lib/docker/overlay2/** r,
/var/lib/libvirt/virtd* ixr,
/var/lib/libvirt/*.sock rw,
/var/lib/virtlet/** rwk,
Expand All @@ -47,10 +58,13 @@ profile virtlet flags=(attach_disconnected) {
@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv4/conf/cali*/* w,
@{PROC}/sys/net/ipv4/neigh/cali*/* w,
@{PROC}/sys/net/ipv4/ip_forward w,

/run/flannel/* r,
/run/libvirt/libvirt-sock rw,
/run/virtlet.sock rw,
/run/netns/ r,
/run/virtlet-diag.sock rw,
/run/netns/ rw,
/run/netns/* rw,

/sys/class/net/ r,
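Review bot: Several of the new rules in the first hunk grant node-wide read access with no comment on why virtlet needs it: `/var/lib/etcd/*.pem r` matches private keys as well as certificates (so does `/etc/kubernetes/ssl/* r`), and `/var/lib/docker/overlay2/** r` lets the confined process read every container's root filesystem on the node. If the etcd material is only there for the calico plugin executed via `/opt/cni/bin/calico* rix`, narrow the rule to the CA/cert/key files that plugin actually opens, or at least document each broad rule, e.g. `# etcd client TLS material: read by the calico CNI plugin, which inherits this profile (rix)` and `# overlay2: <state the reason here>`. Note also that `/{usr/,}bin/nsenter rix` together with `capability sys_admin`, `capability sys_ptrace` and `/run/netns/* rw` appears to let anything running under this profile enter arbitrary namespaces on the host, so the `ix` inheritance is what keeps those children confined; a comment such as `# keep ix: nsenter/ip/socat must stay under this profile` would stop a later edit from switching it to an unconfined transition. The enclosing `profile virtlet` block starts and ends outside the hunks.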
2 changes: 1 addition & 1 deletion deploy/apparmor/vms
@@ -1,6 +1,6 @@
#include <tunables/global>

profile vms {
profile vms flags=(attach_disconnected) {
#include <abstractions/libvirt-qemu>

ptrace trace peer=@{profile_name},
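Review bot: `flags=(attach_disconnected)` is added to the `vms` profile without a comment recording which disconnected path qemu opened that required it. The flag makes AppArmor attach paths that are not connected to the namespace root to `/`, so the file rules in this profile and in the included `abstractions/libvirt-qemu` may now match objects they were not written for, which is a relaxation worth being able to re-evaluate later. Add a comment above the profile line along the lines of `# attach_disconnected: needed for <path from the observed denial>; re-check when libvirt/qemu is upgraded`. The profile body continues outside the hunk.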
