github.com/mirantis/virtlet@v1.5.2-0.20191204181327-1659b8a48e9b/deploy/apparmor/virtlet

github.com/mirantis/virtlet@v1.5.2-0.20191204181327-1659b8a48e9b/deploy/apparmor/virtlet (about)

     1  #include <tunables/global>
     2  
     3  profile virtlet flags=(attach_disconnected) {
     4    #include <abstractions/base>
     5    #include <abstractions/libvirt-qemu>
     6    #include <abstractions/nameservice>
     7  
     8    allow mount,
     9    allow umount,
    10    allow ptrace (read,trace) peer="unconfined",
    11    capability net_admin,
    12    capability net_raw,
    13    capability sys_admin,
    14    capability sys_chroot,
    15    capability sys_ptrace,
    16    network inet raw,
    17    network inet6 raw,
    18  
    19    / r,
    20    /bin/sleep ix,
    21    /etc/ethertypes r,
    22    /etc/cni/net.d/ r,
    23    /etc/cni/net.d/* r,
    24    /etc/kubernetes/kubelet.kubeconfig r,
    25    /etc/kubernetes/ssl/* r,
    26    /etc/virtlet/images/ r,
    27    /etc/virtlet/images/** r,
    28    /{usr/,}bin/genisoimage rix,
    29    /{usr/,}bin/socat rix,
    30    /{usr/,}bin/ip rix,
    31    /{usr/,}bin/nsenter rix,
    32    /{usr/,}bin/qemu-img rix,
    33    /{usr/,}sbin/ebtables rix,
    34    /{usr/,}sbin/brctl rix,
    35    /opt/cni/bin/bridge rix,
    36    /opt/cni/bin/calico* rix,
    37    /opt/cni/bin/flannel rix,
    38    /opt/cni/bin/genie rix,
    39    /opt/cni/bin/host-local rix,
    40    /usr{/local,}/bin/virtlet mrix,
    41    /usr{/local,}/lib/lib{virt,guest}*.so* rm,
    42    /var/lib/cni/networks/* r,
    43    /var/lib/etcd/*.pem r,
    44    /var/lib/calico/nodename r,
    45    /var/lib/docker/overlay2/** r,
    46    /var/lib/libvirt/virtd* ixr,
    47    /var/lib/libvirt/*.sock rw,
    48    /var/lib/virtlet/** rwk,
    49    /var/lib/kubelet/pods/** rw,
    50    /var/log/pods/** rw,
    51    /{var/,}tmp/{,**} rw,
    52  
    53    @{PROC}/@{pid}/net/psched r,
    54    @{PROC}/@{pid}/net/ipv6_route r,
    55    @{PROC}/@{pid}/status r,
    56    @{PROC}/@{pid}/environ r,
    57    @{PROC}/sys/kernel/hostname r,
    58    @{PROC}/sys/net/core/somaxconn r,
    59    @{PROC}/sys/net/ipv4/conf/cali*/* w,
    60    @{PROC}/sys/net/ipv4/neigh/cali*/* w,
    61    @{PROC}/sys/net/ipv4/ip_forward w,
    62  
    63    /run/flannel/* r,
    64    /run/libvirt/libvirt-sock rw,
    65    /run/virtlet.sock rw,
    66    /run/virtlet-diag.sock rw,
    67    /run/netns/ rw,
    68    /run/netns/* rw,
    69  
    70    /sys/class/net/ r,
    71    /sys/devices/pci*/*/*/ r,
    72    /sys/devices/pci*/*/*/* r,
    73    /sys/devices/virtual/net/br*/bridge/ageing_time rw,
    74    /sys/bus/pci/devices/ r,
    75    /sys/bus/pci/devices/*/driver/unbind w,
    76  
    77    /start.sh r,
    78  }