author | Stefano Brivio <sbrivio@redhat.com> | 2022-11-14 23:56:52 +0100 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2022-11-16 15:11:07 +0100 |
commit | fb7b71b86f5591cc4bf83fcf4081634f4c2980aa (patch) | |
tree | 5edd8777337d2e3e1ca0baea7c851afbcb3a75f0 /contrib/apparmor/usr.bin.pasta | |
parent | b6400db3a642d1960516a748262045d1364d92c1 (diff) | |
contrib/apparmor: Merge pasta and passt profiles, update rules
AppArmor resolves executable links before profile attachment rules
are evaluated, so, as long as pasta is installed as a link to passt,
there's no way to differentiate the two cases. Merge the two profiles
and leave a TODO note behind, explaining two possible ways forward.
Update the rules so that passt and pasta are actually usable, once
the profile is installed. Most required changes are related to
isolation and sandboxing features.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'contrib/apparmor/usr.bin.pasta')
-rw-r--r-- | contrib/apparmor/usr.bin.pasta | 66 |
1 files changed, 0 insertions, 66 deletions
diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta deleted file mode 100644 index 844fcf3..0000000 --- a/contrib/apparmor/usr.bin.pasta +++ /dev/null @@ -1,66 +0,0 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later -# -# PASTA - Pack A Subtle Tap Abstraction -# for network namespace/tap device mode -# -# contrib/apparmor/usr.bin.pasta - AppArmor profile example/template for pasta -# -# Copyright (c) 2022 Red Hat GmbH -# Author: Stefano Brivio <sbrivio@redhat.com> - -abi <abi/3.0>, - -include <tunables/global> - -/usr/bin/pasta flags=(attach_disconnected) { - include <abstractions/base> # Interactive shell - include <abstractions/nameservice> - include <abstractions/consoles> - include <abstractions/bash> - owner /proc/**/ns/user r, - / r, - capability sys_ptrace, # bash - capability dac_read_search, - capability dac_override, - @{etc_ro}/** r, - /usr/** r, - /lib/** r, - owner @{HOME}/** rw, - owner /tmp/** rw, - - /proc/*/net/tcp r, # procfs_scan_listen(), util.c - /proc/*/net/tcp6 r, - /proc/*/net/udp r, - /proc/*/net/udp6 r, - - /dev/net/tun rw, # tap_ns_tun(), tap.c - - capability net_admin, # for network namespace only - capability setpcap, # drop_caps(), util.c - capability sys_admin, # sandbox(), passt.c - - mount "" -> "/", # sandbox(), passt.c - mount "" -> "/tmp/", - pivot_root "/tmp/" -> "/tmp/", - umount "/", - - network netlink raw, # netlink.c - - network inet stream, # tcp.c - network inet6 stream, - - network inet dgram, # udp.c - network inet6 dgram, - - network unix stream, # tap.c - - network unix dgram, # __openlog(), util.c - - owner /proc/*/gid_map w, # pasta_setup_ns() - owner /proc/*/setgroups w, - owner /proc/*/uid_map w, - owner /proc/sys/net/ipv4/ping_group_range w, - /{usr/,}bin/** mrix, # spawning shell - - /usr/bin/pasta.avx2 ix, # arch_avx2_exec(), arch.c -} |
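Review bot: the hunk only shows the deletion of contrib/apparmor/usr.bin.pasta, so the merged profile that is meant to absorb these rules is not visible in this diffstat; please confirm that the pasta-only entries it carried are present in the merged passt profile, in particular `owner /proc/*/gid_map w,`, `owner /proc/*/uid_map w,` and `owner /proc/*/setgroups w,` (pasta_setup_ns()), `/usr/bin/pasta.avx2 ix,` (arch_avx2_exec()), and the shell-related grants `capability sys_ptrace`, `owner @{HOME}/** rw,` and `/{usr/,}bin/** mrix,`. Since the commit message states AppArmor cannot tell pasta from passt when pasta is a symlink, merging means passt will also be confined under these broader, shell-spawning and user-namespace-map-writing permissions; the TODO note mentioned in the message should say so explicitly, and the `owner @{HOME}/** rw,` and `/{usr/,}bin/** mrix,` rules are wide enough that narrowing them (or moving the interactive-shell rules into a separate child profile once the two cases can be distinguished) is worth listing as one of the possible ways forward.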