Diffstat (limited to 'contrib/apparmor')
-rw-r--r-- | contrib/apparmor/abstractions/passt | 5 | ||||
-rw-r--r-- | contrib/apparmor/abstractions/pasta | 5 | ||||
-rw-r--r-- | contrib/apparmor/usr.bin.passt | 9 | ||||
-rw-r--r-- | contrib/apparmor/usr.bin.pasta | 12 |
4 files changed, 22 insertions, 9 deletions
diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index 6bb25e0..43fd63f 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -26,13 +26,16 @@
 capability sys_ptrace,
 / r,
 # isolate_prefork(), isolation.c
- mount options=(rw, runbindable) /,
+ mount options=(rw, runbindable) -> /,
+ mount "" -> "/",
 mount "" -> "/tmp/",
 pivot_root "/tmp/" -> "/tmp/",
 umount "/",
 owner @{PROC}/@{pid}/uid_map r, # conf_ugid()
+ @{PROC}/sys/net/ipv4/ip_local_port_range r, # fwd_probe_ephemeral()
+
 network netlink raw, # nl_sock_init_do(), netlink.c
 network inet stream, # tcp.c
diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta
index a890391..9f73bee 100644
--- a/contrib/apparmor/abstractions/pasta
+++ b/contrib/apparmor/abstractions/pasta
@@ -27,8 +27,9 @@
 @{PROC}/@{pid}/net/udp r,
 @{PROC}/@{pid}/net/udp6 r,
- @{run}/user/@{uid}/netns/* r, # pasta_open_ns(), pasta.c
+ @{run}/user/@{uid}/** rw, # pasta_open_ns()
+ @{PROC}/[0-9]*/ns/ r, # pasta_netns_quit_init(),
 @{PROC}/[0-9]*/ns/net r, # pasta_wait_for_ns(),
 @{PROC}/[0-9]*/ns/user r, # conf_pasta_ns()
@@ -42,3 +43,5 @@
 /{usr/,}bin/** Ux,
 /usr/bin/pasta.avx2 ix, # arch_avx2_exec(), arch.c
+
+ ptrace r, # pasta_open_ns()
diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt
index 564f82f..9568189 100644
--- a/contrib/apparmor/usr.bin.passt
+++ b/contrib/apparmor/usr.bin.passt
@@ -19,9 +19,12 @@ profile passt /usr/bin/passt{,.avx2} {
 include <abstractions/passt>
 # Alternatively: include <abstractions/user-tmp>
- owner /tmp/** w, # tap_sock_unix_init(), pcap(),
- # write_pidfile(),
+ owner /tmp/** w, # tap_sock_unix_open(),
+ # tap_sock_unix_init(), pcap(),
+ # pidfile_open(),
+ # pidfile_write(),
 # logfile_init()
- owner @{HOME}/** w, # pcap(), write_pidfile()
+ owner @{HOME}/** w, # pcap(), pidfile_open(),
+ # pidfile_write()
 }
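Review bot: In the contrib/apparmor/abstractions/pasta hunk, `@{run}/user/@{uid}/** rw,` replaces a read-only rule on `netns/*` with read and write access to the entire per-user runtime directory, which on a typical session also holds the user's other sockets and runtime state, while the comment only cites pasta_open_ns(). If that function merely opens a namespace file under a user-supplied path, read access is all it needs and the rule can stay at `@{run}/user/@{uid}/** r,`; if a write really is required, the comment should name the operation that needs it so the widening is deliberate rather than a convenience. The second hunk's `ptrace r,` is the expected companion for opening another process's namespace and needs no change.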
diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta
index e5ee4df..2483968 100644
--- a/contrib/apparmor/usr.bin.pasta
+++ b/contrib/apparmor/usr.bin.pasta
@@ -19,9 +19,13 @@ profile pasta /usr/bin/pasta{,.avx2} flags=(attach_disconnected) {
 include <abstractions/pasta>
 # Alternatively: include <abstractions/user-tmp>
- owner /tmp/** w, # tap_sock_unix_init(), pcap(),
- # write_pidfile(),
- # logfile_init()
+ /tmp/** rw, # tap_sock_unix_open(),
+ # tap_sock_unix_init(), pcap(),
+ # pidfile_open(),
+ # pidfile_write(),
+ # logfile_init(),
+ # pasta_open_ns()
- owner @{HOME}/** w, # pcap(), write_pidfile()
+ owner @{HOME}/** w, # pcap(), pidfile_open(),
+ # pidfile_write()
 } |
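Review bot: `/tmp/** rw,` drops the `owner` qualifier that the replaced rule carried and that the sibling rule in usr.bin.passt (`owner /tmp/** w,`) still keeps, so pasta may now read and overwrite any file under /tmp regardless of who owns it, not only its own socket, pcap, pidfile and log. If the motivation is that the namespace file opened by pasta_open_ns() may belong to another uid, the write side can remain owner-restricted by splitting the rule into `owner /tmp/** w,` and `/tmp/** r,`. Whichever form is kept, a short comment stating why `owner` no longer applies would spare the next reader from guessing. The profile block opened in the hunk header closes at the `}` context line at the end of the hunk.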