# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/containerd
@{att} = /att/containerd/
profile containerd /{,usr/}bin/containerd  flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/devices-usb>
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  capability chown,
  capability dac_read_search,
  capability dac_override,
  capability fsetid,
  capability fowner,
  capability mknod,
  capability net_admin,
  capability setfcap,
  capability sys_admin,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
  mount -> /var/lib/containerd/tmpmounts/containerd-mount@{int}/,
  mount -> /tmp/ctd-volume@{int}/,
  mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},

  umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/@{hex}/shm/,
  umount /var/lib/containerd/tmpmounts/containerd-mount@{int}/,
  umount /tmp/ctd-volume@{int}/,
  umount @{run}/netns/cni-@{uuid},

  signal (receive) set=term peer={dockerd,k3s},
  signal (send) set=kill peer={containerd-shim-runc-v2,cni-calico},

  @{exec_path} mr,

  @{sbin}/apparmor_parser         rpx,
  @{bin}/containerd-shim-runc-v2  rpx,
  @{bin}/kmod                     rpx,
  @{bin}/unpigz                  rpux,
  /{usr/,}{local/,}{s,}bin/zfs    rpx,

  / r,

  /opt/cni/bin/loopback  rpx,
  /opt/cni/bin/portmap   rpx,
  /opt/cni/bin/bandwidth rpx,
  /opt/cni/bin/calico    rpx,

  /etc/calico/ rw,
  /etc/cni/ rw,
  /etc/cni/{,**} r,
  /etc/cni/net.d/ rw,
  /etc/containerd/*.toml r,

  /opt/containerd/{,**} rw,

  /var/lib/cni/{,**/} w,
  /var/lib/cni/results/cni-loopback-@{uuid}-lo wl,
  /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl,
  /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl,
  /var/lib/containerd/{,**} rwlk,
  /var/lib/docker/containerd/{,**} rwk,
  /var/lib/kubelet/seccomp/{,**} r,
  /var/lib/security-profiles-operator/{,**} r,

  /var/log/pods/**/@{int}.log{,*} w,

  @{run}/calico/ w,
  @{run}/containerd/{,**} rwk,
  @{run}/docker/containerd/{,**} rwk,
  @{run}/netns/ w,
  @{run}/netns/cni-@{uuid} rw,
  @{run}/nri/ w,
  @{run}/nri/nri.sock rw,
  @{run}/systemd/notify w,

  /tmp/cri-containerd.apparmor.d@{int} rwl,
  /tmp/ctd-volume@{int}/{,**} rw,

  @{sys}/fs/cgroup/kubepods/** r,
  @{sys}/kernel/security/apparmor/profiles r,
  @{sys}/module/apparmor/parameters/enabled r,

        @{PROC}/@{pid}/task/@{tid}/mountinfo r,
        @{PROC}/@{pid}/task/@{tid}/ns/net rw,
        @{PROC}/sys/net/core/somaxconn r,
  owner @{PROC}/@{pid}/attr/current r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/uid_map r,

  /dev/bsg/ r,
  /dev/bus/ r,
  /dev/char/ r,
  /dev/cpu/ r,
  /dev/cpu/@{int}/ r,
  /dev/dma_heap/ r,
  /dev/dri/ r,
  /dev/dri/by-path/ r,
  /dev/hugepages/ r,
  /dev/input/ r,
  /dev/input/by-id/ r,
  /dev/input/by-path/ r,
  /dev/net/ r,
  /dev/snd/ r,
  /dev/snd/by-path/ r,
  /dev/vfio/ r,

  include if exists <local/containerd>
}

# vim:syntax=apparmor
