Update apparmor profiles #765
Conversation
deploy/apparmor/virtlet
Outdated
| @@ -29,9 +33,12 @@ profile virtlet flags=(attach_disconnected) { | |||
| /{usr/,}sbin/ebtables rix, | |||
| /{usr/,}sbin/brctl rix, | |||
| /opt/cni/bin/calico* rix, | |||
| /opt/cni/bin/genie rix, | |||
There was a problem hiding this comment.
What about other plugins, like flannel?
Same with ipam plugins (host-local, dhcp).
Maybe it needs a note in readme how to enable/disable particular plugins?
There was a problem hiding this comment.
For flannel it works, can you please provide a list of binaries specific to ipam plugins?
There was a problem hiding this comment.
So /opt/cni/bin/flannel (and probably the same will be with /opt/cni/bin/bridge) does not require such entry with rix flag, right?
It will have read right to /run/flannel/subnet.env?
Mainly used ipam plugin will be probably /opt/cni/bin/host-local, which stores own data files in /var/lib/cni/networks/$NETWORK_NAME - with network name defined as in plugin config file.
There was a problem hiding this comment.
I think it's better to provide access to the main binaries anyway, if there's a possibility that they will be executed. Will update rules
skolekonov
force-pushed
the
update-apparmor
branch
from
37e61b0
to
5b29f87
Compare
There was a problem hiding this comment.
Reviewed 2 of 3 files at r1, 1 of 1 files at r2.
Reviewable status: 0 of 2 approvals obtained
There was a problem hiding this comment.
Reviewed 2 of 3 files at r1, 1 of 1 files at r2.
Reviewable status: 1 of 2 approvals obtained
This change is