If pasta and pasta.avx2 are hard links to passt and passt.avx2, AppArmor will attach their own profiles on execution, and we can restrict passt's profile to what it actually needs. Note that pasta needs to access all the resources that passt needs, so the pasta abstraction still includes passt's one. I plan to push the adaptation required for the Debian package in commit 5bb812e79143 ("debian/rules: Override pasta symbolic links with hard links"), on Salsa. If other distributions need to support AppArmor profiles they can follow a similar approach. The profile itself will be installed, there, via dh_apparmor, in a separate commit, b52557fedcb1 ("debian/rules: Install new pasta profile using dh_apparmor"). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
# SPDX-License-Identifier: GPL-2.0-or-later
#
# PASST - Plug A Simple Socket Transport
#  for qemu/UNIX domain socket mode
#
# PASTA - Pack A Subtle Tap Abstraction
#  for network namespace/tap device mode
#
# contrib/apparmor/abstractions/pasta - Abstraction for pasta(1)
#
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>

abi <abi/3.0>,

# pasta is the same binary as passt running in a different mode, so it needs
# everything passt needs: the passt abstraction is a strict subset of this one.
include <abstractions/passt>

# Mount a procfs (no source) on /proc/
mount "" -> "/proc/",

# Socket table scan, procfs_scan_listen() in util.c: init-namespace view and
# per-process view of the TCP/UDP tables
@{PROC}/net/{tcp,tcp6,udp,udp6} r,
@{PROC}/@{pid}/net/{tcp,tcp6,udp,udp6} r,

# Namespace handles: named network namespaces, pasta_open_ns() in pasta.c;
# network and user namespace of a target PID, pasta_wait_for_ns() and
# conf_pasta_ns()
@{run}/user/@{uid}/netns/* r,
@{PROC}/[0-9]*/ns/{net,user} r,

# tap device in the target namespace, tap_ns_tun() in tap.c
/dev/net/tun rw,

# ID mappings for the spawned user namespace, pasta_start_ns() and
# conf_ugid(): 'owner' limits this to /proc entries pasta itself owns
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/uid_map rw,

# pasta_spawn_cmd() in pasta.c: ping_group_range is the kernel knob for
# unprivileged ICMP sockets in the new namespace
owner @{PROC}/sys/net/ipv4/ping_group_range w,

# The shell or command spawned in the namespace runs unconfined: Ux means no
# profile transition, with the environment scrubbed. Whatever that command
# does is outside AppArmor's control -- the boundary there is the namespace
# itself, not this profile.
/{usr/,}bin/** Ux,

# arch_avx2_exec() in arch.c: re-exec the AVX2 build under this same profile
# (ix). This exact path is expected to take precedence over the ** rule
# above; verify with 'apparmor_parser -p' whenever either rule is changed.
/usr/bin/pasta.avx2 ix,