#include <tunables/global>

# AppArmor profile for the virtlet node agent binary.
#
# The rule set shows virtlet driving libvirt/qemu (libvirt-qemu abstraction,
# libvirt sockets), running CNI plugins for VM networking (/opt/cni/bin/*,
# ip/brctl/ebtables, netns handling) and reading kubelet credentials. All rules
# are allow rules: once the profile is loaded in enforce mode, anything not
# listed here is denied. Rule order does not matter to AppArmor, so the
# grouping below is purely for readability.
#
# attach_disconnected: paths that have been detached from the namespace
# (e.g. after entering another mount namespace) are attached to "/" instead
# of being denied. Presumably needed for the nsenter flow granted below — TODO
# confirm, and drop the flag if it is not exercised.
profile virtlet flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/libvirt-qemu>
  #include <abstractions/nameservice>

  # Mount/umount with no fstype, option or path qualifiers: any mount operation
  # is permitted. Narrowing these (e.g. to the directories virtlet actually
  # mounts) would be the first step toward a tighter profile — TODO confirm
  # which mounts virtlet performs.
  allow mount,
  allow umount,
  # Tracing of unconfined peers (e.g. host daemons). Together with
  # capability sys_ptrace this reaches well outside virtlet's own processes.
  allow ptrace (read,trace) peer="unconfined",
  # Capabilities. net_admin/net_raw/sys_chroot line up with the CNI, ip and
  # nsenter rules further down. sys_admin and sys_ptrace are widely treated
  # as root-equivalent, so this profile limits accidental file access rather
  # than containing a compromised virtlet — keep that expectation in mind when
  # reviewing the rest of the rules. TODO confirm each capability is still
  # required by the current code paths.
  capability net_admin,
  capability net_raw,
  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,
  network inet raw,
  network inet6 raw,

  # Filesystem rules. Permission letters: r read, w write, k file lock,
  # m mmap executable, ix execute inheriting this profile.
  / r,
  /bin/sleep ix,
  /etc/ethertypes r,
  # CNI network configuration.
  /etc/cni/net.d/ r,
  /etc/cni/net.d/* r,
  # Kubernetes client credentials. /etc/kubernetes/ssl/* is a glob over the
  # whole directory, so it covers private keys as well as certificates if
  # they live there. NOTE(review): if virtlet only needs the CA and its own
  # client cert/key, list those files explicitly instead of the glob.
  /etc/kubernetes/kubelet.kubeconfig r,
  /etc/kubernetes/ssl/* r,
  # VM image store.
  /etc/virtlet/images/ r,
  /etc/virtlet/images/** r,
  # Helper binaries virtlet executes; {usr/,} matches both /bin and /usr/bin.
  /{usr/,}bin/genisoimage rix,
  /{usr/,}bin/socat rix,
  /{usr/,}bin/ip rix,
  /{usr/,}bin/nsenter rix,
  /{usr/,}bin/qemu-img rix,
  /{usr/,}sbin/ebtables rix,
  /{usr/,}sbin/brctl rix,
  # CNI plugins. calico* is a glob, so it also covers calico-ipam and any
  # other calico-prefixed binary dropped into /opt/cni/bin.
  /opt/cni/bin/bridge rix,
  /opt/cni/bin/calico* rix,
  /opt/cni/bin/flannel rix,
  /opt/cni/bin/genie rix,
  /opt/cni/bin/host-local rix,
  # virtlet itself (m: the binary is mmap'ed executable) and the libvirt /
  # libguestfs shared libraries it loads.
  /usr{/local,}/bin/virtlet mrix,
  /usr{/local,}/lib/lib{virt,guest}*.so* rm,
  /var/lib/cni/networks/* r,
  # /var/lib/etcd/*.pem matches every PEM file in the etcd data dir, which
  # on many deployments includes the etcd private key. NOTE(review): confirm
  # virtlet needs anything beyond the client cert/CA and name those files.
  /var/lib/etcd/*.pem r,
  /var/lib/calico/nodename r,
  # Read access to every container's overlay2 layers on the node, not only
  # virtlet's own. NOTE(review): if this is for reading image content, a
  # path under virtlet's own image store would be narrower — confirm.
  /var/lib/docker/overlay2/** r,
  # Same permission set as the "rix" used on the other binaries above; the
  # letters are just written in a different order.
  /var/lib/libvirt/virtd* ixr,
  /var/lib/libvirt/*.sock rw,
  # virtlet state (k: file locking is used here).
  /var/lib/virtlet/** rwk,
  # Pod volumes and logs of every pod on the node, read-write.
  /var/lib/kubelet/pods/** rw,
  /var/log/pods/** rw,
  # /tmp and /var/tmp, including everything below them.
  /{var/,}tmp/{,**} rw,

  # procfs. @{pid} is a tunable that matches any process id, so the
  # @{PROC}/@{pid}/... rules apply to every process on the node, not just
  # virtlet's own (DAC permitting). environ in particular may hold other
  # processes' secrets; NOTE(review): if only virtlet's own processes are
  # inspected, prefix these with the "owner" qualifier.
  @{PROC}/@{pid}/net/psched r,
  @{PROC}/@{pid}/net/ipv6_route r,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/environ r,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/net/core/somaxconn r,
  # Node-wide sysctl writes: per-interface settings for Calico veths and
  # the global ip_forward switch.
  @{PROC}/sys/net/ipv4/conf/cali*/* w,
  @{PROC}/sys/net/ipv4/neigh/cali*/* w,
  @{PROC}/sys/net/ipv4/ip_forward w,

  # Runtime sockets and network namespaces.
  /run/flannel/* r,
  /run/libvirt/libvirt-sock rw,
  /run/virtlet.sock rw,
  /run/virtlet-diag.sock rw,
  /run/netns/ rw,
  /run/netns/* rw,

  # sysfs: network interface enumeration, PCI device tree and the ability
  # to unbind any PCI device from its driver (presumably for device
  # passthrough to VMs — TODO confirm).
  /sys/class/net/ r,
  /sys/devices/pci*/*/*/ r,
  /sys/devices/pci*/*/*/* r,
  /sys/devices/virtual/net/br*/bridge/ageing_time rw,
  /sys/bus/pci/devices/ r,
  /sys/bus/pci/devices/*/driver/unbind w,

  # Container entrypoint script.
  /start.sh r,
}