timstclair/loader.yaml

## loader.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: apparmor-profiles
data:
  docker-default-audit: |-
    #include <tunables/global>
    profile docker-default-audit flags=(attach_disconnected,mediate_deleted) {

      #include <abstractions/base>

      network,
      capability,
      file,
      umount,

      deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
      # deny write to files not in /proc/<number>/** or /proc/sys/**
      deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
      deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
      deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
      deny @{PROC}/sysrq-trigger rwklx,
      deny @{PROC}/mem rwklx,
      deny @{PROC}/kmem rwklx,
      deny @{PROC}/kcore rwklx,

      deny mount,

      deny /sys/[^f]*/** wklx,
      deny /sys/f[^s]*/** wklx,
      deny /sys/fs/[^c]*/** wklx,
      deny /sys/fs/c[^g]*/** wklx,
      deny /sys/fs/cg[^r]*/** wklx,
      deny /sys/firmware/efi/efivars/** rwklx,
      deny /sys/kernel/security/** rwklx,


      # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
      ptrace (trace,read) peer=docker-default,

      # END docker-default

      # Audit all writes!
      audit /** w,
    }
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: apparmor-loader
spec:
  template:
    metadata:
      name: apparmor-loader
      labels:
        daemon: apparmor-loader
    spec:
      containers:
      - name: apparmor-loader
        image: google/apparmor-loader:latest
        args:
          # Tell the loader to pull the /profiles directory every 30 seconds.
          - -poll
          - 30s
          - /profiles
        securityContext:
          # The loader requires root permissions to actually load the profiles.
          privileged: true
        volumeMounts:
        - name: sys
          mountPath: /sys
          readOnly: true
        - name: apparmor-includes
          mountPath: /etc/apparmor.d
          readOnly: true
        - name: profiles
          mountPath: /profiles
          readOnly: true
      volumes:
      # The /sys directory must be mounted to interact with the AppArmor module.
      - name: sys
        hostPath:
          path: /sys
      # The /etc/apparmor.d directory is required for most apparmor include templates.
      - name: apparmor-includes
        hostPath:
          path: /etc/apparmor.d
      # Map in the profile data.
      - name: profiles
        configMap:
          name: apparmor-profiles

	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: apparmor-profiles
	data:
	docker-default-audit: \|-
	#include <tunables/global>
	profile docker-default-audit flags=(attach_disconnected,mediate_deleted) {

	#include <abstractions/base>

	network,
	capability,
	file,
	umount,

	deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
	# deny write to files not in /proc/<number>/ or /proc/sys/
	deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]}/* w,
	deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
	deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]*} w, # deny everything except shm in /proc/sys/kernel/
	deny @{PROC}/sysrq-trigger rwklx,
	deny @{PROC}/mem rwklx,
	deny @{PROC}/kmem rwklx,
	deny @{PROC}/kcore rwklx,

	deny mount,

	deny /sys/[^f]/* wklx,
	deny /sys/f[^s]/* wklx,
	deny /sys/fs/[^c]/* wklx,
	deny /sys/fs/c[^g]/* wklx,
	deny /sys/fs/cg[^r]/* wklx,
	deny /sys/firmware/efi/efivars/** rwklx,
	deny /sys/kernel/security/** rwklx,


	# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
	ptrace (trace,read) peer=docker-default,

	# END docker-default

	# Audit all writes!
	audit /** w,
	}
	---
	apiVersion: extensions/v1beta1
	kind: DaemonSet
	metadata:
	name: apparmor-loader
	spec:
	template:
	metadata:
	name: apparmor-loader
	labels:
	daemon: apparmor-loader
	spec:
	containers:
	- name: apparmor-loader
	image: google/apparmor-loader:latest
	args:
	# Tell the loader to pull the /profiles directory every 30 seconds.
	- -poll
	- 30s
	- /profiles
	securityContext:
	# The loader requires root permissions to actually load the profiles.
	privileged: true
	volumeMounts:
	- name: sys
	mountPath: /sys
	readOnly: true
	- name: apparmor-includes
	mountPath: /etc/apparmor.d
	readOnly: true
	- name: profiles
	mountPath: /profiles
	readOnly: true
	volumes:
	# The /sys directory must be mounted to interact with the AppArmor module.
	- name: sys
	hostPath:
	path: /sys
	# The /etc/apparmor.d directory is required for most apparmor include templates.
	- name: apparmor-includes
	hostPath:
	path: /etc/apparmor.d
	# Map in the profile data.
	- name: profiles
	configMap:
	name: apparmor-profiles