diff --git a/api/apparmorprofile/v1alpha1/apparmorprofile_types.go b/api/apparmorprofile/v1alpha1/apparmorprofile_types.go
index 7614925324..7d34633993 100644
--- a/api/apparmorprofile/v1alpha1/apparmorprofile_types.go
+++ b/api/apparmorprofile/v1alpha1/apparmorprofile_types.go
@@ -82,6 +82,8 @@ type AppArmorAbstract struct {
 Network *AppArmorNetworkRules `json:"network,omitempty"`
 // Capability rules for Linux capabilities.
 Capability *AppArmorCapabilityRules `json:"capability,omitempty"`
+ // Extra rules for other config.
+ Extra string `json:"extra,omitempty"`
 }
 
 // AppArmorProfileSpec defines the desired state of AppArmorProfile.
diff --git a/deploy/base-crds/crds/apparmorprofile.yaml b/deploy/base-crds/crds/apparmorprofile.yaml
index 09fce2b40a..7e6d13844d 100644
--- a/deploy/base-crds/crds/apparmorprofile.yaml
+++ b/deploy/base-crds/crds/apparmorprofile.yaml
@@ -72,6 +72,9 @@ spec:
 type: string
 type: array
 type: object
+ extra:
+ description: Extra rules for other config.
+ type: string
 filesystem:
 description: Filesystem rules for filesystem access.
 properties:
diff --git a/deploy/base/role.yaml b/deploy/base/role.yaml
index 5a142b7acd..e73d251a27 100644
--- a/deploy/base/role.yaml
+++ b/deploy/base/role.yaml
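Review bot: The doc comment on the new `Extra` field is what ends up as the CRD description, and "Extra rules for other config." does not tell an AppArmorProfile author that the value is raw AppArmor rule text rendered verbatim into the generated profile (the `{{.Abstract.Extra}}` line in crd2armor.go in this same commit), with no parsing, validation or escaping. A reader cannot tell whether it is a list of structured options or free-form profile language, and that distinction matters because the field can express anything the structured `Filesystem`/`Network`/`Capability` fields deliberately cannot. Suggest `// Extra holds raw AppArmor rule text that is inserted verbatim into the generated profile body; it is not parsed, validated or escaped, so it can express any rule the profile language allows.` Since the field sidesteps the structured schema, a `+kubebuilder:validation:MaxLength` marker would at least bound the value at admission time. The `AppArmorAbstract` struct starts outside the hunk.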
@@ -326,92 +326,3 @@ rules: - securitycontextconstraints verbs: - use ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: spo-webhook -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - security-profiles-operator.x-k8s.io - resources: - - profilebindings - - profilerecordings - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - security-profiles-operator.x-k8s.io - resources: - - profilebindings/finalizers - - profilerecordings/finalizers - verbs: - - delete - - get - - patch - - update -- apiGroups: - - security-profiles-operator.x-k8s.io - resources: - - profilebindings/status - - profilerecordings/status - verbs: - - get - - patch - - update -- apiGroups: - - security-profiles-operator.x-k8s.io - resources: - - seccompprofiles - - selinuxprofiles - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: spo-webhook - namespace: security-profiles-operator -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -- apiGroups: - - coordination.k8s.io - resourceNames: - - security-profiles-operator-webhook-lock - resources: - - leases - verbs: - - get - - patch - - update -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - verbs: - - use diff --git a/deploy/helm/crds/crds.yaml b/deploy/helm/crds/crds.yaml index 05ecdb96af..a7ac3f4916 100644 --- a/deploy/helm/crds/crds.yaml +++ b/deploy/helm/crds/crds.yaml @@ -2311,6 +2311,8 @@ spec: type: string type: array type: object + extra: + type: string filesystem: description: Filesystem rules for filesystem access. properties: diff --git a/deploy/namespace-operator.yaml b/deploy/namespace-operator.yaml index c72c6dfdb0..dd9bb787df 100644 --- a/deploy/namespace-operator.yaml +++ b/deploy/namespace-operator.yaml 
@@ -2311,6 +2311,8 @@ spec:
 type: string
 type: array
 type: object
+ extra:
+ type: string
 filesystem:
 description: Filesystem rules for filesystem access.
 properties:
diff --git a/deploy/openshift-dev.yaml b/deploy/openshift-dev.yaml
index c3bfd25557..5b6f90b420 100644
--- a/deploy/openshift-dev.yaml
+++ b/deploy/openshift-dev.yaml
@@ -85,6 +85,8 @@ spec:
 type: string
 type: array
 type: object
+ extra:
+ type: string
 filesystem:
 description: Filesystem rules for filesystem access.
 properties:
diff --git a/deploy/openshift-downstream.yaml b/deploy/openshift-downstream.yaml
index 66c2966941..75fc1fbb3f 100644
--- a/deploy/openshift-downstream.yaml
+++ b/deploy/openshift-downstream.yaml
@@ -2311,6 +2311,8 @@ spec:
 type: string
 type: array
 type: object
+ extra:
+ type: string
 filesystem:
 description: Filesystem rules for filesystem access.
 properties:
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index dd957762de..e72b89f04f 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -2311,6 +2311,8 @@ spec:
 type: string
 type: array
 type: object
+ extra:
+ type: string
 filesystem:
 description: Filesystem rules for filesystem access.
 properties:
diff --git a/deploy/webhook-operator.yaml b/deploy/webhook-operator.yaml
index 9dd24dfab1..fae0fcf37f 100644
--- a/deploy/webhook-operator.yaml
+++ b/deploy/webhook-operator.yaml
@@ -85,6 +85,8 @@ spec:
 type: string
 type: array
 type: object
+ extra:
+ type: string
 filesystem:
 description: Filesystem rules for filesystem access.
 properties:
diff --git a/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go b/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go
index e561552530..367bae9e1c 100644
--- a/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go
+++ b/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go
@@ -80,6 +80,7 @@ profile {{.Name}} flags=({{.ProfileMode}},attach_disconnected,mediate_deleted) { {{end}} # Raw rules placeholder + {{.Abstract.Extra}} # Add default deny for known information leak/priv esc paths deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
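Review bot: `{{.Abstract.Extra}}` is substituted into the profile text with no validation, so the AppArmor parser sees whatever the CR author wrote: a value containing an unbalanced `}` presumably ends the `profile {{.Name}} ... {` block early, after which the remainder of the string and the template's own "default deny" rules are parsed at file level rather than inside this profile. The conversion should reject an `Extra` value that is not a plain sequence of rule lines before rendering (at minimum, unbalanced braces), or the field should be documented as equivalent to hand-editing the profile file so reviewers of AppArmorProfile objects treat it that way; a one-line comment above the placeholder, `# Extra is raw, unvalidated rule text from the CR`, would make the trust boundary visible to the next maintainer of this template. If `.Abstract` can be nil here the template execution will fail on this line as well, though the surrounding `{{end}}` suggests `.Abstract` is already dereferenced earlier in the template — confirm. The enclosing template string and the function that executes it start outside the hunk.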