Update seccomp and apaprmorprofile

Change-Id: Ie5183b2d1f0550ab463f4c3d0fd713d1de6ec39b
Signed-off-by: Cosmin Cojocar <[email protected]>

deploy/base/profiles/bpf-recorder.json

@@ -17,7 +17,6 @@
         "capget",
         "capset",
         "chdir",
-        "clone",
         "clone3",
         "close",
         "connect",
@@ -28,9 +27,7 @@
         "epoll_wait",
         "eventfd2",
         "execve",
-        "exit_group",
         "faccessat2",
-        "fchdir",
         "fchownat",
         "fcntl",
         "fstat",
@@ -47,24 +44,18 @@
         "getsockopt",
         "gettid",
         "ioctl",
-        "keyctl",
         "listen",
         "lseek",
         "madvise",
         "memfd_create",
-        "mkdirat",
-        "mknodat",
         "mmap",
-        "mount",
         "mprotect",
         "mremap",
         "munmap",
         "nanosleep",
         "newfstatat",
         "openat",
         "perf_event_open",
-        "pipe2",
-        "pivot_root",
         "prctl",
         "pread64",
         "prlimit64",
@@ -82,18 +73,13 @@
         "setgid",
         "setgroups",
         "setrlimit",
-        "setsid",
         "setsockopt",
         "setuid",
         "sigaltstack",
         "socket",
         "statfs",
-        "symlinkat",
         "tgkill",
-        "umask",
-        "umount2",
         "uname",
-        "unlinkat",
         "write"
       ],
       "action": "SCMP_ACT_ALLOW"

deploy/base/profiles/bpfrecorder-apparmor.yaml

@@ -11,9 +11,6 @@ spec:
       allowedCapabilities:
       - bpf
       - chown
-      - dac_override
-      - dac_read_search
-      - mknod
       - perfmon
       - setgid
       - setuid
@@ -24,29 +21,25 @@ spec:
       - /security-profiles-operator
     filesystem:
       readOnlyPaths:
-      - /
       - /proc/@{pid}/cgroup
-      - /proc/@{pid}/fd/
+      - /proc/@{pid}/fd/**
       - /proc/@{pid}/maps
-      - /proc/@{pid}/mountinfo
       - /proc/@{pid}/setgroups
       - /proc/@{pid}/status
-      - /proc/@{pid}/uid_map
-      - /proc/filesystems
-      - /proc/sys/kernel/cap_last_cap
       - /proc/sys/net/core/somaxconn
       - /sys/devices/kprobe/type
-      - /sys/devices/system/cpu/online
-      - /sys/fs/bpf/
+      - /sys/fs/bpf/**
       - /sys/kernel/btf/vmlinux
       - /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/id
       - /sys/kernel/debug/tracing/events/sched/sched_process_exec/id
       - /sys/kernel/debug/tracing/events/sched/sched_process_exit/id
+      - /sys/kernel/debug/tracing/events/syscalls/sys_enter_prctl/id
       - /sys/kernel/debug/tracing/events/syscalls/sys_enter_socket/id
+      - /sys/kernel/debug/tracing/events/syscalls/sys_exit_clone/id
       - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
       - /sys/kernel/security/lsm
       readWritePaths:
-      - /dev/null
+      - /var/run/**
     network:
       allowedProtocols:
         allowTcp: true

deploy/base/profiles/security-profiles-operator.json

@@ -10,89 +10,70 @@
     {
       "names": [
         "accept4",
-        "access",
         "arch_prctl",
         "bind",
         "brk",
         "capget",
         "capset",
         "chdir",
-        "clock_gettime",
-        "clone",
         "clone3",
         "close",
         "connect",
         "epoll_create1",
         "epoll_ctl",
         "epoll_pwait",
-        "epoll_wait",
         "eventfd2",
         "execve",
-        "exit",
         "exit_group",
-        "fchown",
+        "faccessat2",
         "fcntl",
-        "flock",
         "fstat",
         "fstatfs",
-        "fsync",
         "futex",
         "getcwd",
         "getdents64",
-        "getgid",
         "getpeername",
-        "getpgrp",
         "getpid",
         "getppid",
         "getrandom",
         "getrlimit",
         "getsockname",
         "getsockopt",
         "gettid",
-        "getuid",
         "inotify_add_watch",
         "inotify_init1",
         "listen",
-        "lseek",
         "madvise",
-        "membarrier",
-        "mkdirat",
-        "mlock",
         "mmap",
         "mprotect",
         "munmap",
         "nanosleep",
         "newfstatat",
-        "open",
         "openat",
-        "pipe2",
         "prctl",
         "pread64",
         "prlimit64",
         "read",
-        "readlink",
         "readlinkat",
-        "renameat",
         "rseq",
         "rt_sigaction",
         "rt_sigprocmask",
         "rt_sigreturn",
         "sched_getaffinity",
         "sched_yield",
+        "seccomp",
         "set_robust_list",
         "set_tid_address",
         "setgid",
         "setgroups",
-        "setrlimit",
         "setsockopt",
         "setuid",
         "sigaltstack",
         "socket",
         "statfs",
         "tgkill",
-        "time",
         "uname",
-        "unlinkat",
+        "unshare",
         "write"
       ],
       "action": "SCMP_ACT_ALLOW"

deploy/base/profiles/spo-apparmor.yaml

@@ -9,40 +9,24 @@ spec:
   abstract:
     capability:
       allowedCapabilities:
-      - chown
-      - dac_override
-      - dac_read_search
-      - fowner
-      - fsetid
-      - mknod
       - setgid
-      - setpcap
       - setuid
       - sys_admin
     executable:
       allowedExecutables:
       - /security-profiles-operator
     filesystem:
       readOnlyPaths:
-      - /
-      - /opt/spo-profiles/**
-      - /proc/@{pid}/fd/
+      - /proc/@{pid}/fd/**
       - /proc/@{pid}/maps
-      - /proc/@{pid}/mountinfo
       - /proc/@{pid}/setgroups
       - /proc/@{pid}/status
-      - /proc/@{pid}/uid_map
-      - /proc/filesystems
-      - /proc/sys/kernel/cap_last_cap
       - /proc/sys/net/core/somaxconn
       - /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
       readWritePaths:
-      - /dev/null
-      - /host/var/lib/kubelet/seccomp/**
-      - /var/lib/security-profiles-operator/kubelet-config.json
+      - /var/run/**
     network:
       allowedProtocols:
         allowTcp: true
         allowUdp: true
   disabled: false
-