moby/profiles at 99f10dec91409c4f6ed2c4867638f4e5ea678f0a - 0ct0pu5/moby

History

Phil Sphicas b1c04fc6cd Fix AppArmor profile docker-default /proc/sys rule The current docker-default AppArmor profile intends to block write access to everything in `/proc`, except for `/proc/<pid>` and `/proc/sys/kernel/shm`. Currently the rules block access to everything in `/proc/sys`, and do not successfully allow access to `/proc/sys/kernel/shm`. Specifically, a path like /proc/sys/kernel/shmmax matches this part of the pattern: deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]* }/** w, /proc / s y s / kernel /shmmax This patch updates the rule so that it works as intended. Closes #39791 Signed-off-by: Phil Sphicas <phil.sphicas@att.com> (cherry picked from commit `66f14e4ae9`) Signed-off-by: Ameya Gawde <agawde@mirantis.com>	2023-06-08 10:23:22 -07:00
..
apparmor	Fix AppArmor profile docker-default /proc/sys rule	2023-06-08 10:23:22 -07:00
seccomp	refactor: move from io/ioutil to io and os package	2023-02-24 16:11:55 -05:00

Fix AppArmor profile docker-default /proc/sys rule

The current docker-default AppArmor profile intends to block write
access to everything in `/proc`, except for `/proc/<pid>` and
`/proc/sys/kernel/shm*`.

Currently the rules block access to everything in `/proc/sys`, and do
not successfully allow access to `/proc/sys/kernel/shm*`. Specifically,
a path like /proc/sys/kernel/shmmax matches this part of the pattern:

    deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]*     }/** w,
         /proc  / s     y     s     /     kernel /shmmax

This patch updates the rule so that it works as intended.

Closes #39791

Signed-off-by: Phil Sphicas <phil.sphicas@att.com>
(cherry picked from commit 66f14e4ae9)
Signed-off-by: Ameya Gawde <agawde@mirantis.com>

2023-06-08 10:23:22 -07:00

apparmor Fix AppArmor profile docker-default /proc/sys rule 2023-06-08 10:23:22 -07:00

seccomp refactor: move from io/ioutil to io and os package 2023-02-24 16:11:55 -05:00