moby/profiles
Phil Sphicas 66f14e4ae9 Fix AppArmor profile docker-default /proc/sys rule
The current docker-default AppArmor profile intends to block write
access to everything in `/proc`, except for `/proc/<pid>` and
`/proc/sys/kernel/shm*`.

Currently the rules block access to everything in `/proc/sys`, and do
not successfully allow access to `/proc/sys/kernel/shm*`. Specifically,
a path like /proc/sys/kernel/shmmax matches this part of the pattern:

    deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]*     }/** w,
         /proc  / s     y     s     /     kernel /shmmax

This patch updates the rule so that it works as intended.

Closes #39791

Signed-off-by: Phil Sphicas <phil.sphicas@att.com>
2022-06-30 21:12:58 +02:00
..
apparmor Fix AppArmor profile docker-default /proc/sys rule 2022-06-30 21:12:58 +02:00
seccomp all: use unix.ByteSliceToString for utsname fields 2022-05-18 17:13:20 -07:00