
apparmor: add DumpDefaultProfile#5134

Merged
crosbymichael merged 1 commit into containerd:master from AkihiroSuda:dump-apparmor
Mar 8, 2021

Conversation

AkihiroSuda (Member) commented Mar 8, 2021

This function will be used by nerdctl for printing the default AppArmor profile: nerdctl system inspect apparmor-profile

$ go test -v -run TestDumpDefaultProfile
=== RUN   TestDumpDefaultProfile
    apparmor_test.go:117: Generated profile "test-dump-default-profile"
    apparmor_test.go:118: 
        
        #include <tunables/global>
        
        
        profile test-dump-default-profile flags=(attach_disconnected,mediate_deleted) {
        
          #include <abstractions/base>
        
        
          network,
          capability,
          file,
          umount,
        
          deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
          # deny write to files not in /proc/<number>/** or /proc/sys/**
          deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
          deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
          deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
          deny @{PROC}/sysrq-trigger rwklx,
          deny @{PROC}/mem rwklx,
          deny @{PROC}/kmem rwklx,
          deny @{PROC}/kcore rwklx,
        
          deny mount,
        
          deny /sys/[^f]*/** wklx,
          deny /sys/f[^s]*/** wklx,
          deny /sys/fs/[^c]*/** wklx,
          deny /sys/fs/c[^g]*/** wklx,
          deny /sys/fs/cg[^r]*/** wklx,
          deny /sys/firmware/** rwklx,
          deny /sys/kernel/security/** rwklx,
        
        
          ptrace (trace,read) peer=test-dump-default-profile,
        
        }
        
--- PASS: TestDumpDefaultProfile (0.00s)
PASS
ok      github.com/containerd/containerd/contrib/apparmor       0.007s

This function will be used by nerdctl for printing the default AppArmor
profile: `nerdctl system inspect apparmor-profile`

Signed-off-by: Akihiro Suda <[email protected]>
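Since nerdctl will print the dumped profile for operators to inspect, the natural follow-up is a check that the text actually carries the hardening rules shown in the test output above. The program below is an added example, not containerd's or nerdctl's code; it uses an abridged copy of the profile from the test run as constructed sample input, and the list of required rules is an assumption chosen for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Abridged copy of the profile printed by the test run above, used here as constructed sample input.
const sampleProfile = `#include <tunables/global>
profile test-dump-default-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  network,
  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
  deny @{PROC}/sysrq-trigger rwklx,
  deny mount,
  deny /sys/kernel/security/** rwklx,
  ptrace (trace,read) peer=test-dump-default-profile,
}`

// missingHardening lists the expected hardening rules a dumped profile lacks.
// Trailing comments and comment-only lines are ignored (#include lines are rules).
// The ptrace rule must name the profile itself, so the container can only trace
// processes confined by its own profile.
func missingHardening(profile string) []string {
	have, name := map[string]bool{}, ""
	for _, line := range strings.Split(profile, "\n") {
		if i := strings.Index(line, "#"); i >= 0 && !strings.Contains(line, "#include") {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		have[line] = true
		if strings.HasPrefix(line, "profile ") {
			name = strings.Fields(line)[1]
		}
	}
	var missing []string
	for _, want := range []string{"deny mount,", "deny @{PROC}/sysrq-trigger rwklx,",
		"deny /sys/kernel/security/** rwklx,", "ptrace (trace,read) peer=" + name + ","} {
		if !have[want] {
			missing = append(missing, want)
		}
	}
	return missing
}

func main() {
	fmt.Println("missing:", missingHardening(sampleProfile)) // prints "missing: []"
}
```

Feed it the output of `nerdctl system inspect apparmor-profile` instead of the constant to check a live profile; a non-empty result means a rule from the default template was dropped or its ptrace peer no longer matches the profile name.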

theopenlab-ci Bot commented Mar 8, 2021

Build succeeded.

estesp (Member) left a comment

LGTM

mikebrow (Member) left a comment

LGTM

@crosbymichael crosbymichael merged commit da137a7 into containerd:master Mar 8, 2021