
Commit 2e19a4d

contrib/apparmor: remove version-conditionals (< 2.9) from template
These conditions were added in 8cf8924 to account for old versions of debian/ubuntu (apparmor_parser < 2.9) that lacked some options; > This allows us to use the apparmor profile we have in contrib/apparmor/ > and solves the problems where certain functions are not apparent on older > versions of apparmor_parser on debian/ubuntu. Those patches were from 2015/2016, and all currently supported distro versions should now have more current versions than that. Looking at the oldest supported versions; Ubuntu 18.04 "Bionic": apparmor_parser --version AppArmor parser version 2.12 Copyright (C) 1999-2008 Novell Inc. Copyright 2009-2012 Canonical Ltd. Debian 10 "Buster" apparmor_parser --version AppArmor parser version 2.13.2 Copyright (C) 1999-2008 Novell Inc. Copyright 2009-2018 Canonical Ltd. This patch removes the conditionals. Signed-off-by: Sebastiaan van Stijn <[email protected]>
1 parent 7008a51 commit 2e19a4d

1 file changed

Lines changed: 0 additions & 14 deletions


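--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@@ -20,11 +20,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 
 umount,
 pivot_root,
-{{if ge .Version 209000}}
 signal (receive) peer=@{profile_name},
 signal (receive) peer=unconfined,
 signal (send),
-{{end}}
 network,
 capability,
 owner /** rw,
@@ -47,12 +45,10 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 /etc/ld.so.cache r,
 /etc/passwd r,
 
-{{if ge .Version 209000}}
 ptrace peer=@{profile_name},
 ptrace (read) peer=docker-default,
 deny ptrace (trace) peer=docker-default,
 deny ptrace peer=/usr/bin/docker///bin/ps,
-{{end}}
 
 /usr/lib/** rm,
 /lib/** rm,
@@ -73,11 +69,9 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 /sbin/zfs rCx,
 /sbin/apparmor_parser rCx,
 
-{{if ge .Version 209000}}
 # Transitions
 change_profile -> docker-*,
 change_profile -> unconfined,
-{{end}}
 
 profile /bin/cat (complain) {
 /etc/ld.so.cache r,
@@ -99,10 +93,8 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 /dev/null rw,
 /bin/ps mr,
 
-{{if ge .Version 209000}}
 # We don't need ptrace so we'll deny and ignore the error.
 deny ptrace (read, trace),
-{{end}}
 
 # Quiet dac_override denials
 deny capability dac_override,
@@ -120,15 +112,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 /proc/tty/drivers r,
 }
 profile /sbin/iptables (complain) {
-{{if ge .Version 209000}}
 signal (receive) peer=/usr/bin/docker,
-{{end}}
 capability net_admin,
 }
 profile /sbin/auplink flags=(attach_disconnected, complain) {
-{{if ge .Version 209000}}
 signal (receive) peer=/usr/bin/docker,
-{{end}}
 capability sys_admin,
 capability dac_override,
 
@@ -147,9 +135,7 @@ profile /usr/bin/docker (attach_disconnected, complain) {
 /proc/[0-9]*/mounts rw,
 }
 profile /sbin/modprobe /bin/kmod (complain) {
-{{if ge .Version 209000}}
 signal (receive) peer=/usr/bin/docker,
-{{end}}
 capability sys_module,
 /etc/ld.so.cache r,
 /lib/** rm,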
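Review bot: With every `{{if ge .Version 209000}}` guard gone, the template no longer references `.Version` anywhere in these hunks, yet the commit does not touch the Go side that populates it; if the template data struct and the `apparmor_parser --version` probing that feeds it live outside this diff, they are now dead code and should be removed in a follow-up or the field documented as unused. The profile now also hard-requires a parser that understands `signal`, `ptrace` and `change_profile` rules: on a host with apparmor_parser older than 2.9 it will fail to load entirely instead of loading without those rules, which is the safer failure mode but is not stated anywhere in the profile text. A one-line comment at the top of the template, e.g. `# Requires apparmor_parser >= 2.9: signal, ptrace and change_profile rules are unconditional.`, would make the minimum supported version explicit for the next person who sees a load error; the profile header and the start of the template string are outside these hunks. The same observation applies to each of the six hunks in this file.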
