kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity
37785 commits 10 branches 356 tags 299 MiB
Commit graph

10 commits

Author SHA1 Message Date
Goldwyn Rodrigues
b36455258f apparmor: allow readby and tracedby 
Fixes audit errors such as:

type=AVC msg=audit(1550236803.810:143):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=3181 comm="ps" requested_mask="readby" denied_mask="readby"
peer="docker-default"

audit(1550236375.918:3): apparmor="DENIED" operation="ptrace"
profile="docker-default" pid=2267 comm="ps"
requested_mask="tracedby" denied_mask="tracedby"
peer="docker-default"

Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
 2019-04-22 09:11:50 -05:00
Aleksa Sarai
4822fb1e24
apparmor: allow receiving of signals from 'docker kill' 
In newer kernels, AppArmor will reject attempts to send signals to a
container because the signal originated from outside of that AppArmor
profile. Correct this by allowing all unconfined signals to be received.

Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
 2018-09-13 02:06:56 +10:00
Daniel Nephin
4f0d95fa6e Add canonical import comment 
Signed-off-by: Daniel Nephin <dnephin@docker.com>
 2018-02-05 16:51:57 -05:00
Tycho Andersen
b4a6ccbc5f drop useless apparmor denies 
These files don't exist under proc so this rule does nothing.

They are protected against by docker's default cgroup devices since they're
both character devices and not explicitly allowed.

Signed-off-by: Tycho Andersen <tycho@docker.com>
 2017-10-06 09:11:59 -06:00
Xianglin Gao
2ab8f2e389 fix apparmor load profile 
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
 2016-11-29 15:48:38 +08:00
Akihiro Suda
693b4ac67a apparmor: prohibit /sys/firmware/** from being accessed 
Some firmware information including SMBIOS and ACPI tables were unexpectedly exposed

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
 2016-09-16 02:21:31 +00:00
Aleksa Sarai
64fb664908 profiles: apparmor: remove unused fields 
ExecPath isn't used by anything, and the signal apparmor rule isn't used
because it refers to a peer that we don't ship.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
 2016-03-20 19:01:49 +11:00
Aleksa Sarai
284d9d451e apparmor: use correct version for ptrace denial suppression 
Ubuntu ships apparmor_parser 2.9 erroniously as "2.8.95". Fix the
incorrect version check for >=2.8, when in fact 2.8 deosn't support the
required feature.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
 2016-02-15 20:36:29 +11:00
Aleksa Sarai
4bf7a84c96 apparmor: fix version checks to work properly 
Using {{if major}}{{if minor}} doesn't work as expected when the major
version changes. In addition, this didn't support patch levels (which is
necessary in some cases when distributions ship apparmor weirdly).

Signed-off-by: Aleksa Sarai <asarai@suse.com>
 2016-02-15 20:36:07 +11:00
Jessica Frazelle
35e50119fc
move default apparmor policy into package 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
 2016-01-21 16:55:27 -08:00