moby--moby

mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Phil Sphicas 66f14e4ae9 Fix AppArmor profile docker-default /proc/sys rule The current docker-default AppArmor profile intends to block write access to everything in `/proc`, except for `/proc/<pid>` and `/proc/sys/kernel/shm`. Currently the rules block access to everything in `/proc/sys`, and do not successfully allow access to `/proc/sys/kernel/shm`. Specifically, a path like /proc/sys/kernel/shmmax matches this part of the pattern: deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]* }/** w, /proc / s y s / kernel /shmmax This patch updates the rule so that it works as intended. Closes #39791 Signed-off-by: Phil Sphicas <phil.sphicas@att.com>	2022-06-30 21:12:58 +02:00
..
apparmor.go	refactor: move from io/ioutil to io and os package	2021-08-27 14:56:57 +08:00
template.go	Fix AppArmor profile docker-default /proc/sys rule	2022-06-30 21:12:58 +02:00

Phil Sphicas 66f14e4ae9 Fix AppArmor profile docker-default /proc/sys rule

The current docker-default AppArmor profile intends to block write
access to everything in `/proc`, except for `/proc/<pid>` and
`/proc/sys/kernel/shm*`.

Currently the rules block access to everything in `/proc/sys`, and do
not successfully allow access to `/proc/sys/kernel/shm*`. Specifically,
a path like /proc/sys/kernel/shmmax matches this part of the pattern:

    deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]*     }/** w,
         /proc  / s     y     s     /     kernel /shmmax

This patch updates the rule so that it works as intended.

Closes #39791

Signed-off-by: Phil Sphicas <phil.sphicas@att.com>

2022-06-30 21:12:58 +02:00

apparmor.go

refactor: move from io/ioutil to io and os package

2021-08-27 14:56:57 +08:00

template.go

Fix AppArmor profile docker-default /proc/sys rule

2022-06-30 21:12:58 +02:00