Commit Graph

10 Commits

Author SHA1 Message Date
Valentin Rothberg 97f5e708f6 Revert "Change default profile to unconfined; remove CheckProfileAndLoadDefault"
This reverts commit 6d109b95a0 because it
was merged prematurely.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-08-17 10:17:15 +02:00
Valentin Rothberg ed3ac2cb8e Revert "Revert "Revert "Allow rootless containers to use AppArmor profiles"""
This reverts commit d2e1497ce1 because it
was merged prematurely.

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-08-17 10:16:55 +02:00
Will Shand 6d109b95a0 Change default profile to unconfined; remove CheckProfileAndLoadDefault
Set the default AppArmor profile to unconfined; see the following
issues:

- https://github.com/containers/common/issues/958
- https://github.com/containers/podman/issues/15874

Based on the discussion there, distros that use AppArmor should supply
their own AppArmor profile and set it in a default containers.conf,
since there is no way to load AppArmor profiles rootlessly.

Signed-off-by: Will Shand <wss2ec@g.ucla.edu>
2023-07-20 22:12:40 +00:00
Will Shand d2e1497ce1 Revert "Revert "Allow rootless containers to use AppArmor profiles""
This reverts commit ae50de4ddf.

Signed-off-by: Will Shand <wss2ec@g.ucla.edu>
2023-07-20 22:12:26 +00:00
Valentin Rothberg ae50de4ddf Revert "Allow rootless containers to use AppArmor profiles"
This reverts commit 6994271ca4 since
it does not pass Podman CI (i.e., the rootless Ubuntu job fails).

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2022-03-18 13:31:11 +01:00
kernelmethod 6994271ca4 Allow rootless containers to use AppArmor profiles
Previously, Podman would print an error if you tried to run a container
with an AppArmor profile as a non-root user, e.g.

    $ podman run --security-opt apparmor=my-profile ...
    Error: Apparmor profile "my-profile" specified, but Apparmor is not
    enabled on this system

In fact, the only thing that Podman needs root privileges for is reading
/sys/kernel/security/apparmor/profiles to see if the profile is already
loaded, which isn't strictly necessary.

This commit removes the 'IsLoaded()' check that occurs when you try to
specify an AppArmor profile as a non-root user, as well as the other
checks in pkg/apparmor/ for whether the program is running as UID 0. The
check for whether the AppArmor profile is loaded should now be deferred
to the container runtime at the point where it writes to either
/proc/self/attr/exec or /proc/self/attr/apparmor/exec, since the write
should fail if the profile is not loaded.

Closes #958.

Signed-off-by: kernelmethod <17100608+kernelmethod@users.noreply.github.com>
2022-03-11 13:57:50 -07:00
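An added example in Go (not code from containers/common, Podman or any runtime) contrasting the two checks the commit message above describes: the root-only read of /sys/kernel/security/apparmor/profiles, and the deferred "exec <profile>" write to /proc/self/attr/apparmor/exec (falling back to the legacy /proc/self/attr/exec) that lets the kernel reject an unloaded profile. The profile listing in main is constructed for the example, and the function names are this example's own assumptions.

```go
// Added example (not containers/common code): two ways to decide whether an
// AppArmor profile can be applied to a container process.
//
//  1. Privileged check: read /sys/kernel/security/apparmor/profiles, a
//     securityfs listing with one "<name> (<mode>)" line per loaded profile.
//     securityfs is only readable by root, so this cannot work rootless.
//  2. Deferred check: write "exec <name>" to /proc/self/attr/apparmor/exec
//     (or the legacy /proc/self/attr/exec) and let the kernel reject the
//     write if <name> is not loaded.
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// ProfilesPath is the securityfs listing of loaded profiles.
const ProfilesPath = "/sys/kernel/security/apparmor/profiles"

// ParseLoadedProfiles parses the listing into name -> mode. Lines look like
// "container-default-0.56.0 (enforce)"; a line without a mode is tolerated
// and recorded with an empty mode rather than rejected.
func ParseLoadedProfiles(r io.Reader) (map[string]string, error) {
	loaded := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		name, mode := line, ""
		if i := strings.LastIndex(line, " ("); i >= 0 && strings.HasSuffix(line, ")") {
			name = line[:i]
			mode = line[i+2 : len(line)-1]
		}
		loaded[name] = mode
	}
	return loaded, sc.Err()
}

// IsLoaded is the root-only check. Run rootless, os.Open fails with
// EACCES, which is the condition the commit above removes the check for.
func IsLoaded(name string) (bool, error) {
	f, err := os.Open(ProfilesPath)
	if err != nil {
		return false, fmt.Errorf("AppArmor: checking whether profile %q is loaded: %w", name, err)
	}
	defer f.Close()
	loaded, err := ParseLoadedProfiles(f)
	if err != nil {
		return false, err
	}
	_, ok := loaded[name]
	return ok, nil
}

// ExecAttrPath selects the procfs interface for changing the profile at the
// next exec. The exists callback is injected so the selection is testable.
func ExecAttrPath(exists func(string) bool) string {
	if exists("/proc/self/attr/apparmor/exec") {
		return "/proc/self/attr/apparmor/exec"
	}
	return "/proc/self/attr/exec"
}

// ChangeOnExec is the deferred check: it reads no listing at all and relies
// on the kernel refusing "exec <name>" for a profile that is not loaded.
func ChangeOnExec(name string) error {
	if name == "" || name == "unconfined" {
		return nil // nothing to apply
	}
	path := ExecAttrPath(func(p string) bool { _, err := os.Stat(p); return err == nil })
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return fmt.Errorf("AppArmor: opening %s for profile %q: %w", path, name, err)
	}
	defer f.Close()
	if _, err := f.WriteString("exec " + name); err != nil {
		return fmt.Errorf("AppArmor: applying profile %q via %s: %w", name, path, err)
	}
	return nil
}

func main() {
	// Constructed sample of the securityfs listing, not captured from a host.
	const sample = "container-default-0.56.0 (enforce)\n/usr/sbin/cupsd (complain)\n"
	loaded, _ := ParseLoadedProfiles(strings.NewReader(sample))
	fmt.Println("container-default-0.56.0 mode:", loaded["container-default-0.56.0"])
	if _, err := IsLoaded("my-profile"); errors.Is(err, os.ErrPermission) {
		fmt.Println("rootless: cannot read the profile list; defer the check to ChangeOnExec")
	}
}
```

Running main as a non-root user on an AppArmor host prints the rootless message, since the privileged check cannot even open the listing; ChangeOnExec is what a runtime calls right before execve, and an unloaded profile surfaces there as a write error rather than as an early "AppArmor is not enabled" refusal.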
Sascha Grunert 73aa297b0c Wrap AppArmor errors to provide more debug information
Almost all AppArmor errors are now wrapped to provide additional context
to the user about what actually went wrong. We now only use the spelling
`AppArmor` rather than `apparmor` to give the errors a uniform look.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-08-17 12:20:25 +02:00
Valentin Rothberg d5639f5e55 pkg/version -> version
Move pkg/version to version to be consistent with other libraries in
c/image.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-06-24 10:47:18 +02:00
Sascha Grunert 4a58c879e2 Change AppArmor profile prefix and fix name-check
The default AppArmor profile is now prefixed with
`container-default-$VERSION`, and the version is now part of a new
`version` package.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-06-23 18:11:28 +02:00
Daniel J Walsh ed25ff4eb6 Add more utils for returning defaults
Move pkg/sysinfo and pkg/apparmor out of libpod into containers/common.

This will allow other packages to use these libraries without requiring all of libpod.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-04-01 08:39:44 -04:00