Latest commit 6994271ca4 by kernelmethod: Allow rootless containers to use AppArmor profiles
Previously, Podman would print an error if you tried to run a container
with an AppArmor profile as a non-root user, e.g.

    $ podman run --security-opt apparmor=my-profile ...
    Error: Apparmor profile "my-profile" specified, but Apparmor is not
    enabled on this system

In fact, the only thing that Podman needs root privileges for is reading
/sys/kernel/security/apparmor/profiles to see if the profile is already
loaded, which isn't strictly necessary.

This commit removes the 'IsLoaded()' check that occurs when you try to
specify an AppArmor profile as a non-root user, as well as the other
checks in pkg/apparmor/ for whether the program is running as UID 0. The
check for whether the AppArmor profile is loaded should now be deferred
to the container runtime at the point where it writes to either
/proc/self/attr/exec or /proc/self/attr/apparmor/exec, since the write
should fail if the profile is not loaded.

Closes #958.

Signed-off-by: kernelmethod <17100608+kernelmethod@users.noreply.github.com>
2022-03-11 13:57:50 -07:00
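The two halves of the reasoning in the commit message, written out as an added Go example (this is not code from containers/common or Podman): a profile-is-loaded check that parses /sys/kernel/security/apparmor/profiles when it is readable and reports "unknown" rather than failing when it is not, and the exec-time write to /proc/self/attr/apparmor/exec (falling back to /proc/self/attr/exec) that an OCI runtime performs, which is where an unloaded profile is rejected. The sample profiles content and the names IsLoaded and ApplyOnExec are constructed for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strings"
)

// profilesPath lists the loaded AppArmor profiles, one per line, as
// "<name> (<mode>)". Reading it normally requires root.
const profilesPath = "/sys/kernel/security/apparmor/profiles"

// sampleProfiles is constructed input mimicking that file; it was not
// captured from a real system.
const sampleProfiles = `/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
docker-default (enforce)
my-profile (complain)
`

// profileLoaded reports whether name appears in profiles-file content.
// The trailing " (mode)" is stripped before comparing, and only an exact
// name matches (a prefix such as "my" must not match "my-profile").
func profileLoaded(content, name string) bool {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if i := strings.LastIndex(line, " ("); i >= 0 {
			line = line[:i]
		}
		if line == name {
			return true
		}
	}
	return false
}

// IsLoaded returns (loaded, known, err). known is false when the question
// cannot be answered locally (no permission as non-root, or securityfs not
// mounted); the caller should then defer to the runtime's exec-time write
// instead of refusing to start the container.
func IsLoaded(name string) (loaded, known bool, err error) {
	data, err := os.ReadFile(profilesPath)
	switch {
	case err == nil:
		return profileLoaded(string(data), name), true, nil
	case errors.Is(err, os.ErrPermission), errors.Is(err, os.ErrNotExist):
		return false, false, nil
	default:
		return false, false, err
	}
}

// ApplyOnExec asks the kernel to confine the next exec() of this process
// with the named profile, as an OCI runtime does before exec'ing the
// container entrypoint. The kernel rejects the write when the profile is
// not loaded, so no separate privileged lookup is needed.
func ApplyOnExec(name string) error {
	payload := []byte("exec " + name)
	var lastErr error
	for _, p := range []string{"/proc/self/attr/apparmor/exec", "/proc/self/attr/exec"} {
		f, err := os.OpenFile(p, os.O_WRONLY, 0)
		if err != nil {
			lastErr = err
			continue
		}
		_, werr := f.Write(payload)
		f.Close()
		if werr == nil {
			return nil
		}
		lastErr = werr
	}
	return fmt.Errorf("apparmor: cannot set exec profile %q: %w", name, lastErr)
}

func main() {
	for _, name := range []string{"my-profile", "docker-default"} {
		loaded, known, err := IsLoaded(name)
		fmt.Printf("%s: loaded=%v known=%v err=%v\n", name, loaded, known, err)
	}
}
```

Run as an unprivileged user on an AppArmor host, IsLoaded reports known=false for every name, which is exactly the situation the commit stops treating as "AppArmor is not enabled". ApplyOnExec is not called from main on purpose: it changes the confinement of the calling process's next exec.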
Repository contents, with the latest commit touching each path:

- .github
- cmd/seccomp
- docs: Add ExitCommandDelay as configuration in EngineConfig with default of 5 minutes in seconds (2022-02-24 15:51:05 +01:00)
- libimage: libimage: image lookup: fix ID vs short name (2022-02-24 14:42:37 +01:00)
- libnetwork: netavark: warn only if network has DNSEnabled and aardvark binary is not found (2022-03-04 11:03:24 +05:30)
- logos
- pkg: Allow rootless containers to use AppArmor profiles (2022-03-11 13:57:50 -07:00)
- tests
- tools
- vendor: Merge pull request #957 from containers/dependabot/go_modules/github.com/spf13/cobra-1.4.0 (2022-03-11 05:02:09 -05:00)
- version: Move to v0.47.4+dev (2022-02-08 13:15:17 -05:00)
- .cirrus.yml: Cirrus: Make netavark binary available to unit tests (2022-01-13 10:03:34 -05:00)
- .gitignore: remove coverprofile from git history (2022-02-14 14:28:49 +01:00)
- .golangci.yml: libnetwork: fix lint errors (2021-12-17 14:24:21 +01:00)
- CODE-OF-CONDUCT.md: Change Libpod to Podman (2022-01-26 08:36:56 -05:00)
- CONTRIBUTING.md
- LICENSE
- Makefile: Run codespell on code (2022-01-21 07:47:02 -05:00)
- OWNERS: add @Luap99 to OWNERS (2021-06-10 11:08:52 +02:00)
- README.md: Update README.md (2022-02-23 17:58:54 +01:00)
- SECURITY.md
- go.mod: Merge pull request #957 from containers/dependabot/go_modules/github.com/spf13/cobra-1.4.0 (2022-03-11 05:02:09 -05:00)
- go.sum: Merge pull request #957 from containers/dependabot/go_modules/github.com/spf13/cobra-1.4.0 (2022-03-11 05:02:09 -05:00)

README.md

containers/common

Location for shared common files, and the common Go code that manages those files, used across the github.com/containers repositories.

Files shared by one or more projects in the containers group are kept in this repository.

It is up to each individual project to include the files it needs from this repository.

seccomp

The seccomp package in pkg/seccomp is a set of Go libraries used by container runtimes to generate and load seccomp mappings into the kernel.

seccomp (short for secure computing mode) is a BPF-based syscall filtering mechanism in the Linux kernel; the package wraps it in a more conventional function-call based filtering interface that should be familiar to, and easily adopted by, application developers.

Building the seccomp.json file

The make target make seccomp.json generates the seccomp.json file, which contains the list of syscalls allowed to containers. It is consumed by container engines such as CRI-O, Buildah, Podman and Docker, and by OCI runtimes such as runc, to restrict the syscalls available to containers.
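An added example, not code from containers/common, showing the shape of the file that target produces and the two things a consumer does with it: validate that the profile is really an allowlist (a permissive defaultAction would make the syscall list meaningless) and resolve which action applies to a given syscall. The profile below is constructed and deliberately tiny; the types Profile and SyscallRule cover only the defaultAction, architectures and syscalls fields of the OCI runtime-spec seccomp format, and ActionFor ignores per-argument conditions, which a real runtime also evaluates.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Profile mirrors the subset of the OCI runtime-spec seccomp JSON that a
// generated seccomp.json uses: a default action, the architectures it
// applies to, and a list of syscall rules.
type Profile struct {
	DefaultAction string        `json:"defaultAction"`
	Architectures []string      `json:"architectures"`
	Syscalls      []SyscallRule `json:"syscalls"`
}

// SyscallRule names one or more syscalls and the action applied to them.
type SyscallRule struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// knownActions are the action strings libseccomp understands.
var knownActions = map[string]bool{
	"SCMP_ACT_KILL": true, "SCMP_ACT_KILL_PROCESS": true, "SCMP_ACT_KILL_THREAD": true,
	"SCMP_ACT_TRAP": true, "SCMP_ACT_ERRNO": true, "SCMP_ACT_TRACE": true,
	"SCMP_ACT_LOG": true, "SCMP_ACT_ALLOW": true, "SCMP_ACT_NOTIFY": true,
}

// sampleProfile is a constructed, deliberately tiny allowlist for
// illustration; it is not the project's generated seccomp.json.
const sampleProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86"],
  "syscalls": [
    {"names": ["read", "write", "exit_group", "futex"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"}
  ]
}`

// ParseProfile decodes a profile and validates it before use.
func ParseProfile(data []byte) (*Profile, error) {
	var p Profile
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, fmt.Errorf("seccomp: invalid JSON: %w", err)
	}
	if err := p.Validate(); err != nil {
		return nil, err
	}
	return &p, nil
}

// Validate enforces the properties an allowlist profile must have: the
// default action must be a known action other than ALLOW, every rule must
// name at least one syscall, and every rule action must be known.
func (p *Profile) Validate() error {
	if !knownActions[p.DefaultAction] {
		return fmt.Errorf("seccomp: unknown defaultAction %q", p.DefaultAction)
	}
	if p.DefaultAction == "SCMP_ACT_ALLOW" {
		return fmt.Errorf("seccomp: defaultAction SCMP_ACT_ALLOW makes the syscall list meaningless")
	}
	for i, r := range p.Syscalls {
		if len(r.Names) == 0 {
			return fmt.Errorf("seccomp: rule %d names no syscalls", i)
		}
		if !knownActions[r.Action] {
			return fmt.Errorf("seccomp: rule %d has unknown action %q", i, r.Action)
		}
	}
	return nil
}

// ActionFor resolves the action for one syscall: the first rule naming it
// wins, and a syscall named by no rule gets the default action.
func (p *Profile) ActionFor(name string) string {
	for _, r := range p.Syscalls {
		for _, n := range r.Names {
			if n == name {
				return r.Action
			}
		}
	}
	return p.DefaultAction
}

func main() {
	p, err := ParseProfile([]byte(sampleProfile))
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, sc := range []string{"write", "ptrace", "mount"} {
		fmt.Printf("%-8s -> %s\n", sc, p.ActionFor(sc))
	}
}
```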

Supported build tags

Contributing

When developing this library, please use make (or make … BUILDTAGS=…) so that the tests and validation run as part of the build.

Contact