automation-tests/common/pkg
kernelmethod 6994271ca4 Allow rootless containers to use AppArmor profiles
Previously, Podman would print an error if you tried to run a container
with an AppArmor profile as a non-root user, e.g.

    $ podman run --security-opt apparmor=my-profile ...
    Error: Apparmor profile "my-profile" specified, but Apparmor is not
    enabled on this system

In fact, the only thing that Podman needs root privileges for is reading
/sys/kernel/security/apparmor/profiles to see if the profile is already
loaded, which isn't strictly necessary.

This commit removes the 'IsLoaded()' check that occurs when you try to
specify an AppArmor profile as a non-root user, as well as the other
checks in pkg/apparmor/ for whether the program is running as UID 0. The
check for whether the AppArmor profile is loaded should now be deferred
to the container runtime at the point where it writes to either
/proc/self/attr/exec or /proc/self/attr/apparmor/exec, since the write
should fail if the profile is not loaded.

Closes #958.

Signed-off-by: kernelmethod <17100608+kernelmethod@users.noreply.github.com>
2022-03-11 13:57:50 -07:00
apparmor Allow rootless containers to use AppArmor profiles 2022-03-11 13:57:50 -07:00
auth Fix console password reading on Windows 2022-02-03 16:49:18 -06:00
capabilities Fix handling of all capabilities 2021-05-14 07:04:14 -04:00
cgroups fix: fixup memory usage for cgroup v2 2021-12-26 21:47:07 +08:00
cgroupv2 cgroupv2: fix typo in comment 2021-01-20 09:44:05 +01:00
chown [NO TESTS NEEDED] Remove some stuttering on return errors 2021-03-29 10:33:18 -04:00
completion Add autocompletions to be shared between buildah and podman 2021-02-19 05:55:45 -05:00
config Fix ImageCopyTmpDir for windows 2022-03-08 19:40:10 +01:00
configmaps Add configmap backend 2022-01-14 09:56:51 +01:00
download pkg/download: for downloading files into tmp 2021-11-10 14:41:42 +01:00
filters Merge pull request #527 from rhatdan/cleanup 2021-05-05 17:09:54 -04:00
flag Run codespell on code 2022-01-21 07:47:02 -05:00
formats new libimage package 2021-04-21 11:17:47 +02:00
manifests manifests: set MediaType in OCI manifests and indexes 2021-11-29 17:46:47 -05:00
netns libnetwork: fix lint errors 2021-12-17 14:24:21 +01:00
parse parse: allow extra options for idmap 2022-02-14 17:33:00 +01:00
report Refactor report package to be more compatible 2021-11-19 11:11:07 -07:00
retry Make errcode.ErrorCodeDenied not retryable 2021-12-03 17:51:33 +01:00
seccomp Add support for seccomp `ListenerPath` and `ListenerMetadata` 2022-02-28 11:37:02 +01:00
secrets Run codespell on code 2022-01-21 07:47:02 -05:00
signal new libimage package 2021-04-21 11:17:47 +02:00
subscriptions fips: omit unneeded defer 2022-01-20 15:07:21 -05:00
supplemented manifests: set MediaType in OCI manifests and indexes 2021-11-29 17:46:47 -05:00
sysctl Update pkg/sysctl/sysctl.go 2021-08-19 19:29:53 -07:00
sysinfo Standardize on capitalize logrus messages, remove stutters 2021-09-24 14:35:52 -04:00
timetype add pkg/{filters,timetype} 2021-04-06 14:39:54 +02:00
umask Fix Function names to not stutter 2020-11-20 15:23:22 -05:00
util util: fix GetRuntimeDir permission check 2022-03-02 09:20:29 +01:00