Skip to content

apparmor: do not save profile to /etc/apparmor.d#26518

Merged
justincormack merged 1 commit intomoby:masterfrom
SUSE:dont-write-aa-profile-to-etc
Sep 13, 2016
Merged

apparmor: do not save profile to /etc/apparmor.d#26518
justincormack merged 1 commit intomoby:masterfrom
SUSE:dont-write-aa-profile-to-etc

Conversation

@cyphar
Copy link
Copy Markdown
Contributor

@cyphar cyphar commented Sep 13, 2016

Writing the profile to /etc/apparmor.d, while also manually loading it
into the kernel results in quite a bit of confusion. In addition, it
means that people using apparmor but have /etc mounted read-only cannot
use apparmor at all on a Docker host.

Fix this by writing the profile to a temporary directory and deleting it
after it's been inserted.

Fixes #24786.

cute kitteh

Signed-off-by: Aleksa Sarai asarai@suse.de

@cyphar
apparmor: do not save profile to /etc/apparmor.d
2f7596a 
Writing the profile to /etc/apparmor.d, while also manually loading it
into the kernel results in quite a bit of confusion. In addition, it
means that people using apparmor but have /etc mounted read-only cannot
use apparmor at all on a Docker host.

Fix this by writing the profile to a temporary directory and deleting it
after it's been inserted.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
@cyphar
Copy link
Copy Markdown
Contributor Author

cyphar commented Sep 13, 2016

/cc @tonistiigi

@justincormack
Copy link
Copy Markdown
Contributor

justincormack commented Sep 13, 2016

LGTM

@vdemeester
Copy link
Copy Markdown
Member

vdemeester commented Sep 13, 2016

LGTM 🐸

@justincormack
Copy link
Copy Markdown
Contributor

justincormack commented Sep 13, 2016

Windows failure unrelated.

@justincormack justincormack merged commit 379b02b into moby:master Sep 13, 2016
@cyphar cyphar deleted the dont-write-aa-profile-to-etc branch September 13, 2016 11:40
@cyphar cyphar restored the dont-write-aa-profile-to-etc branch September 13, 2016 11:40
@thaJeztah thaJeztah added this to the 1.13.0 milestone Sep 13, 2016
@justincormack justincormack mentioned this pull request Sep 22, 2016
Closed
@justincormack justincormack mentioned this pull request Dec 3, 2016
Closed
@cyphar cyphar deleted the dont-write-aa-profile-to-etc branch December 5, 2016 13:14
@spawnflagger spawnflagger mentioned this pull request May 5, 2017
Open
@cyphar cyphar mentioned this pull request Oct 22, 2020
Open
@thaJeztah thaJeztah mentioned this pull request Apr 17, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area/security/apparmor status/2-code-review

Projects

None yet

Milestone

1.13.0

Development

Successfully merging this pull request may close these issues.

5 participants

@cyphar @justincormack @vdemeester @thaJeztah @GordonTheTurtle