Conversation
|
Linting failure will be fixed by #11 |
| # Container processes may send signals amongst themselves. | ||
| signal (send,receive) peer={{.Name}}, | ||
|
|
||
| deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir) |
There was a problem hiding this comment.
While comparing, I also noticed that containerd has a special rule for RootlessKit;
@AkihiroSuda curious; should the moby profile have this as well? (I'm also looking if we can someday reconcile the profiles and share the same module perhaps)
There was a problem hiding this comment.
Yes, better to reconcile the profiles in the same module
There was a problem hiding this comment.
Yup! I wasn't sure about the RootlessKit one and if it would also be needed for Moby and/or impact moby somehow; if there's no "risk", then we could already add it I guess (we can probably still control the parameter to enable/disable it).
I still need to look at some of the other code in containerd; I want to keep the code as minimal as possible, but at least having the same profiles would be good.
Also need to look if Moby's contrib/apparmor should be migrated to this repo as well; https://github.com/moby/moby/tree/b11b687b6ab8faa84bbe664042770e91a1b2288f/contrib/apparmor
Upstream the improvement made in containerd [containerd@5098827]. [containerd@5098827]: containerd/containerd@5098827 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2 participants
Upstream the improvement made in containerd containerd@5098827.