mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-29 05:17:59 +00:00
Update how to setup a policy namespace for containers
parent 9143a398b9
commit 25ce732a78
@ -2,6 +2,11 @@
bla bla bla, dependent on apparmor version and kernel version
# Base Requirements
* [A kernel that supports LSM stacking](how-to-setup-a-policy-namespace-for-containers#Stacking-Kernel-Requirements)
* [Authority to create an apparmor policy namespace](how-to-setup-a-policy-namespace-for-containers#Authority-to-create-a-policy-namespace)
# snappy
Is not required for snappy. Snappy applications don't load their own policy, snapd does it for them.
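Review bot: the placeholder line "bla bla bla, dependent on apparmor version and kernel version" will be rendered on the wiki as-is; replace it with the actual statement of which AppArmor and kernel versions the rest of the page depends on before this lands. Two smaller points in the same hunk: GitLab renders header anchors in lowercase with hyphens, so `#Stacking-Kernel-Requirements` and `#Authority-to-create-a-policy-namespace` may not resolve unless written as `#stacking-kernel-requirements` and `#authority-to-create-a-policy-namespace` (worth checking on the rendered page), and "Is not required for snappy." has no subject; suggest "A policy namespace is not required for snappy."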
@ -19,11 +24,10 @@ need the display lsm set
Lxd already supports creating apparmor child namespaces.
Nesting requirement with user namespaces
# Stacking Kernel Requirements
Caveat: Audit subsystem is not namespaced
# Authority to create a policy namespace
## Authority to create a policy namespace
Depends on apparmor and kernel versions
* kernels up to ??? require capability MAC_ADMIN in the user namespace.
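Review bot: the same heading appears twice at different levels, "# Authority to create a policy namespace" immediately followed by "## Authority to create a policy namespace"; keep only one, since the duplicate also produces a second, suffixed anchor while the link from the Base Requirements section targets the bare one. In the bullet "kernels up to ??? require capability MAC_ADMIN in the user namespace" the version placeholder needs filling in and the capability should be named as CAP_MAC_ADMIN so readers can match it against `capsh` or `/proc/self/status`. If "Nesting requirement with user namespaces" is meant to stay, it should be a sentence or a link to the Nesting Requirement section rather than a bare fragment, and "Lxd" is conventionally written "LXD".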
@ -31,6 +35,12 @@ Caveat: Audit subsystem is not namespaced
* kernels ??? add the ability for users to create/admin their own policy.
# Stacking Kernel Requirements
Caveat: Audit subsystem is not namespaced
## Nesting Requirement
if apparmor policy namespaces are used in conjunction with user namespaces. There is a nesting limit.
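Review bot: "kernels ??? add the ability for users to create/admin their own policy" still carries a version placeholder; fill it in, or state explicitly that the version is not yet known, so a reader can tell which of the two bullets applies to their kernel. The Nesting Requirement body is a fragment ("if apparmor policy namespaces are used in conjunction with user namespaces. There is a nesting limit.") and should say what the limit is and what happens when it is exceeded. The caveat "Audit subsystem is not namespaced" would be more useful with one sentence on its consequence for operators, for example that audit records from a child policy namespace end up in the host's single audit log, so a container cannot be given its own isolated audit trail and filtering and retention of those events has to happen on the host.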