mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-29 05:17:59 +00:00

Update how to setup a policy namespace for containers

John Johansen 2019-05-02 22:18:59 +00:00
parent 9143a398b9
commit 25ce732a78

@ -2,6 +2,11 @@
bla bla bla, dependent on apparmor version and kernel version
# Base Requirements
* [A kernel that supports LSM stacking](how-to-setup-a-policy-namespace-for-containers#Stacking-Kernel-Requirements)
* [Authority to create an apparmor policy namespace](how-to-setup-a-policy-namespace-for-containers#Authority-to-create-a-policy-namespace)
# snappy
Is not required for snappy. Snappy applications don't load their own policy, snapd does it for them.
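Review bot: the placeholder text "bla bla bla, dependent on apparmor version and kernel version" at the top of this hunk should be replaced with an actual summary before the page is published; as written the page opens with filler. The two requirement bullets link to in-page anchors written as `#Stacking-Kernel-Requirements` and `#Authority-to-create-a-policy-namespace`; GitLab lowercases the heading IDs it generates, so verify that these mixed-case anchors actually resolve on the rendered wiki page. Also, the snappy line "Is not required for snappy." has no subject; consider "A policy namespace is not required for snappy: snap applications don't load their own policy, snapd does it for them."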
@ -19,11 +24,10 @@ need the display lsm set
Lxd already supports creating apparmor child namespaces.
Nesting requirement with user namespaces
# Stacking Kernel Requirements
Caveat: Audit subsystem is not namespaced
# Authority to create a policy namespace
## Authority to create a policy namespace
Depends on apparmor and kernel versions
* kernels up to ??? require capability MAC_ADMIN in the user namespace.
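Review bot: this hunk has a duplicated heading, "# Authority to create a policy namespace" immediately followed by "## Authority to create a policy namespace"; only one should remain, at the level that matches the surrounding "# Base Requirements" / "# Stacking Kernel Requirements" structure. The version placeholder in "kernels up to ??? require capability MAC_ADMIN in the user namespace" needs a concrete kernel version (or an explicit "TBD" with a tracking note) since this is the line a container operator will act on, and "Nesting requirement with user namespaces" is a fragment rather than a sentence; it reads as a stray note that belongs under the "Nesting Requirement" section.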
@ -31,6 +35,12 @@ Caveat: Audit subsystem is not namespaced
* kernels ??? add the ability for users to create/admin their own policy.
# Stacking Kernel Requirements
Caveat: Audit subsystem is not namespaced
## Nesting Requirement
if apparmor policy namespaces are used in conjunction with user namespaces. There is a nesting limit.
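Review bot: "# Stacking Kernel Requirements" together with "Caveat: Audit subsystem is not namespaced" appears both in this hunk and in the previous one, so the section is now present twice on the page; keep a single copy. The bullet "kernels ??? add the ability for users to create/admin their own policy" carries the same unfilled version placeholder as the bullet above it and should be completed together with it. Under "## Nesting Requirement" the text "if apparmor policy namespaces are used in conjunction with user namespaces. There is a nesting limit." is a sentence fragment followed by an unquantified claim; suggest "If apparmor policy namespaces are used in conjunction with user namespaces, there is a nesting limit of N." with the actual limit stated, since without the value the section tells the reader nothing actionable.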