mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 22:35:35 +00:00

Update how to setup a policy namespace for containers

John Johansen
2019-05-16 21:29:42 +00:00
parent e76e1dac23
commit 2e715c3548

@@ -16,6 +16,34 @@ This document is split into sections outlining a how to/example for different co
## apparmor host, apparmor container ## apparmor host, apparmor container
### No host policy on container
```
mkdir /sys/kernel/security/apparmor/policy/namespaces/${NS_NAME}
lsm-exec -l apparmor ; aa-exec -p ":${NS_NAME}:unconfined" -- ${CONTAINER_CMD}
```
and to cleanup after the container has exited
```
rmdir /sys/kernel/security/apparmor/policy/namespaces/${NS_NAME}
```
### Host policy applied to container
```
mkdir /sys/kernel/security/apparmor/policy/namespaces/${NS_NAME}
```
to add a bounding stack to the current host policy
lsm-exec -l apparmor ; aa-exec -p "&:${NS_NAME}:unconfined" -- ${CONTAINER_CMD}
to specify the host policy and setup the bounding stack
lsm-exec -l apparmor ; aa-exec -p "${HOST_PROFILE}//&:${NS_NAME}:unconfined" -- ${CONTAINER_CMD}
and to cleanup after the container has exited
```
rmdir /sys/kernel/security/apparmor/policy/namespaces/${NS_NAME}
```
## apparmor host, smack container ## apparmor host, smack container
## smack host, apparmor container ## smack host, apparmor container
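Review bot: the two `aa-exec` invocations in the new "Host policy applied to container" subsection are not inside a code fence (the fence closes after the `mkdir` line and is only reopened for the `rmdir`), unlike every other command in this section; put `lsm-exec -l apparmor ; aa-exec -p "&:${NS_NAME}:unconfined" -- ${CONTAINER_CMD}` and the `"${HOST_PROFILE}//&:${NS_NAME}:unconfined"` variant each in their own fence so they render as commands and copy cleanly. This subsection also shows only the `lsm-exec` form, while the next hunk documents `aa-exec --setlsm` for AppArmor 3.x; either give both variants here too or say that the lines shown are the 2.x form. Since "bounding stack" is introduced here without a definition, one sentence saying that the host profile named before `//&` bounds what the container's namespace can be granted would save readers a trip to the policy section.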
@@ -64,9 +92,9 @@ The basic descriptions assume the AppArmor userspace is installed on the host, w
2. [Create an apparmor namespace](how-to-setup-a-policy-namespace-for-containers#creating-an-apparmor-namespace) 2. [Create an apparmor namespace](how-to-setup-a-policy-namespace-for-containers#creating-an-apparmor-namespace)
3. [Switch the display LSM and put root container task into the apparmor namespace.](how-to-setup-a-policy-namespace-for-containers#starting-the-container-in-the-policy-namespace) 3. [Switch the display LSM and put root container task into the apparmor namespace.](how-to-setup-a-policy-namespace-for-containers#starting-the-container-in-the-policy-namespace)
AppArmor 2.x: ```lsm-exec -l apparmor ; aa-exec -p ":$(NS_NAME):unconfined" -- $(CONTAINER_CMD)``` AppArmor 2.x: ```lsm-exec -l apparmor ; aa-exec -p ":${NS_NAME}:unconfined" -- ${CONTAINER_CMD}```
AppArmor 3.x: ```aa-exec --setlsm -p ":$(NS_NAME):unconfined" -- $(CONTAINER_CMD)``` AppArmor 3.x: ```aa-exec --setlsm -p ":${NS_NAME}:unconfined" -- ${CONTAINER_CMD}```
# Setting up the environment # Setting up the environment
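Review bot: changing `$(NS_NAME)` to `${NS_NAME}` in both the AppArmor 2.x and 3.x command lines is the right fix: in a shell, `$(NS_NAME)` is command substitution and tries to run a program named `NS_NAME`, so a reader copying the old line would get a command-not-found error and an empty namespace name in the `-p` argument instead of the variable's value. Minor style point: inline commands on the list lines use triple backticks mid-sentence; single backticks are the conventional inline-code form in Markdown and avoid the renderer treating them as a block.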
@@ -310,15 +338,15 @@ have policy on the host) and it has cap mac_admin (root). Then
you can do you can do
``` ```
mkdir /sys/kernel/security/apparmor/policy/namespaces/$(NS_NAME) mkdir /sys/kernel/security/apparmor/policy/namespaces/${NS_NAME}
``` ```
where $(NS_NAME) is basically limited to alphanum with the first where ${NS_NAME} is basically limited to alphanum with the first
character being alpha. And unfortunately there is no way to auto character being alpha. And unfortunately there is no way to auto
reap apparmor policy namespaces so when your container dies. reap apparmor policy namespaces so when your container dies.
``` ```
rmdir /sys/kernel/security/apparmor/policy/namespaces/$(NS_NAME) rmdir /sys/kernel/security/apparmor/policy/namespaces/${NS_NAME}
``` ```
## policy ## policy
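Review bot: the same `$(NS_NAME)` to `${NS_NAME}` correction is applied to the `mkdir`, the explanatory sentence and the `rmdir`, which keeps this section consistent with the earlier hunks. The context sentence "And unfortunately there is no way to auto reap apparmor policy namespaces so when your container dies." is unfinished, the "so when your container dies" clause has no consequent; suggest completing it to say that whoever started the container must remove the namespace directory itself, which is what the fenced `rmdir` line below it shows. It would also help to state the naming rule more precisely than "basically limited to alphanum with the first character being alpha", since "basically" leaves the reader guessing which characters the `mkdir` will accept.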
@@ -505,13 +533,13 @@ Note: some applications (eg. LXD, snapd) use AppArmor's lowlevel interfaces dire
https://gitlab.com/apparmor/apparmor/blob/master/binutils/aa_exec.c https://gitlab.com/apparmor/apparmor/blob/master/binutils/aa_exec.c
with basic usage of with basic usage of
aa-exec -p ":$(NS_NAME):unconfined" -- bash aa-exec -p ":${NS_NAME}:unconfined" -- bash
where again you can replace bash where again you can replace bash
Alternately you can skip aa-exec by writing Alternately you can skip aa-exec by writing
"exec :$(NS_NAME):unconfined" to /proc/self/attr/exec "exec :${NS_NAME}:unconfined" to /proc/self/attr/exec
The profile transition to the new namespace will happen at the next The profile transition to the new namespace will happen at the next
exec and that task and its children will inherit confinement in exec and that task and its children will inherit confinement in
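Review bot: the `${NS_NAME}` fix is also applied to the `"exec :${NS_NAME}:unconfined"` string written to `/proc/self/attr/exec`, but unlike the `aa-exec -p` command line that string is not expanded by a shell, so here `${NS_NAME}` is only a placeholder; the paragraph should say that the caller has to substitute the actual namespace name before writing `exec :<name>:unconfined`, otherwise a reader doing the write from code could send the literal text and refer to a namespace that does not exist. Worth a sentence, since this path is introduced as the alternative for applications that bypass `aa-exec` and use the low-level interface directly.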