mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-04 00:05:14 +00:00
Code Issues Releases Wiki Activity

Update how to setup a policy namespace for containers

John Johansen
2019-05-10 08:05:11 +00:00
parent 47782bf763
commit 4357271a3f
1 changed files with 35 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
how-to-setup-a-policy-namespace-for-containers.md

@@ -251,48 +251,48 @@ reap apparmor policy namespaces so when your container dies.
???? todo ???? todo
# ??Errors # Failures and Issues
apparmor enabled * Can't create policy ns
- apparmor not enabled
- policy interface not mounted/available
- No authority to manage policy
* Policy fails to load
- apparmor not enabled
- policy interface not mounted/available
- No authority to manage policy
* Can't transition to policy namespace
- check that the policy namespace was successfully created
- check for apparmor denials
- exec
- nnp
- ensure you are using a 4.17+ kernel
- safe exec
- mmap failures
- failure open executable
- denials leading exec to immediately exit
- task being killed
- change_profile failures
* Can't set the display LSM
- checkout that ```/proc/self/attr/display``` exists
- if not you need a kernel with the display LSM patches
- check that the specified LSM exists
- check that you have permission to write ```/proc/self/attr/display```
- check that you are not writing another task's ```/proc/self/attr/display```
- check that if you are using a thread it is writing its own ```/proc/<pid>/attr/display```. Only the lead thread can write to ```/proc/self/attr/display```
AppArmor Enabled
- apparmor built into the kernel - apparmor built into the kernel
- config param set - config param set
- kernel security param set - kernel security param set
can't create policy ns
- apparmor not enabled
- policy interface not mounted/available
- No authority to manage policy
policy fails to load
- apparmor not enabled
- policy interface not mounted/available
- No authority to manage policy
can't transition to policy namespace
- check that the policy namespace was successfully created
- check for apparmor denials
- exec
- nnp
- ensure you are using a 4.17+ kernel
- safe exec
- mmap failures
- failure open executable
- denials leading exec to immediately exit
- task being killed
- change_profile failures
can't set the display ns
- checkout that ```/proc/self/attr/display``` exists
- if not you need a kernel with the display LSM patches
- check that the specified LSM exists
- check that you have permission to write ```/proc/self/attr/display```
- check that you are not writing another task's ```/proc/self/attr/display```
- check that if you are using a thread it is writing its own ```/proc/<pid>/attr/display```. One the lead thread can write to ```/proc/self/attr/display```
policy interface mounted policy interface mounted
no-new-privs (nnp) no-new-privs (nnp)
Tasks can the nnp flag through a prctl which prevents the task and its children from gaining new privileges. The nnp flag can prevent apparmor policy confining the task to transition to a new profile. Tasks can the nnp flag through a prctl which prevents the task and its children from gaining new privileges. The nnp flag can prevent apparmor policy confining the task to transition to a new profile.