Profile Entry for operation="change_onexec"
Bug #1997374 reported by
Shaheena Kazi
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | New | Undecided | Unassigned |
Bug Description
Hello,
I have created a profile for containers on my Debian environment.
I am getting the below denial in /var/log/syslog
Nov 22 09:43:28 microk8s-32 kernel: audit: type=1400 audit(166911020
I just wanted to know what should be the entry that needs to be added in the profile.
- Shaheena K
Changed in apparmor: assignee: nobody → John Johansen (jjohansen)
You will need two rules, a change_profile rule and a follow-on exec rule. Unfortunately, the full information needed is not available at this point. So you can do
change_profile /** -> docker-default,
which will allow change_onexec from an executable, that is the /** part, to the docker-default profile.
The change_profile will not happen immediately but will be delayed until the exec and rechecked at that time, to make sure it is still allowed and the change_profile is being applied to the correct binary, in this case any exec will work.
You can tighten up the rule by changing the /** to the executable used in the following exec.
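As an added illustration of the two rules described in the comment above (this is not a profile from the bug report or from the AppArmor project), here is a minimal profile skeleton showing the broad change_profile rule, the follow-on exec rule, and the tightened form. The profile name, the executable path /PATH/TO/RUNTIME and the choice of ix for the exec rule are assumptions; the denial in the report does not show which binary performs the exec, so the placeholder must be replaced with the path from your own audit record before this is useful.

```apparmor
# Added example, not from the bug report: a container-runtime profile skeleton
# with the two rules needed for a change_onexec to docker-default.
# ASSUMPTIONS: the profile name and /PATH/TO/RUNTIME are placeholders.
#include <tunables/global>

profile container-runtime-example {
  #include <abstractions/base>

  # Rule 1: permit the change_onexec request to the docker-default profile.
  # /** matches any executable; the transition is deferred until the exec
  # and re-checked against the binary actually executed at that time.
  change_profile /** -> docker-default,

  # Rule 2: the follow-on exec rule for the binary that is executed.
  # ix (inherit) is an assumed choice; the pending change_onexec request
  # determines the profile the new process actually runs under.
  /PATH/TO/RUNTIME ix,

  # Tightened alternative to rule 1 once the executable is known
  # (assumed path; use this instead of the /** form):
  # change_profile /PATH/TO/RUNTIME -> docker-default,
}
```

Load the profile with apparmor_parser -r and, while confirming the rule set, run it with flags=(complain) so that any remaining operations the profile does not yet cover show up as audit records in /var/log/syslog rather than being blocked; once no further denials appear for the exec and the transition, switch back to enforce mode and replace the /** form with the exact executable path.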