Should this be set only when the corresponding profile exists?
Also, what about youki, gvisor, kata, etc.?
I will update the template to check for known profiles.
These currently don't have any default profiles, see https://gitlab.com/apparmor/apparmor/-/tree/master/profiles/apparmor.d.
I don't know much about gVisor and kata runtimes, but I think those run containers in virtual machines, so their `kill` shouldn't involve sending signals (to container processes).
@AkihiroSuda What is the deadline for this change to be approved and merged to make it into v1.7.16?
I'm not sure what method you would recommend to conditionally add the signal receive rules. I can think of 4 ways:

- `macroExists(profile)` to check if `/etc/apparmor.d/$profile` exists for each profile in a hardcoded list of OCI runtime profiles known to exist in latest AppArmor
- `isLoaded(profile)` to check if the profile is loaded for each profile as above.
- `parseVersion` that was removed here (contrib/apparmor: remove code related to apparmor_parser version #8069) and conditionally add profiles based on known OCI runtime profiles in the parsed AppArmor version.

Which option would you go with or do you know of a better way?
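To make the first option concrete, here is an added example (not containerd's own code) of a Go `text/template` that emits a `signal (receive) peer=<runtime>,` rule only for runtimes whose profile file is installed under `/etc/apparmor.d`. The function name `profileExists`, the cut-down profile body, and the hard-coded runtime list are assumptions for illustration; the real template and list would be the project's. The check insists on a regular file so that a stray directory of the same name is not mistaken for a profile.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"text/template"
)

// profileDir is where distribution packages install AppArmor profiles.
const profileDir = "/etc/apparmor.d"

// knownRuntimes is a hypothetical hard-coded list of OCI runtimes that ship
// an AppArmor profile upstream; adjust it to the profiles you actually expect.
var knownRuntimes = []string{"runc", "crun"}

// profileExists reports whether a profile file named after the runtime is
// installed under dir. Only a regular file counts, so a directory or a
// dangling entry of the same name does not enable the rule.
func profileExists(dir, runtime string) bool {
	info, err := os.Stat(filepath.Join(dir, runtime))
	return err == nil && info.Mode().IsRegular()
}

// profileTemplate is a cut-down stand-in for a container profile: the
// unconditional rules come first, then one signal (receive) rule per runtime
// whose profile is present on the host. The "-" markers trim the newlines
// that would otherwise be left behind by the control actions.
const profileTemplate = `profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  network,
  capability,
  file,
  umount,
{{- range .Runtimes}}
{{- if profileExists $.ProfileDir .}}
  signal (receive) peer={{.}},
{{- end}}
{{- end}}
  deny @{PROC}/* w,
}
`

type profileData struct {
	Name       string
	ProfileDir string
	Runtimes   []string
}

// renderProfile expands the template for one container profile, emitting
// signal (receive) rules only for runtimes whose profile is found under dir.
func renderProfile(name, dir string, runtimes []string) (string, error) {
	tmpl, err := template.New("apparmor").
		Funcs(template.FuncMap{"profileExists": profileExists}).
		Parse(profileTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	data := profileData{Name: name, ProfileDir: dir, Runtimes: runtimes}
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// emittedPeers lists the peer names that appear in signal (receive) rules of
// a rendered profile, which is handy for checking what the template produced.
func emittedPeers(profile string) []string {
	const prefix = "signal (receive) peer="
	var peers []string
	for _, line := range strings.Split(profile, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, prefix) {
			peers = append(peers, strings.TrimSuffix(strings.TrimPrefix(line, prefix), ","))
		}
	}
	return peers
}

func main() {
	out, err := renderProfile("my-container", profileDir, knownRuntimes)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(out)
}
```

Running `main` on a host prints the rendered profile; on a machine where only `crun` is installed, the output carries exactly one `signal (receive) peer=crun,` line. The second option from the list (checking whether the profile is loaded in the kernel rather than present on disk) would only differ in the body of `profileExists`, and, as the later replies note, the check is only worth carrying if a rule naming a missing peer actually errors at load time.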
If you can confirm that `signal (receive) peer=crun,` does not cause an error when the `crun` profile is missing, I think we can just leave it as is and call it for a day. If it causes an error, checking `/etc/apparmor.d/$profile` seems good.
You can call it a day ;-) - the rule will just sit there and do nothing if the `crun` profile doesn't exist.