Merge pull request #7714 from hoyosjs/patch-1

Add ptrace readby and tracedby to default AppArmor profile
2022-11-28 22:32:59 +08:00 · 2022-11-28 22:32:59 +08:00 · 4b8002e5d1
commit 4b8002e5d1
parent 6bfe6e38b2 8d868dadb7
1 changed files with 3 additions and 1 deletions
--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@ -84,7 +84,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  deny /sys/kernel/security/** rwklx,

 {{if ge .Version 208095}}
-  ptrace (trace,read) peer={{.Name}},
+  # allow processes within the container to trace each other,
+  # provided all other LSM and yama setting allow it.
+  ptrace (trace,tracedby,read,readby) peer={{.Name}},
 {{end}}
 }
 `