From 8d868dadb746aabfd3583d834510109afe9b1919 Mon Sep 17 00:00:00 2001
From: Juan Hoyos <juan.s.hoyos@outlook.com>
Date: Wed, 23 Nov 2022 15:01:32 -0500
Subject: [PATCH] Add ptrace readby and tracedby to default AppArmor profile

Fixes https://github.com/containerd/containerd/issues/7695. The default profile allows processes within the container to trace others, but blocks reads/traces. This means that diagnostic facilities in processes can't easily collect crash/hang dumps. A usual workflow used by solutions like crashpad and similar projects is that the process that's unresponsive will spawn a process to collect diagnostic data using ptrace. seccomp-bpf, yama ptrace settings, and CAP_SYS_PTRACE already provide security mechanisms to reduce the scopes in which the API can be used. This enables reading from /proc/* files provided the tracer process passes all other checks.

Signed-off-by: Juan Hoyos <juan.s.hoyos@outlook.com>
---
 contrib/apparmor/template.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
index 7544db749..c0b0e542e 100644
--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@@ -84,7 +84,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/kernel/security/** rwklx,
 
 {{if ge .Version 208095}}
-  ptrace (trace,read) peer={{.Name}},
+  # allow processes within the container to trace each other,
+  # provided all other LSM and yama setting allow it.
+  ptrace (trace,tracedby,read,readby) peer={{.Name}},
 {{end}}
 }
 `