github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Add ptrace readby and tracedby to default AppArmor profile

Browse Source 
Fixes https://github.com/containerd/containerd/issues/7695. The default profile allows processes within the container to trace others, but blocks reads/traces. This means that diagnostic facilities in processes can't easily collect crash/hang dumps. A usual workflow used by solutions like crashpad and similar projects is that the process that's unresponsive will spawn a process to collect diagnostic data using ptrace. seccomp-bpf, yama ptrace settings, and CAP_SYS_PTRACE already provide security mechanisms to reduce the scopes in which the API can be used. This enables reading from /proc/* files provided the tracer process passes all other checks.

Signed-off-by: Juan Hoyos <juan.s.hoyos@outlook.com>
This commit is contained in:
Juan Hoyos
2022-11-23 15:01:32 -05:00
committed by GitHub
parent d063186221
commit 8d868dadb7
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
contrib/apparmor/template.go
View File

@@ -84,7 +84,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny /sys/kernel/security/** rwklx, deny /sys/kernel/security/** rwklx,
{{if ge .Version 208095}} {{if ge .Version 208095}}
ptrace (trace,read) peer={{.Name}}, # allow processes within the container to trace each other,
# provided all other LSM and yama setting allow it.
ptrace (trace,tracedby,read,readby) peer={{.Name}},
{{end}} {{end}}
} }
` `