8d868dadb7
Fixes https://github.com/containerd/containerd/issues/7695. The default profile allows processes within the container to trace others, but blocks reads/traces. This means that diagnostic facilities in processes can't easily collect crash/hang dumps. A usual workflow used by solutions like crashpad and similar projects is that the process that's unresponsive will spawn a process to collect diagnostic data using ptrace. seccomp-bpf, yama ptrace settings, and CAP_SYS_PTRACE already provide security mechanisms to reduce the scopes in which the API can be used. This enables reading from /proc/* files provided the tracer process passes all other checks. Signed-off-by: Juan Hoyos <juan.s.hoyos@outlook.com> |
||
|---|---|---|
| .. | ||
| apparmor_fuzzer.go | ||
| apparmor_test.go | ||
| apparmor_unsupported.go | ||
| apparmor.go | ||
| template_test.go | ||
| template.go | ||