Update apparmor profile to support v4.0.0 #2004
Ephemeral COPR build failed. @containers/packit-build please check. |
@@ -21,6 +21,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { | |||
# Allow signals from privileged profiles and from within the same profile | |||
signal (receive) peer=unconfined, | |||
signal (send,receive) peer={{.Name}}, | |||
# Allow certain signals from OCI runtimes (podman, runc and crun) | |||
signal (receive) peer={/usr/bin/,/usr/sbin/,}runc, | |||
signal (receive) peer={/usr/bin/,/usr/sbin/,}crun, |
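Review bot: the new comment line says the rules cover "podman, runc and crun", but the two rules under it only name runc and crun; either add the podman peer rule in this hunk or narrow the comment to the runtimes actually listed. It is also worth saying in the comment that the trailing empty alternative in `{/usr/bin/,/usr/sbin/,}` is deliberate, so that the bare profile names `runc` and `crun` match as well as the path-named profiles, otherwise a later cleanup may drop it.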
Does this support globs?
signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*,
It's an "AppArmor Regular Expression" which is a glob with knobs on
File resources and other parameters accepting an AARE may be specified with a globbing syntax similar to that used by popular shells, such as [csh(1)](https://man.archlinux.org/man/csh.1.en), [bash(1)](https://man.archlinux.org/man/bash.1.en), [zsh(1)](https://man.archlinux.org/man/zsh.1.en).
*            can substitute for any number of characters, excepting '/'
**           can substitute for any number of characters, including '/'
?            can substitute for any single character excepting '/'
[abc]        will substitute for the single character a, b, or c
[a-c]        will substitute for the single character a, b, or c
[^a-c]       will substitute for any single character not matching a, b or c
{ab,cd}      will expand to one rule to match ab, one rule to match cd
Can also include variables.
@{variable}  will expand to all values assigned to the given variable.
When AppArmor looks up a directory the pathname being looked up will end with a slash (e.g., /var/tmp/); otherwise it will not end with a slash. Only rules that match a trailing slash will match directories. Some examples, none matching the /tmp/ directory itself, are:
/tmp/*       Files directly in /tmp.
/tmp/*/      Directories directly in /tmp.
/tmp/**      Files and directories anywhere underneath /tmp.
/tmp/**/     Directories anywhere underneath /tmp.
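To make the quoted AARE rules concrete, here is an added illustration (not AppArmor's own parser code) that translates an AARE glob into a Python regular expression and checks the peer patterns from this PR against sample profile names; it also applies the man page's point that `/tmp/*` does not match the `/tmp/` directory itself. Variable expansion (`@{variable}`) is left out.

```python
import re


def aare_to_regex(pattern: str) -> str:
    """Translate an AppArmor Regular Expression (AARE) glob into a Python
    regex string, following apparmor.d(5): '*' stops at '/', '**' crosses
    '/', '?' is one non-'/' character, [...] is a character class and
    {a,b,...} is alternation (an empty alternative is allowed).  As in the
    real parser, a '*' or '**' that directly follows '/' must match at least
    one character, so '/tmp/*' does not match the '/tmp/' directory itself.
    Added illustration; @{variable} expansion is not implemented."""
    out = []
    depth = 0                      # nesting depth of {...} groups
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        after_slash = i > 0 and pattern[i - 1] == "/"
        if c == "*":
            if i + 1 < n and pattern[i + 1] == "*":
                out.append("[^/].*" if after_slash else ".*")
                i += 2
                continue
            out.append("[^/]+" if after_slash else "[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j < 0:
                raise ValueError("unterminated character class in AARE")
            body = pattern[i + 1:j].replace("\\", "\\\\")
            out.append("[" + body + "]")   # a leading '^' negates, as in regex
            i = j
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "," and depth:
            out.append("|")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced braces in AARE")
    return "".join(out)


def aare_match(pattern: str, subject: str) -> bool:
    """True when the whole subject (a path or a peer profile name) matches."""
    return re.fullmatch(aare_to_regex(pattern), subject) is not None


if __name__ == "__main__":
    # Constructed peer names checked against the patterns used in this PR.
    for pat in ("{/usr/bin/,/usr/sbin/,}runc", "{/usr/bin/,/usr/sbin/,}crun*"):
        print(pat, "->", aare_to_regex(pat))
        for peer in ("runc", "/usr/sbin/runc", "crun", "/usr/bin/crun-wasm",
                     "/usr/local/bin/crun", "/usr/bin/crun/helper"):
            print("  %-22s %s" % (peer, aare_match(pat, peer)))
    for pat in ("/tmp/*", "/tmp/*/", "/tmp/**", "/tmp/**/"):
        print(pat, [p for p in ("/tmp/", "/tmp/a", "/tmp/a/", "/tmp/a/b/")
                    if aare_match(pat, p)])
```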
OK, change the crun to allow for crun-wasm, crun-qm and other future OCI runtimes based off of crun.
That's done.
LGTM, one small question.
AppArmor v4.0.0 introduced podman, runc and crun profiles for /usr/bin/podman, /usr/sbin/runc and /usr/bin/crun respectively[1]. This change breaks the stopping of containers, because the built-in profile assigned to containers doesn't accept signals from podman, runc and crun peers.
This commit extends the default profile with rules that allow receiving signals from processes that run confined with the podman, runc or crun profiles. It is backward compatible because the peer value is a regular expression (AARE) so the referenced profile doesn't have to exist for this profile to successfully compile and load.
The signal set from runc or crun remains unconstrained as the user can issue any signal via the kill sub-command of podman. Signals from podman itself are restricted to the common interrupt and termination signals.
Closes containers#1898
[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
# Allow certain signals from OCI runtimes (podman, runc and crun) | ||
signal (receive) peer={/usr/bin/,/usr/sbin/,}runc, | ||
signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*, | ||
signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}podman, |
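Review bot: the podman rule on the last added line narrows the signal set to (int, quit, kill, term) while the runc and crun rules on the two lines above accept any signal; the comment on the first line should state why podman is treated differently, because any other signal podman starts sending will be refused with nothing but an audit DENIED line to show for it, and the set will need revisiting whenever podman's stop or kill path changes.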
podman uses kill(pid,0) to check if the process is still alive, would that get blocked by this list?
Is there any practical reason to limit podman to certain signals?
The permission to check a pid is given in the imported abstractions/base along with the permissions to self-signal and receive unconfined processes:
  # Allow unconfined processes to send us signals by default
  signal (receive) peer=unconfined,
  # Allow us to signal ourselves
  signal peer=@{profile_name},
  # Checking for PID existence is quite common so add it by default for now
  signal (receive, send) set=("exists"),
The two lines that already appear in the linux_template are really superfluous as they are handled by abstractions/base and have been since apparmor 2.9, which introduced signal filtering a decade or more ago.
The reason for filtering signals is the same reason for denying access to anything via apparmor - defence against error and compromise. SIGSTOP to conmon for example. The conmon code appears to use default dispositions for most signals. Arguably SIGQUIT could be removed from the list to avoid a Core default disposition (does anything allow core dumps any more?).
I couldn't tell from testing (or the podman code) what signals podman expects to send. I just got a DENIED error in the logs. I plumped for a standard set and that seemed to do the trick.
May 14 11:14:41 srv-omzr6 kernel: audit: type=1400 audit(1715685281.392:118): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" pid=7458 comm="conmon" requested_mask="receive" denied_mask="receive" signal=term peer="podman"
If you have the actual signals podman intends to send, then we can limit to that.
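An added example, not from this PR or from podman, showing how a profile maintainer could turn audit DENIED signal records like the one quoted above into the narrowest `signal` rules that would permit them; the log lines other than the one from this thread are constructed.

```python
import re
from collections import defaultdict

# Field layout of an AppArmor "signal" audit record, as in the DENIED line
# quoted in this thread.  Non-signal records (file denials etc.) do not match.
AUDIT_RE = re.compile(
    r'apparmor="(?P<action>[A-Z]+)"\s+operation="(?P<operation>[^"]+)"'
    r'(?:\s+class="[^"]+")?\s+profile="(?P<profile>[^"]+)"\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]+)"\s+requested_mask="(?P<requested>[^"]+)"'
    r'\s+denied_mask="(?P<denied>[^"]+)"\s+signal=(?P<signal>\w+)'
    r'\s+peer="(?P<peer>[^"]+)"'
)

# The real line from this thread plus constructed siblings (marked).
SAMPLE_LOG = [
    'May 14 11:14:41 srv-omzr6 kernel: audit: type=1400 audit(1715685281.392:118): '
    'apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" '
    'pid=7458 comm="conmon" requested_mask="receive" denied_mask="receive" signal=term peer="podman"',
    # constructed: a second podman signal against the same profile
    'May 14 11:14:42 srv-omzr6 kernel: audit: type=1400 audit(1715685282.010:119): '
    'apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" '
    'pid=7458 comm="conmon" requested_mask="receive" denied_mask="receive" signal=kill peer="podman"',
    # constructed: a runtime peer
    'May 14 11:14:43 srv-omzr6 kernel: audit: type=1400 audit(1715685283.120:120): '
    'apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.4" '
    'pid=7458 comm="conmon" requested_mask="receive" denied_mask="receive" signal=int peer="crun"',
    # constructed: complain-mode record, must be ignored (not a denial)
    'May 14 11:14:44 srv-omzr6 kernel: audit: type=1400 audit(1715685284.000:121): '
    'apparmor="ALLOWED" operation="signal" class="signal" profile="containers-default-0.57.4" '
    'pid=7458 comm="conmon" requested_mask="receive" denied_mask="receive" signal=hup peer="podman"',
]


def parse_signal_denials(lines):
    """Return one dict per DENIED signal record; everything else is skipped."""
    found = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m and m["action"] == "DENIED" and m["operation"] == "signal":
            found.append(m.groupdict())
    return found


def rules_for(denials):
    """Collapse denials into (profile, rule) pairs, one rule per
    (profile, access mask, peer), with the signal set limited to what was
    actually observed rather than the unrestricted default."""
    sets = defaultdict(set)
    for d in denials:
        sets[(d["profile"], d["denied"], d["peer"])].add(d["signal"])
    rules = []
    for (profile, mask, peer), signals in sorted(sets.items()):
        rule = "signal (%s) set=(%s) peer=%s," % (mask, ", ".join(sorted(signals)), peer)
        rules.append((profile, rule))
    return rules


if __name__ == "__main__":
    for profile, rule in rules_for(parse_signal_denials(SAMPLE_LOG)):
        print("%s:  %s" % (profile, rule))
```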
The reason for filtering signals is the same reason for denying access to anything via apparmor - defence against error and compromise. SIGSTOP to conmon for example. The conmon code appears to use default dispositions for most signals. Arguably SIGQUIT could be removed from the list to avoid a Core default disposition (does anything allow core dumps any more?).
Sure, but I don't see how anyone can expect a container to be safe in case of a podman compromise. Blocking certain signals for security seems pointless. As a user you can run podman kill to send any signal, sure that is funnelled through the oci runtime (crun, runc) and you have to allow everything there anyway. Because nothing can prevent a compromised from calling the oci runtime, preventing podman from sending a certain signal does not add any security IMO.
I don't think we send any other signals today but I cannot be sure about that. But if it changes in the future the profiles will not allow it causing unnecessary bugs. And no maintainer will remember to edit the apparmor profile until a bug will be reported.
It's the usual debate about whether to be open to all (the standard unix approach) or be locked down (which is what selinux and apparmor add in).
I can't really help with that. It's a philosophical point for the podman project to decide. I don't know in detail what conmon is there to do and whether it requires signal filtering.
All I want is for my database containers to stop failing.
Yeah fair enough, the current profile doesn't work at all and this fixes the problems we are seeing today so I am ok merging it as is. If we start sending other signals we fail again but it is unlikely enough that I can live with such possibilities.
LGTM
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: Luap99, NeilW.
b643760 into containers:main
AppArmor v4.0.0 introduced podman, runc and crun profiles for /usr/bin/podman, /usr/sbin/runc and /usr/bin/crun respectively[1]. This change breaks the stopping of containers, because the built-in profile assigned to containers doesn't accept signals from podman, runc and crun peers.
This commit extends the default profile with rules that allow receiving signals from processes that run confined with the podman, runc or crun profile. It is backward compatible because the peer value is a regular expression (AARE) so the referenced profile doesn't have to exist for this profile to successfully compile and load.
The signal set from runc or crun remains unconstrained as the user can issue any signal via the kill sub-command of podman.
Signals from podman itself are restricted to the common interrupt and termination signals.
Closes #1898
[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936