[Bug 1123387] New: podman broken without apparmor_parser
http://bugzilla.suse.com/show_bug.cgi?id=1123387
Bug ID: 1123387
Summary: podman broken without apparmor_parser
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Containers
Assignee: containers-bugowner@suse.de
Reporter: fvogt@suse.com
QA Contact: qa-bugs@suse.de
CC: rbrown@suse.com
Found By: ---
Blocker: ---
Reported in #kubic:
[15:31]
http://bugzilla.suse.com/show_bug.cgi?id=1123387#c8
--- Comment #8 from Aleksa Sarai
As an aside, the one thing that makes me distrust AppArmor as being useful as a primary security tool is that when profiles are deleted the constrained processes become unconstrained and there is no way to re-constrain them without hijacking them (with ptrace) to set their own profile again. This is a classic example of "failing-open" and is particularly bad because there is no reasonable way to re-constrain the processes. This happens very often with package upgrades, because the AppArmor tooling deletes all profiles not in /etc/apparmor.d. Do you know if there is any progress to fix this issue?
I just found that this was discussed ~6 years ago in bsc#853019. So this is not really a relevant discussion to bring up again here. :D
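Added example (not part of the bug report or of any SUSE/AppArmor tooling): a check for the fail-open condition comment #8 describes, comparing each process's label in /proc/<pid>/attr/current with a baseline of which profile should confine which executable. The baseline mapping, the daemon name "exampled" and the sample process tree are constructed assumptions; the check goes slightly beyond the comment by also flagging complain mode, which does not enforce either.

```python
import os, re, tempfile

LABEL_RE = re.compile(r"^(.+?)(?: \((\w+)\))?$")   # "name (mode)" or "unconfined"
DELETED = " (deleted)"

def read_label(proc_root, pid):
    """Parse <proc_root>/<pid>/attr/current into (profile, mode); mode is None when unconfined."""
    with open(os.path.join(proc_root, pid, "attr", "current")) as f:
        m = LABEL_RE.match(f.read().strip("\x00\n "))
    return m.groups() if m else ("", None)

def find_fail_open(proc_root, expected):
    """expected maps executable path -> profile that must confine it (assumed baseline).
    Returns (pid, exe, wanted_profile, actual_label) for every process off its baseline."""
    findings = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            name, mode = read_label(proc_root, pid)
        except OSError:          # kernel thread, exited process, or no permission
            continue
        # After a package upgrade the old binary is unlinked and the kernel
        # reports "<path> (deleted)"; strip it so the baseline still matches.
        if exe.endswith(DELETED):
            exe = exe[:-len(DELETED)]
        wanted = expected.get(exe)
        if wanted and (name != wanted or mode != "enforce"):
            actual = name if mode is None else f"{name} ({mode})"
            findings.append((int(pid), exe, wanted, actual))
    return findings

def build_sample_proc(root):
    """Constructed /proc look-alike for a hypothetical daemon 'exampled'."""
    sample = {
        "101": ("/usr/sbin/exampled", "exampled (enforce)\n"),
        "102": ("/usr/sbin/exampled (deleted)", "unconfined\n"),  # lost its profile
        "103": ("/usr/sbin/exampled", "exampled (complain)\n"),
        "104": ("/usr/bin/other", "unconfined\n"),                # not in the baseline
    }
    for pid, (exe, label) in sample.items():
        os.makedirs(os.path.join(root, pid, "attr"))
        os.symlink(exe, os.path.join(root, pid, "exe"))
        with open(os.path.join(root, pid, "attr", "current"), "w") as f:
            f.write(label)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        for hit in find_fail_open(root, {"/usr/sbin/exampled": "exampled"}):
            print(hit)
```

On a live system, pass "/proc" as proc_root and run as root so that every process's exe link and label are readable.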
http://bugzilla.suse.com/show_bug.cgi?id=1123387#c17
--- Comment #17 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1123387#c18
Flavio Castelli