http://bugzilla.opensuse.org/show_bug.cgi?id=1123387
http://bugzilla.opensuse.org/show_bug.cgi?id=1123387#c3
Christian Boltz changed:
  What    Removed    Added
  CC                 suse-beta@cboltz.de
--- Comment #3 from Christian Boltz ---
Indeed, that clearly looks like AppArmor (at least apparmor_parser) is
required.
However, note that the profile isn't too useful. It seems to be generated here:
https://github.com/containers/libpod/blob/b01ec95bda1f0398e62be85aeade70f2e6...
The problem is that it basically allows everything:
network, # full network access
capability, # all capabilities
file, # full permissions for all files
umount, # umount any filesystem
(I didn't check what Imports and InnerImports contain - with the above profile,
it's a lost game already, so a few more rules don't matter too much.)
Yes, I've seen that there are a few deny rules, but it would be a *very* good
idea to make the profile much more restrictive (= whitelist-based). I mean,
it's auto-generated, so podman should for example know _which files_ need to be
accessed instead of allowing access to everything.
BTW: This profile reminds me of the profile used by docker (maybe it was even
stolen from there?), which has a similar level of "security" :-/
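The comment above points out that a profile made of bare rules (`network,`, `capability,`, `file,`, `umount,`) allows everything, and that a whitelist-style profile is what a generator should emit. The following is an added example, written for this page and not code from podman/libpod, Christian Boltz or the AppArmor project: a small checker that scans AppArmor profile text and reports unqualified allow rules, run against two constructed profiles. The first mirrors the four permissive rules quoted in the bug; the second is a hypothetical whitelist rewrite. The profile name `generated-container`, the paths and the deny lines in both samples are assumptions made up for the example, not what libpod actually generates.

```python
"""Flag unqualified 'allow everything' rules in AppArmor profile text.

Added example for the bug discussion above; not libpod's code. A rule such
as 'capability,' with no argument grants the whole class, while
'capability net_bind_service,' grants one item. Deny rules are never
reported, because 'deny capability,' is restrictive, not permissive.
"""

# Rule keywords that, written bare (keyword followed directly by ','),
# grant the entire class of access.
BARE_ALLOW_ALL = {
    "capability": "all capabilities",
    "network": "full network access",
    "file": "rwmlk access to every file",
    "umount": "umount of any filesystem",
    "mount": "any mount operation",
    "ptrace": "ptrace of any process",
    "signal": "any signal to any process",
    "unix": "any unix socket operation",
    "dbus": "any dbus operation",
}


def _strip_comment(line):
    """Drop a trailing '# ...' comment; '#include' is a directive, not a comment."""
    s = line.strip()
    if s.startswith("#include") or s.startswith("include"):
        return s
    return s.split("#", 1)[0].strip()


def find_bare_rules(profile_text):
    """Return [(lineno, keyword, description)] for every unqualified allow rule.

    Only single-line rules ending in ',' are examined; profile headers,
    braces, includes and blank lines are skipped. 'audit' is a prefix that
    does not change what the rule permits, so 'audit capability,' is still
    reported. 'deny ...' rules are skipped.
    """
    findings = []
    for lineno, raw in enumerate(profile_text.splitlines(), 1):
        rule = _strip_comment(raw)
        if not rule.endswith(","):
            continue
        words = rule[:-1].split()
        if not words or words[0] == "deny":
            continue
        if words[0] == "audit":
            words = words[1:]
        if len(words) == 1 and words[0] in BARE_ALLOW_ALL:
            findings.append((lineno, words[0], BARE_ALLOW_ALL[words[0]]))
    return findings


# Constructed sample: the shape of the generated profile described in the
# bug (the four bare rules and their comments as quoted there). The profile
# name, include lines and deny rules are assumptions for this example.
PERMISSIVE_PROFILE = """\
#include <tunables/global>

profile generated-container flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,                  # full network access
  capability,               # all capabilities
  file,                     # full permissions for all files
  umount,                   # umount any filesystem

  deny @{PROC}/sysrq-trigger rwklx,
  deny mount,
}
"""

# Constructed sample: a whitelist-style rewrite for a hypothetical workload.
# Every path and capability here is illustrative; a real generator would
# derive them from what the container actually needs.
WHITELIST_PROFILE = """\
#include <tunables/global>

profile generated-container flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network inet stream,
  network inet6 stream,
  capability net_bind_service,
  capability setuid,
  capability setgid,

  /usr/bin/** mrix,
  /etc/** r,
  /var/lib/app/** rwk,
  owner /tmp/** rwk,

  deny mount,
  deny umount,
}
"""


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_PROFILE),
                       ("whitelist", WHITELIST_PROFILE)):
        hits = find_bare_rules(text)
        print(f"{name}: {len(hits)} unqualified allow rule(s)")
        for lineno, keyword, desc in hits:
            print(f"  line {lineno}: '{keyword},' grants {desc}")
```

The checker deliberately ignores deny rules, which is the point made in the comment: a handful of `deny` lines next to `file,` and `capability,` do not make the profile restrictive, because everything not explicitly denied is still allowed. Running the script on a real profile (for example one dumped from a container host) is a quick way to tell a whitelist from a "deny a few things" profile before trusting it.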