apparmor: sync ptrace rule formatting and comment with containerd #9

Merged

thaJeztah merged 1 commit into main from apparmor_tweak_description
Feb 19, 2026

Conversation

@thaJeztah (Member)

Use the same formatting and comment as used by the containerd fork for easier comparison of the profiles. Using the formatting from containerd@8d868da.

> Add ptrace readby and tracedby to default AppArmor profile
>
> The default profile allows processes within the container to trace others,
> but blocks reads/traces. This means that diagnostic facilities in processes
> can't easily collect crash/hang dumps. A usual workflow used by solutions
> like crashpad and similar projects is that the process that's unresponsive
> will spawn a process to collect diagnostic data using ptrace. seccomp-bpf,
> yama ptrace settings, and CAP_SYS_PTRACE already provide security mechanisms
> to reduce the scopes in which the API can be used. This enables reading from
> /proc/* files provided the tracer process passes all other checks.

Use the same formatting and comment as used by the containerd fork for
easier comparison of the profiles. Using the formatting from [containerd@8d868da].

> Add ptrace readby and tracedby to default AppArmor profile
>
> The default profile allows processes within the container to trace others,
> but blocks reads/traces. This means that diagnostic facilities in processes
> can't easily collect crash/hang dumps. A usual workflow used by solutions
> like crashpad and similar projects is that the process that's unresponsive
> will spawn a process to collect diagnostic data using ptrace. seccomp-bpf,
> yama ptrace settings, and CAP_SYS_PTRACE already provide security mechanisms
> to reduce the scopes in which the API can be used. This enables reading from
> /proc/* files provided the tracer process passes all other checks.

[containerd@8d868da]: containerd/containerd@8d868da

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
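As an added example (not code from this PR, from moby, or from containerd): a small Go checker that parses the `ptrace (...) peer=...,` rules out of AppArmor profile text and reports which of the four permissions the commit title names (`trace`, `read`, `tracedby`, `readby`) are missing for a given peer label. The two profile strings are constructed samples modelled on the rule form the commit describes, not the real templates, and the peer label `docker-default` is an assumption; the function names `ParsePtraceRules` and `MissingPtracePerms` are likewise this example's own. The intended use is a regression check in a profile generator's test suite: if the rendered profile ever loses `tracedby`/`readby` again, in-container crash-dump helpers silently stop working, and this makes that visible.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PtraceRule is one parsed AppArmor rule of the form
//   ptrace (perm,perm,...) peer=LABEL,
// "trace" and "read" let the confined process act on the peer; "tracedby"
// and "readby" let the peer act on the confined process (the direction
// the commit adds so a sibling tracer can read /proc/<pid>/* and attach).
type PtraceRule struct {
	Perms []string
	Peer  string // empty when the rule carries no peer= qualifier
}

// Only the parenthesised form is handled. A bare "ptrace," rule (all
// permissions, any peer) is deliberately not matched, so a profile relying
// on it shows up as "missing" and gets reviewed by a human instead.
var ptraceRuleRe = regexp.MustCompile(`(?m)^\s*ptrace\s*\(([^)]*)\)(?:\s*peer=([^,\s]+))?\s*,`)

// ParsePtraceRules returns every ptrace rule found in the profile text.
func ParsePtraceRules(profile string) []PtraceRule {
	var rules []PtraceRule
	for _, m := range ptraceRuleRe.FindAllStringSubmatch(profile, -1) {
		var perms []string
		for _, p := range strings.Split(m[1], ",") {
			if p = strings.TrimSpace(p); p != "" {
				perms = append(perms, p)
			}
		}
		rules = append(rules, PtraceRule{Perms: perms, Peer: m[2]})
	}
	return rules
}

// MissingPtracePerms lists the required permissions that no ptrace rule for
// the given peer grants. An empty result means the profile matches expectations.
func MissingPtracePerms(profile, peer string, required ...string) []string {
	granted := map[string]bool{}
	for _, r := range ParsePtraceRules(profile) {
		if r.Peer != peer {
			continue
		}
		for _, p := range r.Perms {
			granted[p] = true
		}
	}
	var missing []string
	for _, p := range required {
		if !granted[p] {
			missing = append(missing, p)
		}
	}
	return missing
}

// Constructed sample profiles (not the real moby or containerd templates).
// The profile name "docker-default" is an assumption used as the peer label.
const profileBefore = `
profile docker-default flags=(attach_disconnected,mediate_deleted) {
  network,
  capability,
  file,
  umount,

  # the container may read and trace its own peers but cannot be read or
  # traced by them: a crash-dump helper spawned inside the container is blocked
  ptrace (trace,read) peer=docker-default,
}
`

const profileAfter = `
profile docker-default flags=(attach_disconnected,mediate_deleted) {
  network,
  capability,
  file,
  umount,

  # readby and tracedby added: a sibling tracer may now read /proc/<pid>/*
  # and attach, still subject to seccomp, Yama ptrace_scope and CAP_SYS_PTRACE
  ptrace (trace,read,tracedby,readby) peer=docker-default,
}
`

// RequiredPtracePerms is the set the checker expects on the container's own peer label.
var RequiredPtracePerms = []string{"trace", "read", "tracedby", "readby"}

func main() {
	for name, profile := range map[string]string{"before": profileBefore, "after": profileAfter} {
		missing := MissingPtracePerms(profile, "docker-default", RequiredPtracePerms...)
		if len(missing) == 0 {
			fmt.Printf("%s: ptrace rule complete\n", name)
		} else {
			fmt.Printf("%s: ptrace rule missing %s\n", name, strings.Join(missing, ","))
		}
	}
}
```

The check is keyed on the peer label on purpose: a `readby` granted to some other label does not help a tracer running under the container's own profile, which is the case the commit message is about.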
@thaJeztah thaJeztah merged commit 935f56c into main Feb 19, 2026
10 checks passed
@thaJeztah thaJeztah deleted the apparmor_tweak_description branch February 19, 2026 13:41