fix: adjust the globing and abi rules in the apparmor profile #60
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MoisesGSalas
force-pushed
the
mgs/fix-profile
branch
from
9a1ec36 to
cf13e3e
Compare
jfavellar90
reviewed
Nov 26, 2024
jfavellar90
approved these changes
Nov 26, 2024
Newer versions of ubuntu (>24.04) do not pin the AppArmor Policy feature ABI which causes certain rules to not be enforced. We include an abi rule to use the relatively common 3.0 policy whenever it's available in the system, if it's not available we rely on the default fallback behaviour. The 3.0 policy should be present on any system using AppArmor>3.x (e.g. Ubuntu 22.04 or newer). The globbing rules in the profile were adjusted to cover a larger range of python versions and avoid creating new profiles for different versions of python used by the sandbox environment. To load the profile we need at least AppArmor 3.0, to avoid confusion in the future we pin the alpine base image and define a proper tag for the apparmorloader image.
MoisesGSalas
force-pushed
the
mgs/fix-profile
branch
from
cf13e3e to
7d74449
Compare
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Newer versions of ubuntu (>24.04) do not pin the AppArmor Policy feature ABI which causes certain rules to not be enforced. We include an abi rule to use the relatively common 3.0 policy whenever it's available in the system, if it's not available we rely on the default fallback behaviour. The 3.0 policy should be present on any system using AppArmor>3.x (e.g. Ubuntu 22.04 or newer).
The globbing rules in the profile were adjusted to cover a larger range of python versions and avoid creating new profiles for different versions of python used by the sandbox environment.
To load the profile we need at least AppArmor 3.0, to avoid confusion in the future we pin the alpine base image and define a proper tag for the apparmorloader image.