Skip to content

Add support for Seccomp and AppArmor profiles. #3152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dperny merged 1 commit into from
Aug 23, 2023
Merged

Add support for Seccomp and AppArmor profiles. #3152

dperny merged 1 commit into from
Aug 23, 2023

Conversation

@dperny
Copy link
Collaborator

@dperny dperny commented Aug 11, 2023

Adds support for seccomp profiles, AppArmor profiles, and the no-new-privileges security options.

This rounds out the present functionality of the --security-opt flag present for Docker containers.

@codecov-commenter
Copy link

codecov-commenter commented Aug 11, 2023
edited
Loading

Codecov Report

Merging #3152 (5e3d974) into master (1983e41) will increase coverage by 0.11%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #3152      +/-   ##
==========================================
+ Coverage   61.67%   61.79%   +0.11%     
==========================================
  Files         155      155              
  Lines       31143    31143              
==========================================
+ Hits        19207    19244      +37     
+ Misses      10389    10346      -43     
- Partials     1547     1553       +6

thaJeztah
thaJeztah reviewed Aug 11, 2023
View reviewed changes
api/types.proto Outdated
Comment on lines 1160 to 1167
// Apparmor is the Apparmor profile to be applied to the container, if any.
// The node running the container must have the profile present.
string apparmor = 3;

// Seccomp is the seccomp profile to be used as a seccomp filter for the
// container, or "unconfined" if none. The profile must be present on the
// node running the container.
string seccomp = 4;
Copy link
Member

@thaJeztah thaJeztah Aug 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps make it explicit; apparmor_profile and seccomp_profile ?

@dperny dperny force-pushed the add-seccomp-apparmor branch from 18645ed to 5e3d974 Compare August 11, 2023 16:44
neersighted
neersighted reviewed Aug 11, 2023
View reviewed changes
api/types.proto Outdated
string seccomp_profile = 4;

// NoNewPrivileges, if set to true, disables the container from gaining new
// privileges.
Copy link
Member

@neersighted neersighted Aug 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might not hurt to link to It might not hurt to link to https://docs.kernel.org/userspace-api/no_new_privs.html here here.

This was referenced Aug 14, 2023
Merged
Merged
@dperny dperny force-pushed the add-seccomp-apparmor branch 2 times, most recently from 60bd24a to a68feeb Compare August 21, 2023 16:31
neersighted
neersighted suggested changes Aug 21, 2023
View reviewed changes
api/types.proto Outdated
}
ApparmorMode mode = 1;
}
ApparmorOpts apparmor = 4;
Copy link
Member

@neersighted neersighted Aug 21, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(All instances) probably should be AppArmor

api/types.proto
}
SELinuxContext selinux_context = 2 [(gogoproto.customname) = "SELinuxContext"];

message SeccompOpts {
Copy link
Member

@neersighted neersighted Aug 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add a doc-comment describing the field, and maybe linking to the Docker seccomp docs

api/types.proto Outdated
}
SeccompOpts seccomp = 3;

message ApparmorOpts {
Copy link
Member

@neersighted neersighted Aug 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto above

@dperny
Add support for seccomp, AppArmor, and no-new-privileges
39ce17a 
Adds support for seccomp profiles, AppArmor profiles, and the
no-new-privileges security options.

This rounds out the present functionality of the --security-opt flag
present for Docker containers.

Signed-off-by: Drew Erny <[email protected]>
@dperny dperny force-pushed the add-seccomp-apparmor branch from a68feeb to 39ce17a Compare August 22, 2023 16:09
neersighted
neersighted approved these changes Aug 22, 2023
View reviewed changes
Copy link
Member

@neersighted neersighted left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, is this ready to come out of draft?

@dperny dperny marked this pull request as ready for review August 23, 2023 15:55
@dperny dperny merged commit 12f0c24 into moby:master Aug 23, 2023
This was referenced Aug 24, 2023
Closed
Closed
@thaJeztah thaJeztah mentioned this pull request Dec 14, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah left review comments

+1 more reviewer

@neersighted neersighted neersighted approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dperny @codecov-commenter @neersighted @thaJeztah