Merge pull request #9 from moby/apparmor_tweak_description

thaJeztah · web-flow · commit 935f56cec625 · 2026-02-19T14:41:10.000+01:00
apparmor: sync ptrace rule formatting and comment with containerd
diff --git a/apparmor/template.go b/apparmor/template.go
@@ -65,7 +65,8 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   deny /sys/devices/virtual/powercap/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
-  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
-  ptrace (trace,read,tracedby,readby) peer={{.Name}},
+  # allow processes within the container to trace each other,
+  # provided all other LSM and yama setting allow it.
+  ptrace (trace,tracedby,read,readby) peer={{.Name}},
 }
 `

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,8 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {`
`65`	`65`	`deny /sys/devices/virtual/powercap/** rwklx,`
`66`	`66`	`deny /sys/kernel/security/** rwklx,`
`67`	`67`
`68`		`- # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container`
`69`		`- ptrace (trace,read,tracedby,readby) peer={{.Name}},`
	`68`	`+ # allow processes within the container to trace each other,`
	`69`	`+ # provided all other LSM and yama setting allow it.`
	`70`	`+ ptrace (trace,tracedby,read,readby) peer={{.Name}},`
`70`	`71`	`}`
`71`	`72`	`