Update how to set up a policy namespace for containers

John Johansen 2019-05-02 16:58:13 +00:00
parent f5cf417b0c
commit 751e52af0c

@ -22,9 +22,14 @@ Nesting requirement with user namespaces
# Stacking Kernel Requirements
Caveat: Audit subsystem is not namespaced
##
* Authority to create a policy namespace and
## Authority to create a policy namespace
* kernels up to ??? require capability MAC_ADMIN in the user namespace.
* kernels ??? relax this to apparmor policy admin capable due to interaction with other LSMs mediating capability MAC_ADMIN for control of their own policy. IF unconfined apparmor policy admin capable may require cap MAC_ADMIN depending on how the current policy namespace is configured.
* kernels ??? add the ability for users to create/admin their own policy.
## Nesting Requirement
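Review bot: the three "kernels ???" bullets under "Authority to create a policy namespace" leave the version boundaries unfilled, so a reader cannot tell which kernel needs CAP_MAC_ADMIN, which accepts "apparmor policy admin capable", and which allows users to create and administer their own policy; replace each "???" with the kernel version (or mark it explicitly as "TBD, version to be confirmed") before this lands. The second bullet is also hard to parse: "IF unconfined apparmor policy admin capable may require cap MAC_ADMIN depending on how the current policy namespace is configured." reads better as something like "If unconfined, being apparmor policy admin capable may still require CAP_MAC_ADMIN, depending on how the current policy namespace is configured.", and the capability should be spelled consistently as CAP_MAC_ADMIN rather than "capability MAC_ADMIN" and "cap MAC_ADMIN". Finally, the bare "##" line above the new "## Authority to create a policy namespace" heading looks like a leftover empty heading and should probably be dropped along with the truncated "* Authority to create a policy namespace and" bullet it appears to replace.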