containers / dnsname

name resolution for containers
Apache License 2.0

Security fix for AppArmor instructions #84

Closed cboltz closed 3 years ago

cboltz commented 3 years ago

`apparmor_parser -R $profile` unloads the dnsmasq profile - which also means dnsmasq becomes unconfined (= without AppArmor restrictions).

`apparmor_parser $profile` loads the profile, but it can't apply it to the already-running dnsmasq, so this instance stays unconfined.

Fix this security issue by using `apparmor_parser -r` (reload) which keeps running processes confined.

Fixes: https://github.com/containers/dnsname/issues/82
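
A check for the condition described in the pull request description above, added here as an example and not part of the PR or the dnsname project: it reads the AppArmor label of each running dnsmasq from `/proc/<pid>/attr/current` and flags any instance that is not in enforce mode. The function names and the optional proc-root argument (used to point the check at a fixture directory) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not project code): detect dnsmasq instances that were left
# unconfined, e.g. after a profile was removed and loaded again while the
# process kept running.

# classify_label LABEL
# Maps the contents of /proc/<pid>/attr/current to a confinement state.
classify_label() {
    case "$1" in
        unconfined)      echo unconfined ;;
        *" (enforce)")   echo enforce ;;
        *" (complain)")  echo complain ;;
        *)               echo other ;;
    esac
}

# check_confined NAME [PROC_ROOT]
# Prints "<pid> <state> <label>" for every process whose comm equals NAME.
# Returns 1 if any matching process is not in enforce mode, 0 otherwise.
# PROC_ROOT defaults to /proc (hypothetical override for testing).
check_confined() {
    name=$1
    root=${2:-/proc}
    rc=0
    for dir in "$root"/[0-9]*; do
        # Skip entries that vanished or that we are not allowed to read.
        [ -r "$dir/comm" ] && [ -r "$dir/attr/current" ] || continue
        [ "$(cat "$dir/comm" 2>/dev/null)" = "$name" ] || continue
        # The read fails when AppArmor is not enabled; skip in that case.
        label=$(cat "$dir/attr/current" 2>/dev/null) || continue
        state=$(classify_label "$label")
        echo "${dir##*/} $state $label"
        [ "$state" = enforce ] || rc=1
    done
    return $rc
}

# Usage: check_confined dnsmasq || echo "unconfined dnsmasq found; restart it"
```

A process that is already running unconfined only picks up the profile when it is started again, so a non-zero result here means that instance needs a restart after the profile is loaded.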

rhatdan commented 3 years ago

Thanks @cboltz

You need to sign your commits

`git commit -a --amend -s`

`git push --force`

LGTM

rhatdan commented 3 years ago

/approve @Luap99 PTAL

openshift-ci[bot] commented 3 years ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cboltz, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/containers/dnsname/blob/main/OWNERS)~~ [rhatdan]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment

mheon commented 3 years ago

/lgtm