Change default profile to unconfined; remove CheckProfileAndLoadDefault
Set the default AppArmor profile to unconfined; see the following
issues:

- containers#958
- containers/podman#15874

Based on the discussion there, distros that use AppArmor should supply
their own AppArmor profile and set it in a default containers.conf,
since there is no way to load AppArmor profiles rootlessly.
kernelmethod committed Jul 20, 2023
1 parent 4021c5f commit 51000ac
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions pkg/apparmor/apparmor.go
Expand Up @@ -2,16 +2,19 @@ package apparmor

import (
"errors"

"github.com/containers/common/version"
)

const (
// ProfilePrefix is used for version-independent presence checks.
ProfilePrefix = "containers-default-"

// Profile default name
Profile = ProfilePrefix + version.Version
// Default AppArmor profile used by containers; by default this is set to unconfined.
// To override this, distros should supply their own profile and specify it in a default
// containers.conf.
// See the following issues for more information:
// - https://github.com/containers/common/issues/958
// - https://github.com/containers/podman/issues/15874
Profile = "unconfined"
)

var (
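
Review bot: Setting `Profile = "unconfined"` at the end of the const block makes the package default fail open: wherever this constant is used as the default and containers.conf does not name a profile, containers get no AppArmor confinement, whereas the previous value was the versioned `ProfilePrefix + version.Version` profile name. Since the commit message shifts responsibility to distros, that change in default should be stated in the release notes and the containers.conf documentation, not only in this code comment. Two smaller points: the doc comment should start with the identifier per Go convention (for example "// Profile is the default AppArmor profile used by containers; ..."), which also removes the "Default ... by default" repetition, and `ProfilePrefix` is kept with its "presence checks" comment although `Profile` no longer derives from it, so either say what still uses it or remove it in a follow-up.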