apparmor: add read permission for executables

kubernetes-sigs · Nov 14, 2024 · 8a27caa · 8a27caa
1 parent b2ff988
commit 8a27caa
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/examples/apparmorprofile-sleep.yaml b/examples/apparmorprofile-sleep.yaml
@@ -6,7 +6,7 @@ policy: |2
 
     # Executable rules
 
-    /bin/busybox ix,
+    /bin/busybox ixr,
 
 
     /lib/ld-musl-x86_64.so.1 mr,

diff --git a/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go b/internal/pkg/daemon/apparmorprofile/crd2armor/crd2armor.go
@@ -32,7 +32,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 
   # Executable rules
 {{ if ne .Abstract.Executable nil }}{{ if ne .Abstract.Executable.AllowedExecutables nil }}
-{{range $allowed := .Abstract.Executable.AllowedExecutables}}  {{$allowed}} ix,
+{{range $allowed := .Abstract.Executable.AllowedExecutables}}  {{$allowed}} ixr,
 {{end}}{{end}}
 {{ if ne .Abstract.Executable.AllowedLibraries nil }}
 {{range $allowedlib := .Abstract.Executable.AllowedLibraries}}  {{$allowedlib}} mr,