From 20b10481fde4564b589dcd72a3d91b2d19f7bf86 Mon Sep 17 00:00:00 2001
From: Joshua Powers <powersj@fastmail.com>
Date: Fri, 29 Sep 2023 04:20:45 -0600
Subject: [PATCH] docs(apparmor): Add page explaining apparmor denials (#14014)

---
 docs/APPARMOR.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 docs/APPARMOR.md

diff --git a/docs/APPARMOR.md b/docs/APPARMOR.md
new file mode 100644
index 000000000..6fc7f68d6
--- /dev/null
+++ b/docs/APPARMOR.md
@@ -0,0 +1,26 @@
+# AppArmor
+
+When running Telegraf under AppArmor users may see denial messages depending on
+the Telegraf plugins used and the AppArmor profile applied. Telegraf does not
+have control over the AppArmor profiles used. If users wish to address denials,
+then they must understand the collections made by their choice of Telegraf
+plugins, the denial messages, and the impact of changes to their AppArmor
+profiles.
+
+## Example Denial
+
+For example, users might see denial messages such as:
+
+```s
+type=AVC msg=audit(1588901740.036:2457789): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=9030 comm="telegraf" requested_mask="read" denied_mask="read" peer="unconfined"
+```
+
+In this case, Telegraf will also need the ability to ptrace(read). User's will
+first need to analyze the denial message for the operation and requested mask.
+Then consider if the required changes make sense. There may be additional
+denials even after initial changes.
+
+For more details around AppArmor settings and configuration, users can check out
+the `man 5 apparmor.d` man page on their system or the [AppArmor wiki][wiki].
+
+[wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/home