CL-Softwares
/
telegraf
8
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs(apparmor): Add page explaining apparmor denials (#14014)

This commit is contained in:
Joshua Powers 2023-09-29 04:20:45 -06:00 committed by GitHub
parent 0deb3d5047
commit 20b10481fd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
docs/APPARMOR.md Normal file
View File

@ -0,0 +1,26 @@
# AppArmor
When running Telegraf under AppArmor users may see denial messages depending on
the Telegraf plugins used and the AppArmor profile applied. Telegraf does not
have control over the AppArmor profiles used. If users wish to address denials,
then they must understand the collections made by their choice of Telegraf
plugins, the denial messages, and the impact of changes to their AppArmor
profiles.
## Example Denial
For example, users might see denial messages such as:
```s
type=AVC msg=audit(1588901740.036:2457789): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=9030 comm="telegraf" requested_mask="read" denied_mask="read" peer="unconfined"
```
In this case, Telegraf will also need the ability to ptrace(read). User's will
first need to analyze the denial message for the operation and requested mask.
Then consider if the required changes make sense. There may be additional
denials even after initial changes.
For more details around AppArmor settings and configuration, users can check out
the `man 5 apparmor.d` man page on their system or the [AppArmor wiki][wiki].
[wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/home