diff --git a/README.md b/README.md index ff10559..c19b73e 100644 --- a/README.md +++ b/README.md @@ -95,7 +95,7 @@ AppArmor is a Mandatory Access Control Linux security module that can be used to It is much more secure than Docker and I recommend using AppArmor instead of Docker for isolation, mainly because: - Docker is not designed for security but for convenience. -- Docker only creates a new namespace but do not actually police the actions of the task. +- Docker only creates a new namespace but do not actually police the actions of the task and will expose much more kernel interfaces to the task. - There is no dynamic privilege reduction in Docker, so if the image parsing is compromised at the very least your whole container is compromised. - AFAIK there are no known bypasses for AppArmor, but there are known bypasses for Docker. diff --git a/mac/apparmor/yumechi-no-kuni-proxy-worker b/mac/apparmor/yumechi-no-kuni-proxy-worker index f4e7516..186c712 100644 --- a/mac/apparmor/yumechi-no-kuni-proxy-worker +++ b/mac/apparmor/yumechi-no-kuni-proxy-worker @@ -72,7 +72,7 @@ profile yumechi-no-kuni-proxy-worker @{prog_path} { deny network (bind) udp, /{,usr/}{,local/}{,s}bin/@{prog} ixr, - owner /var/lib/@{prog}/{,bin}/@{prog} ixr, + owner /var/lib/@{prog}/{,bin/}@{prog} ixr, signal (send, receive) set=int,term,kill peer=yume-proxy-workers//serve, signal (send) set=int,term,kill,usr1 peer=yume-proxy-workers//serve//image, diff --git a/src/lib.rs b/src/lib.rs index ad6c5c5..1f960a5 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -822,10 +822,10 @@ pub struct App { } #[cfg(feature = "env-local")] -/// Register cancel handler for threads that has ran away for some reason +/// Register cancel handler for threads that has ran away for some reason and multiple dirty terminations has occurred /// /// This should only happen when some kind of malformed input is happening that causes the image parser to hang -/// without triggering the resource limits. +/// without triggering the resource limits, as a last resort. #[allow(unsafe_code)] pub fn register_cancel_handler() { static STRIKES: AtomicU64 = AtomicU64::new(0);