diff --git a/apparmor/template.go b/apparmor/template.go index 201bb71..4694a6c 100644 --- a/apparmor/template.go +++ b/apparmor/template.go @@ -32,6 +32,8 @@ profile "{{.Name}}" flags=(attach_disconnected,mediate_deleted) { {{- end}}{{if .InnerImports}} {{end}} network, + # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/ + deny network alg, capability, file, umount, diff --git a/apparmor/testdata/default.golden b/apparmor/testdata/default.golden index b029d28..ad47f53 100644 --- a/apparmor/testdata/default.golden +++ b/apparmor/testdata/default.golden @@ -5,6 +5,8 @@ profile "default" flags=(attach_disconnected,mediate_deleted) { network, + # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/ + deny network alg, capability, file, umount, diff --git a/apparmor/testdata/with-abstractions-base.golden b/apparmor/testdata/with-abstractions-base.golden index e4e355b..af1f617 100644 --- a/apparmor/testdata/with-abstractions-base.golden +++ b/apparmor/testdata/with-abstractions-base.golden @@ -7,6 +7,8 @@ profile "abstractions-base" flags=(attach_disconnected,mediate_deleted) { #include network, + # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/ + deny network alg, capability, file, umount, diff --git a/apparmor/testdata/with-api3.golden b/apparmor/testdata/with-api3.golden index a796392..66a59a6 100644 --- a/apparmor/testdata/with-api3.golden +++ b/apparmor/testdata/with-api3.golden @@ -5,6 +5,8 @@ abi , profile "with-api3" flags=(attach_disconnected,mediate_deleted) { network, + # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/ + deny network alg, capability, file, umount, diff --git a/apparmor/testdata/with-custom-imports.golden b/apparmor/testdata/with-custom-imports.golden index 46a200b..23f35e5 100644 --- a/apparmor/testdata/with-custom-imports.golden +++ b/apparmor/testdata/with-custom-imports.golden 
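Review bot: The added `deny network alg,` in the `apparmor/template.go` hunk is an explicit deny, so it overrides both the blanket `network,` allow above it and any allow rule pulled in through `.InnerImports`; a workload that legitimately opens AF_ALG sockets cannot opt back in from this template, and the comment should say so. AppArmor does not log rejections from a plain `deny` rule by default, so blocked attempts will be invisible to detection; use `audit deny network alg,` if they should reach the audit log. The rationale sits only behind an external link, so I would state it in place, for example `# Deny AF_ALG sockets (Linux kernel crypto API) for every container using this profile; an explicit deny cannot be re-allowed by imports. See https://copy.fail/`. The rule only has effect on hosts where AppArmor is enabled and mediates network address families, and the diff does not show whether a matching seccomp restriction exists, so that is worth confirming. The template string begins and ends outside the hunk.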
@@ -7,6 +7,8 @@ profile "custom-imports" flags=(attach_disconnected,mediate_deleted) { network, + # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/ + deny network alg, capability, file, umount, diff --git a/apparmor/testdata/with-custom-inner-imports.golden b/apparmor/testdata/with-custom-inner-imports.golden index ec1d975..4fa5c9a 100644 --- a/apparmor/testdata/with-custom-inner-imports.golden +++ b/apparmor/testdata/with-custom-inner-imports.golden @@ -8,6 +8,8 @@ profile "custom-inner-imports" flags=(attach_disconnected,mediate_deleted) { #include network, + # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/ + deny network alg, capability, file, umount, diff --git a/apparmor/testdata/with-daemon-profile.golden b/apparmor/testdata/with-daemon-profile.golden index f1fb4a5..a4c7a09 100644 --- a/apparmor/testdata/with-daemon-profile.golden +++ b/apparmor/testdata/with-daemon-profile.golden @@ -5,6 +5,8 @@ profile "with-daemon-profile" flags=(attach_disconnected,mediate_deleted) { network, + # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/ + deny network alg, capability, file, umount, diff --git a/apparmor/testdata/with-spaces.golden b/apparmor/testdata/with-spaces.golden index 73298eb..0d164cf 100644 --- a/apparmor/testdata/with-spaces.golden +++ b/apparmor/testdata/with-spaces.golden @@ -5,6 +5,8 @@ profile "Profile with spaces" flags=(attach_disconnected,mediate_deleted) { network, + # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/ + deny network alg, capability, file, umount, diff --git a/apparmor/testdata/with-tunables.golden b/apparmor/testdata/with-tunables.golden index ad17c21..bb862e9 100644 --- a/apparmor/testdata/with-tunables.golden +++ b/apparmor/testdata/with-tunables.golden @@ -5,6 +5,8 @@ profile "tunables" flags=(attach_disconnected,mediate_deleted) { network, + # Disallow AF_ALG (Linux kernel crypto API); see https://copy.fail/ + deny network alg, capability, file, umount,