On 2021/11/2 at 10:01 AM, Colin Watson wrote:
> I have a reproduction recipe that doesn't involve Salsa CI:

Great work! I also reproduced it following your steps.

> Interestingly, a bullseye VM does *not* exhibit the same issue, which
> suggests that it may be possible to track down a change to the kernel,
> AppArmor userspace, or Docker that fixed this (I'm guessing as to
> plausible packages). I haven't tried that yet since it's 2am here, but
> maybe somebody else can run with this.

It's the new version of Docker in bullseye that fixed this.

In bullseye, Docker has a docker-default profile for AppArmor[1], but this profile doesn't exist in buster.

In bullseye:

dmesg|grep docker-default
[ 6.693257] audit: type=1400 audit(1635230451.944:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=640 comm="apparmor_parser"

Running the aa-status command also lists the docker-default profile.

[1] https://docs.docker.com/engine/security/apparmor/

-- 
肖盛文 xiao sheng wen Faris Xiao
WeChat: atzlinux
《铜豌豆 Linux》https://www.atzlinux.com
A Debian-based Chinese-language Linux desktop operating system
Debian QA page: https://qa.debian.org/developer.php?login=atzlinux%40sina.com
GnuPG Public Key: 0x00186602339240CB
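The check described in the message above (look for a docker-default load record in the kernel log, then confirm the profile is listed), as an added example that is not part of the original message. The function names are hypothetical, and every sample except the dmesg line quoted in the message is constructed.

```shell
#!/bin/sh
# Added example: detect whether an AppArmor profile such as docker-default
# is loaded, from kernel log text and from the kernel's profile listing.

# Print the name= field of every AppArmor STATUS record on stdin whose
# operation is profile_load or profile_replace (dmesg / kern.log text).
loaded_profiles() {
    sed -nE 's/.*apparmor="STATUS" operation="profile_(load|replace)".* name="([^"]*)".*/\2/p'
}

# Print the mode of profile $1 from a listing in the "name (mode)" format of
# /sys/kernel/security/apparmor/profiles; $2 is the listing ("-" = stdin).
# Returns non-zero when the profile is not listed.
profile_mode() {
    awk -v want="$1" '
        { mode = $NF; sub(/ \([^()]*\)$/, "") }
        $0 == want { gsub(/[()]/, "", mode); print mode; found = 1 }
        END { exit(found ? 0 : 1) }
    ' "${2:-/sys/kernel/security/apparmor/profiles}"
}

# Log line quoted in the message above (bullseye).
BULLSEYE_LOG='[ 6.693257] audit: type=1400 audit(1635230451.944:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=640 comm="apparmor_parser"'
# Constructed samples, not captured from a real host.
BUSTER_LOG='[ 5.100000] audit: type=1400 audit(1635230000.000:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=600 comm="apparmor_parser"'
BULLSEYE_PROFILES='lsb_release (enforce)
docker-default (enforce)'
BUSTER_PROFILES='lsb_release (enforce)'

report() {  # $1 = label, $2 = kernel log text, $3 = profile listing
    if printf '%s\n' "$2" | loaded_profiles | grep -qx 'docker-default'; then
        echo "$1: kernel log shows docker-default being loaded"
    else
        echo "$1: no docker-default load record in kernel log"
    fi
    if mode=$(printf '%s\n' "$3" | profile_mode docker-default -); then
        echo "$1: docker-default listed, mode=$mode"
    else
        echo "$1: docker-default not listed"
    fi
}

report bullseye "$BULLSEYE_LOG" "$BULLSEYE_PROFILES"
report buster "$BUSTER_LOG" "$BUSTER_PROFILES"
```

On a live host the same functions can be fed real data with `dmesg | loaded_profiles` and `profile_mode docker-default`; reading the kernel's profile listing typically needs root.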