docs: Add AppArmor profile to task runner hardening guide#4682
Open
tomi wants to merge 1 commit into
Open
Conversation
its-imad
added
the
author:community
✅ Deploy Preview for n8n-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
No description provided. |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
No issues found across 1 file
Architecture diagram
sequenceDiagram
participant Runner as Task Runner Container
participant Kernel as AppArmor LSM
participant ProcFS as /proc Filesystem
participant Audit as Audit Log
Note over Runner,Audit: AppArmor Profile Enforcement Flow
Runner->>Kernel: Request read /proc/[pid]/environ
Kernel->>Kernel: Check AppArmor profile rules
alt Deny rule matches
Kernel->>Audit: Log denied operation
Kernel-->>Runner: Permission denied
else No matching rule
Kernel->>ProcFS: Allow read
ProcFS-->>Runner: Environment variables (secrets)
end
Runner->>Kernel: Request read /proc/[pid]/mounts
Kernel->>Kernel: Check AppArmor profile rules
alt Deny rule matches
Kernel->>Audit: Log denied operation
Kernel-->>Runner: Permission denied
else No matching rule
Kernel->>ProcFS: Allow read
ProcFS-->>Runner: Mount info
end
Note over Runner,Kernel: Defence-in-depth: blocks secret leakage via /proc access at kernel level, before any container or language-level protection
Deploying n8n-docs with
|
| Latest commit: |
30818fc
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://c9160530.n8n-docs-d9c.pages.dev |
| Branch Preview URL: | https://tomi-task-runner-apparmor-pr.n8n-docs-d9c.pages.dev |
RoRoJ
added
author:internal
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/procfiles (environ,mounts) that could leak secrets to code running inside the containerTest plan
Summary by cubic
Add an AppArmor section to the task runner hardening guide to block access to sensitive /proc files and reduce secrets exposure. Includes an example rule (
audit deny @{PROC}/[0-9]*/{environ,mounts} rwl,) and links to AppArmor and Kubernetes docs.Written for commit 30818fc. Summary will update on new commits. Review in cubic