# Apptainer Execution Control List config file
#
# This file describes execution groups in which SIF files are checked for
# authorized loading/execution. The decision is made by validating both the
# location of the sif file in the file system and by checking against a list of
# signing entities.
#
# *****************************************************************************
# WARNING
#
# The ECL is not effective if unprivileged user namespaces are enabled. It is
# only effectively applied when Apptainer is running using the native runtime
# in setuid mode, and unprivileged container execution is not possible on the
# host.
#
# You must disable unprivileged user namespace creation on the host if you rely
# on the ECL to limit container execution.
#
# The ECL only applies to SIF container images. To block execution of other
# images (e.g. ext3 or sandbox containers), you must also disable them in
# apptainer.conf
#
# See the 'Security' and 'Configuration Files' sections of the Admin Guide for
# more information.
# *****************************************************************************
#
# The current possible list modes are: whitelist, whitestrict and blacklist.
#
# Example:
#
#activated = true
#
#[[execgroup]]
#  tagname = "group1"
#  mode = "whitestrict"
#  dirpath = "/var/cache/containers"
#  keyfp = ["5994BE54C31CF1B5E1994F987C52CF6D055F072B","7064B1D6EFF01B1262FED3F03581D99FE87EAFD1"]
#
#[[execgroup]]
#  tagname = "group2"
#  mode = "whitelist"
#  dirpath = "/tmp/containers"
#  keyfp = ["7064B1D6EFF01B1262FED3F03581D99FE87EAFD1"]
#
# The above example defines 2 execution groups (dirpath: /var/cache/containers
# and /tmp/containers), in which only SIF files signed with both Key IDs
# 055F072B and E87EAFD1 may run if started from /var/cache/containers and only
# SIF files signed with Key ID E87EAFD1 may run if started from /tmp/containers.
#

activated = false