[lxc-devel] [lxd/master] Enable stacking for privileged containers
stgraber on Github
lxc-bot at linuxcontainers.org
Wed Apr 5 16:32:19 UTC 2017
From feed2a8e76d07a080086d1acf2f9d39f60621e4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 5 Apr 2017 12:24:33 -0400
Subject: [PATCH] Enable stacking for privileged containers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/apparmor.go | 10 ++--------
lxd/container_lxc.go | 4 ++--
2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index 89881a8..b11be5b 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -320,12 +320,7 @@ func getAAProfileContent(c container) string {
if aaStacking {
profile += "\n ### Feature: apparmor stacking\n"
-
- if c.IsPrivileged() {
- profile += "\n ### Configuration: apparmor loading disabled in privileged containers\n"
- profile += " deny /sys/k*{,/**} rwklx,\n"
- } else {
- profile += ` ### Configuration: apparmor loading in unprivileged containers
+ profile += ` ### Configuration: apparmor profile loading (in namespace)
deny /sys/k[^e]*{,/**} wklx,
deny /sys/ke[^r]*{,/**} wklx,
deny /sys/ker[^n]*{,/**} wklx,
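Review bot: The new header comment at the top of the stacking block drops the old explanation of why policy loading was disabled for privileged containers but adds nothing saying why it is now considered safe for them, so the next reader has to reconstruct the reasoning from git history. Presumably the argument is that with stacking the in-namespace policy cannot loosen the parent profile, but that is inferred, not stated. I would widen the comment to record it, e.g. `### Configuration: apparmor profile loading (in namespace; applies to privileged containers too, which rely on stacking to keep in-namespace policy from relaxing this profile)`. The enclosing getAAProfileContent starts outside the hunk and the raw string opened on the `+` line continues into the next hunk.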
@@ -351,8 +346,7 @@ func getAAProfileContent(c container) string {
deny /sys/kernel/security?*{,/**} wklx,
deny /sys/kernel?*{,/**} wklx,
`
- profile += fmt.Sprintf(" change_profile -> \":%s://*\",\n", AANamespace(c))
- }
+ profile += fmt.Sprintf(" change_profile -> \":%s://*\",\n", AANamespace(c))
} else {
profile += "\n ### Feature: apparmor stacking (not present)\n"
profile += " deny /sys/k*{,/**} rwklx,\n"
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index df710be..f9666ab 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -718,7 +718,7 @@ func (c *containerLXC) initLXC() error {
// Base config
toDrop := "sys_time sys_module sys_rawio"
- if !aaStacking || c.IsPrivileged() {
+ if !aaStacking {
toDrop = toDrop + " mac_admin mac_override"
}
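Review bot: With this condition a privileged container keeps both mac_admin and mac_override whenever stacking is available, yet as far as I can tell AppArmor gates policy management on CAP_MAC_ADMIN alone, with CAP_MAC_OVERRIDE used by other LSMs; if that holds against the kernel's apparmor policy-admin checks, mac_override can stay dropped unconditionally: `toDrop := "sys_time sys_module sys_rawio mac_override"` followed by `if !aaStacking { toDrop = toDrop + " mac_admin" }`. Either way the new condition deserves a why-comment, e.g. `// mac_admin is required for in-namespace apparmor policy loading, so it is only retained when stacking confines the container`. initLXC starts and ends outside the hunk.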
@@ -937,7 +937,7 @@ func (c *containerLXC) initLXC() error {
* the old way of nesting, i.e. using the parent's
* profile.
*/
- if aaStacking && (!c.IsNesting() || !c.IsPrivileged()) {
+ if aaStacking {
profile = fmt.Sprintf("%s//&:%s:", profile, AANamespace(c))
}
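Review bot: The comment ending just above the condition (its start is outside the hunk) still describes the nesting exception — "the old way of nesting, i.e. using the parent's profile" — that the new `if aaStacking` no longer implements, so it now documents a branch that does not exist. Either drop that paragraph or replace it with a line stating the new rule, e.g. `// With stacking every container, privileged and nesting ones included, gets its own apparmor namespace.`. initLXC continues beyond the hunk.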