[lxc-devel] [lxc/master] apparmor: account for specified rootfs path (closes #2617)
CameronNemo on Github
lxc-bot at linuxcontainers.org
Tue Sep 18 01:38:48 UTC 2018
From 9b23db33006413ea342061a85c650bbe475f3596 Mon Sep 17 00:00:00 2001
From: Cameron Nemo <camerontnorman at gmail.com>
Date: Mon, 17 Sep 2018 18:37:57 -0700
Subject: [PATCH] apparmor: account for specified rootfs path (closes #2617)
Signed-off-by: Cameron Nemo <camerontnorman at gmail.com>
---
.gitignore | 1 +
.../abstractions/{start-container => start-container.in} | 2 ++
configure.ac | 7 ++++---
3 files changed, 7 insertions(+), 3 deletions(-)
rename config/apparmor/abstractions/{start-container => start-container.in} (95%)
diff --git a/.gitignore b/.gitignore
index 0d266c200..45377714c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -111,6 +111,7 @@ config/ltmain.sh
config/missing
config/libtool.m4
config/lt*.m4
+config/apparmor/abstractions/start-container
config/bash/lxc
config/init/common/lxc-containers
config/init/common/lxc-net
diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container.in
similarity index 95%
rename from config/apparmor/abstractions/start-container
rename to config/apparmor/abstractions/start-container.in
index 3df9883e3..f2b48235d 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container.in
@@ -11,6 +11,7 @@
# currently blocked by apparmor bug
mount -> /usr/lib*/*/lxc/{**,},
mount -> /usr/lib*/lxc/{**,},
+ mount -> @LXCROOTFSMOUNT@/{,**},
mount fstype=devpts -> /dev/pts/,
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=bind /dev/pts/** -> /dev/**,
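Review bot: The new `mount -> @LXCROOTFSMOUNT@/{,**},` rule permits a mount of any filesystem type with any options onto the configured rootfs path and everything beneath it, so the profile becomes only as tight as whatever `--with-rootfs-path` was set to at build time; a broad value (a shared directory rather than a dedicated rootfs mount point) widens what a starting container may mount without any further check. The value is also pasted into the profile verbatim: a trailing slash would produce `//`, and AppArmor glob characters (`*`, `?`, `{`, `[`) in it would be read as patterns rather than literal path components — whether configure.ac normalizes the path before substitution is not visible in this patch. A comment above the rule would make that trust boundary explicit: `  # rootfs mount point from --with-rootfs-path; keep it a dedicated, literal (non-glob) directory`. Minor style point: the added line uses `{,**}` while the two lines above use `{**,}`; both are equivalent alternations, but one spelling makes the block easier to audit.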
@@ -38,6 +39,7 @@
pivot_root /usr/lib*/*/lxc/,
pivot_root /usr/lib*/lxc/**,
pivot_root /usr/lib*/*/lxc/**,
+ pivot_root @LXCROOTFSMOUNT@/{,**},
change_profile -> lxc-*,
change_profile -> lxc-**,
diff --git a/configure.ac b/configure.ac
index 92d6601d7..ba44770dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -202,9 +202,9 @@ AC_ARG_ENABLE([doc],
if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then
db2xman=""
- dbparsers="docbook2X2man docbook2x-man db2x_docbook2man docbook2man docbook-to-man"
+ dbparsers="docbook2X2man docbook2man db2x_docbook2man docbook2man docbook-to-man"
- AC_MSG_CHECKING(for docbook2x-man)
+ AC_MSG_CHECKING(for docbook2man)
for name in ${dbparsers}; do
if "$name" --help >/dev/null 2>&1; then
db2xman="$name"
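Review bot: The rewritten `dbparsers=` line now lists `docbook2man` twice and drops `docbook2x-man`, the candidate the original list relied on, so hosts that only ship `docbook2x-man` lose man-page generation, or fail outright with `--enable-doc` — and this change is unrelated to the rootfs-path fix in the subject. If the intent was to add `docbook2man` as an extra candidate, keep the old name instead of replacing it: `dbparsers="docbook2X2man docbook2x-man db2x_docbook2man docbook2man docbook-to-man"`. The `AC_MSG_CHECKING` label (and the error message in the next hunk) name a single tool while the loop accepts any of five; something like `AC_MSG_CHECKING(for a docbook-to-man converter)` would describe what is actually tested. The enclosing `if test "x$enable_doc" ...` block continues past the end of this hunk.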
@@ -218,7 +218,7 @@ if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then
else
AC_MSG_RESULT([no])
if test "x$enable_doc" = "xyes"; then
- AC_MSG_ERROR([docbook2x-man is required, but could not be found])
+ AC_MSG_ERROR([docbook2man is required, but could not be found])
fi
enable_doc="no"
fi
@@ -714,6 +714,7 @@ AC_CONFIG_FILES([
config/Makefile
config/apparmor/Makefile
+ config/apparmor/abstractions/start-container
config/selinux/Makefile
config/bash/Makefile
config/bash/lxc