[lxc-devel] [lxc/lxc] dc8114: apparmor: don't allow mounting cgroupfs by default

GitHub noreply at github.com
Tue Apr 1 17:49:50 UTC 2014 

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: dc8114afd77801851c020fb49b81bb1bc7de0923
      https://github.com/lxc/lxc/commit/dc8114afd77801851c020fb49b81bb1bc7de0923
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M config/apparmor/profiles/lxc-default-with-nesting

  Log Message:
  -----------
  apparmor: don't allow mounting cgroupfs by default

Leave the line to do it (commented out) as some users may not be
using cgmanager, and may in fact still need those mounts.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 198b363fff1de9afcee2f26b9aa847316f589afe
      https://github.com/lxc/lxc/commit/198b363fff1de9afcee2f26b9aa847316f589afe
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-04-01 (Tue, 01 Apr 2014)

  Changed paths:
    M .gitignore
    M config/apparmor/Makefile.am
    A config/apparmor/README
    M config/apparmor/abstractions/container-base
    A config/apparmor/abstractions/container-base.in
    A config/apparmor/container-rules
    A config/apparmor/container-rules.base
    A config/apparmor/lxc-generate-aa-rules.py
    M src/tests/Makefile.am
    A src/tests/aa.c

  Log Message:
  -----------
  apparmor: auto-generate the blacklist rules

This uses the generate-apparmor-rules.py script I sent out some time
ago to auto-generate apparmor rules based on a higher level set of
block/allow rules.

Add apparmor policy testcase to make sure that some of the paths we
expect to be denied (and allowed) write access to are in fact in
effect in the final policy.

With this policy, libvirt in a container is able to start its
default network, which previously it could not.

v2: address feedback from stgraber
	  put lxc-generate-aa-rules.py into EXTRA_DIST
	  add lxc-test-apparmor, container-base and container-rules to .gitignore
	  take lxc-test-apparmor out of EXTRA_DIST
	  make lxc-generate-aa-rules.py pep8-compliant
	  don't automatically generate apparmor rules
	  This is only bc we can't be guaranteed that python3 will be
	  available.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/e6ee584a15ce...198b363fff1d

More information about the lxc-devel mailing list