[lxc-devel] [lxc/lxc] dc8114: apparmor: don't allow mounting cgroupfs by default
GitHub
noreply at github.com
Tue Apr 1 17:49:50 UTC 2014
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: dc8114afd77801851c020fb49b81bb1bc7de0923
https://github.com/lxc/lxc/commit/dc8114afd77801851c020fb49b81bb1bc7de0923
Author: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: 2014-04-01 (Tue, 01 Apr 2014)
Changed paths:
M config/apparmor/profiles/lxc-default-with-nesting
Log Message:
-----------
apparmor: don't allow mounting cgroupfs by default

Leave the line to do it (commented out) as some users may not be
using cgmanager, and may in fact still need those mounts.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>

Commit: 198b363fff1de9afcee2f26b9aa847316f589afe
https://github.com/lxc/lxc/commit/198b363fff1de9afcee2f26b9aa847316f589afe
Author: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: 2014-04-01 (Tue, 01 Apr 2014)
Changed paths:
M .gitignore
M config/apparmor/Makefile.am
A config/apparmor/README
M config/apparmor/abstractions/container-base
A config/apparmor/abstractions/container-base.in
A config/apparmor/container-rules
A config/apparmor/container-rules.base
A config/apparmor/lxc-generate-aa-rules.py
M src/tests/Makefile.am
A src/tests/aa.c
Log Message:
-----------
apparmor: auto-generate the blacklist rules

This uses the generate-apparmor-rules.py script I sent out some time
ago to auto-generate apparmor rules based on a higher level set of
block/allow rules.

Add apparmor policy testcase to make sure that some of the paths we
expect to be denied (and allowed) write access to are in fact in
effect in the final policy.

With this policy, libvirt in a container is able to start its
default network, which previously it could not.

v2: address feedback from stgraber
    put lxc-generate-aa-rules.py into EXTRA_DIST
    add lxc-test-apparmor, container-base and container-rules to .gitignore
    take lxc-test-apparmor out of EXTRA_DIST
    make lxc-generate-aa-rules.py pep8-compliant
    don't automatically generate apparmor rules
        This is only bc we can't be guaranteed that python3 will be
        available.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>

Compare: https://github.com/lxc/lxc/compare/e6ee584a15ce...198b363fff1d