[lxc-devel] [PATCH 1/1] apparmor: allow writes to sem* and msg* sysctls
Stéphane Graber
stgraber at ubuntu.com
Tue Apr 29 21:13:22 UTC 2014
On Tue, Apr 29, 2014 at 08:02:32PM +0000, Serge Hallyn wrote:
> /proc/sys/kernel/sem* and /proc/sys/kernel/msg* are ipc sysctls
> which are properly namespaced. Allow writes to them from
> containers.
>
> Reported-by: Dan Kegel <dank at kegel.com>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> config/apparmor/abstractions/container-base | 9 +++++++--
> config/apparmor/container-rules | 9 +++++++--
> config/apparmor/container-rules.base | 2 ++
> 3 files changed, 16 insertions(+), 4 deletions(-)
>
> diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
> index c109baa..71e9348 100644
> --- a/config/apparmor/abstractions/container-base
> +++ b/config/apparmor/abstractions/container-base
> @@ -55,7 +55,7 @@
> deny /proc/sys/ker[^n]*{,/**} wklx,
> deny /proc/sys/kern[^e]*{,/**} wklx,
> deny /proc/sys/kerne[^l]*{,/**} wklx,
> - deny /proc/sys/kernel/[^shd]*{,/**} wklx,
> + deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
> deny /proc/sys/kernel/d[^o]*{,/**} wklx,
> deny /proc/sys/kernel/do[^m]*{,/**} wklx,
> deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
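Review bot: with `m` added to the negated class in `deny /proc/sys/kernel/[^smhd]*{,/**} wklx,`, this rule no longer blocks any name that begins with `m`, so write protection for every other `m*` sysctl under /proc/sys/kernel now rests entirely on the `m[^s]*` and `ms[^g]*` rules added in the next hunk; the two hunks must travel together if this is ever split or backported. One property of the generated chain worth knowing: `m[^s]*` requires at least one character after the `m`, so a path that is exactly `/proc/sys/kernel/m` (likewise `ms` and `se`) is matched by no deny rule at all, which is the same gap the existing `s`/`sh` chain already has. No sysctl with such a name exists, so this is a note rather than a blocker.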
> @@ -74,7 +74,12 @@
> deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
> deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
> deny /proc/sys/kernel/hostname?*{,/**} wklx,
> - deny /proc/sys/kernel/s[^h]*{,/**} wklx,
> + deny /proc/sys/kernel/m[^s]*{,/**} wklx,
> + deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
> + deny /proc/sys/kernel/msg*/** wklx,
> + deny /proc/sys/kernel/s[^he]*{,/**} wklx,
> + deny /proc/sys/kernel/se[^m]*{,/**} wklx,
> + deny /proc/sys/kernel/sem*/** wklx,
> deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
> deny /proc/sys/kernel/shm*/** wklx,
> deny /proc/sys/kernel?*{,/**} wklx,
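Review bot: `deny /proc/sys/kernel/sem*/** wklx,` and `deny /proc/sys/kernel/msg*/** wklx,` deny only the subtrees, so the net effect of this hunk is that every entry whose name starts with `sem` or `msg`, present or future, becomes writable from the container. The commit message justifies this by the sem*/msg* sysctls being namespaced; that justification has to hold for the whole prefix, not only the tunables in use today, so consider stating in the commit message which entries were checked and where in the kernel the IPC sysctl table lives, so the prefix can be re-verified when new sysctls appear. The `{,/**}` versus `/**` distinction is consistent with the existing `shm*` handling, which is good.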
> diff --git a/config/apparmor/container-rules b/config/apparmor/container-rules
> index 2c8c0b4..ea5c408 100644
> --- a/config/apparmor/container-rules
> +++ b/config/apparmor/container-rules
> @@ -5,7 +5,7 @@
> deny /proc/sys/ker[^n]*{,/**} wklx,
> deny /proc/sys/kern[^e]*{,/**} wklx,
> deny /proc/sys/kerne[^l]*{,/**} wklx,
> - deny /proc/sys/kernel/[^shd]*{,/**} wklx,
> + deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
> deny /proc/sys/kernel/d[^o]*{,/**} wklx,
> deny /proc/sys/kernel/do[^m]*{,/**} wklx,
> deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
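Review bot: this hunk is byte-for-byte identical to the one in abstractions/container-base above, which indicates both files are regenerated from container-rules.base rather than edited by hand; please say so in the commit message (or note the generator invocation used) so that the two copies are never hand-patched independently and allowed to drift apart.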
> @@ -24,7 +24,12 @@
> deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
> deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
> deny /proc/sys/kernel/hostname?*{,/**} wklx,
> - deny /proc/sys/kernel/s[^h]*{,/**} wklx,
> + deny /proc/sys/kernel/m[^s]*{,/**} wklx,
> + deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
> + deny /proc/sys/kernel/msg*/** wklx,
> + deny /proc/sys/kernel/s[^he]*{,/**} wklx,
> + deny /proc/sys/kernel/se[^m]*{,/**} wklx,
> + deny /proc/sys/kernel/sem*/** wklx,
> deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
> deny /proc/sys/kernel/shm*/** wklx,
> deny /proc/sys/kernel?*{,/**} wklx,
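Review bot: `deny /proc/sys/kernel/m[^s]*{,/**} wklx,` and `deny /proc/sys/kernel/s[^he]*{,/**} wklx,` are now the only rules standing between a container and the remaining `m*` and `s*` sysctls under /proc/sys/kernel, such as `modprobe` and `sysrq`, which are not namespaced. A short test in the commit message would make the intent verifiable: inside a container, `sysctl -w kernel.msgmax=...` and a write to `kernel.sem` should succeed, while writes to `kernel.modprobe` and `kernel.sysrq` must still be denied and show up as AppArmor DENIED audit records on the host.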
> diff --git a/config/apparmor/container-rules.base b/config/apparmor/container-rules.base
> index 615f015..a657481 100644
> --- a/config/apparmor/container-rules.base
> +++ b/config/apparmor/container-rules.base
> @@ -8,6 +8,8 @@ allow /sys/devices/virtual/net/**
> allow /sys/class/net/**
> block /proc/sys
> allow /proc/sys/kernel/shm*
> +allow /proc/sys/kernel/sem*
> +allow /proc/sys/kernel/msg*
> allow /proc/sys/kernel/hostname
> allow /proc/sys/kernel/domainname
> allow /proc/sys/net/**
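Review bot: `allow /proc/sys/kernel/sem*` and `allow /proc/sys/kernel/msg*` are the declarative source for the regex chains above, so this is where the rationale should be recorded: add a comment next to these lines (if the rule file syntax permits one) stating that the prefixes are opened because the IPC sysctls are per-ipc-namespace, matching the existing `shm*` allow, so that a later reader does not widen or drop the globs without knowing why they are safe.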
> --
> 1.9.1
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com