[lxc-devel] [PATCH 1/1] apparmor: prevent force umount
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Dec 18 17:23:51 UTC 2014
It will cause the fuse fs on the host to hang.
Note we could limit this to fuse filesystems only, but I can't see a
good reason to allow force umount from a container at all at the moment.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
config/apparmor/abstractions/container-base | 3 +++
config/apparmor/abstractions/container-base.in | 3 +++
2 files changed, 6 insertions(+)
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
index 2d5fd7a..4faed77 100644
--- a/config/apparmor/abstractions/container-base
+++ b/config/apparmor/abstractions/container-base
@@ -3,6 +3,9 @@
file,
umount,
+ # prevent containers from causing nfs/fuse hangup on host
+ deny umount options=(force),
+
# dbus, signal, ptrace and unix are only supported by recent apparmor
# versions. Comment them if the apparmor parser doesn't recognize them.
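Review bot: the new comment ("nfs/fuse hangup") and the commit message ("hangup of the fuse fs") do not agree on which filesystems motivate the rule; pick one and state it in both places. Also, since the comment two lines below warns that some rule types are only understood by recent apparmor versions, say whether `deny umount options=(force),` has the same caveat: if an older parser does not recognise the `options=(force)` condition on a umount rule, the whole profile fails to load rather than just losing this one restriction, and the existing "Comment them if the apparmor parser doesn't recognize them" note should then cover this rule as well.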
diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
index 2065735..56f4da9 100644
--- a/config/apparmor/abstractions/container-base.in
+++ b/config/apparmor/abstractions/container-base.in
@@ -3,6 +3,9 @@
file,
umount,
+ # prevent containers from causing nfs/fuse hangup on host
+ deny umount options=(force),
+
# dbus, signal, ptrace and unix are only supported by recent apparmor
# versions. Comment them if the apparmor parser doesn't recognize them.
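Review bot: the deny rule sits directly under an unconditional `umount,` allow, so it only has effect because AppArmor deny rules override allow rules regardless of order; a short comment saying so (e.g. "deny overrides the umount allow above") would keep a later reader from "fixing" the ordering or dropping the deny as redundant. This hunk is otherwise identical to the one in container-base, which is what is wanted if container-base is generated from the .in file; keep the two in step in any follow-up.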
--
2.1.0