[lxc-devel] [PATCH 1/1] apparmor: prevent force umount
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Dec 18 17:31:57 UTC 2014
Never mind, this won't work until apparmor gets some changes.
Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> it will cause hangup of the fuse fs on host.
>
> Note we could limit this to fuse filesystems only, but I can't see a
> good reason to allow force umount from container at all at the moment.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
> config/apparmor/abstractions/container-base | 3 +++
> config/apparmor/abstractions/container-base.in | 3 +++
> 2 files changed, 6 insertions(+)
>
> diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
> index 2d5fd7a..4faed77 100644
> --- a/config/apparmor/abstractions/container-base
> +++ b/config/apparmor/abstractions/container-base
> @@ -3,6 +3,9 @@
> file,
> umount,
>
> + # prevent containers from causing nfs/fuse hangup on host
> + deny umount options=(force),
> +
> # dbus, signal, ptrace and unix are only supported by recent apparmor
> # versions. Comment them if the apparmor parser doesn't recognize them.
>
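Review bot: the new `deny umount options=(force),` line relies on AppArmor honoring an `options=` condition on umount rules, and the follow-up at the top of this message says that support does not exist yet, so as written the rule is inert and should either be held until the AppArmor side lands or carry a comment stating that dependency. Placement after the broad `umount,` allow is fine, since AppArmor deny rules take precedence over allow rules regardless of order. The in-profile comment also says "nfs/fuse" while the commit message only talks about the fuse filesystem; align the two so the rationale is consistent, e.g. `# prevent force umount from hanging fuse/nfs mounts on the host`.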
> diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
> index 2065735..56f4da9 100644
> --- a/config/apparmor/abstractions/container-base.in
> +++ b/config/apparmor/abstractions/container-base.in
> @@ -3,6 +3,9 @@
> file,
> umount,
>
> + # prevent containers from causing nfs/fuse hangup on host
> + deny umount options=(force),
> +
> # dbus, signal, ptrace and unix are only supported by recent apparmor
> # versions. Comment them if the apparmor parser doesn't recognize them.
>
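Review bot: this hunk is byte-for-byte the same as the one in container-base, and the `.in` suffix suggests container-base is produced from this template; confirm that the build regenerates container-base from container-base.in so the two copies cannot drift, and if it does, drop the hand edit to the generated file from the patch and let the build produce it.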
> --
> 2.1.0
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel