[lxc-devel] improving host-from-container protection for /sys

Serge Hallyn
serge.hallyn at ubuntu.com
Thu Feb  6 20:38:35 UTC 2014

Hi,
If you look at lxc/config/apparmor/abstractions/container-base, you see
at bottom a set of hand-written denials in an attempt to provide a
deny-by-default-with-whitelist behavior.  When I've wanted to add access
to /sys/class/net and such (for libvirtd in a container) it got ugly.
To address this I've written a python script to automate it.  Some
review would be appreciated.  The idea is that we will ship a simple
configuration like

    block /sys
    allow /sys/class/net/**
    allow /sys/fs/cgroup/**
    block /proc/sys/kernel
    allow /proc/sys/kernel/shm*

and have package builds generate an apparmor policy chunk from that.
The code and a readme are at
https://github.com/hallyn/generate_apparmor_rules
thanks,
-serge
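An added example of what such a generator has to do, written for this page; it is not the generate_apparmor_rules script from the post, nor lxc's own code. It assumes the `wklx` permission mask (the mask container-base uses for its hand-written /sys denials), assumes that `allow` only carves a path out of the deny set (the profile's broader allow rules then grant it), and uses the sample config from the post as its input. The `is_denied` self-check translates the generated globs into Python regexes so the output can be sanity-checked offline; that translator is a constructed approximation for the glob subset used here, not AppArmor's matcher.

```python
"""AppArmor deny-rule generator for a tiny block/allow whitelist.  Added for
this thread; not the generate_apparmor_rules script or any lxc code.  Assumed:
the 'wklx' mask container-base uses for its /sys denials, and that 'allow'
only carves a path out of the deny set (the profile's own rules grant it)."""
import re

_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+\*?$|^\*$")   # one sysfs/procfs entry
_TOKEN = re.compile(r"\*\*|[*?]|\[[^\]]*\]|\{[^}]*\}|.")  # AppArmor glob tokens
_FIXED = {"**": ".*", "*": "[^/]*", "?": "[^/]"}


def parse_config(text):
    """Return {block_root: tree}; a tree is {"kids": {name: tree}, "all": bool}."""
    lines = [l.split("#", 1)[0].split() for l in text.splitlines()]
    if any(len(l) != 2 or l[0] not in ("block", "allow") or l[1][0] != "/" for l in lines if l):
        raise ValueError("each line must be 'block /path' or 'allow /path'")
    lines = [(l[0], l[1].rstrip("/")) for l in lines if l]
    roots = {p: {"kids": {}, "all": False} for v, p in lines if v == "block"}
    for verb, path in lines:
        if verb != "allow":
            continue
        root = max((r for r in roots if path.startswith(r + "/")), key=len, default=None)
        if root is None:                           # longest block root containing it
            raise ValueError(f"{path} is not inside any blocked tree")
        node = roots[root]
        for comp in path[len(root) + 1:].split("/"):
            if comp == "**":                       # everything below is allowed
                node["all"] = True
                break
            if not _NAME_RE.match(comp):
                raise ValueError(f"unsupported path component {comp!r}")
            node = node["kids"].setdefault(comp, {"kids": {}, "all": False})
    return roots


def _deny_siblings(path, names, perms, out):
    """Deny each entry directly under `path` whose name is not whitelisted.  AppArmor
    has no negation, so "anything but these" is spelled out one character at a time
    with [^..] classes, as container-base does by hand.  'foo*' whitelists a prefix."""
    trie = {"": [set(), False, False]}    # prefix -> [next chars, terminal, open]
    for name in names:
        open_ = name.endswith("*")
        stem = name[:-1] if open_ else name
        for i, ch in enumerate(stem):
            trie[stem[:i]][0].add(ch)
            trie.setdefault(stem[:i + 1], [set(), False, False])
        trie[stem][1] |= not open_
        trie[stem][2] |= open_

    def walk(prefix):
        nexts, terminal, open_ = trie[prefix]
        if open_:
            return                        # prefix* is allowed: nothing to deny
        if nexts:                         # prefix + a char no allowed name has
            cls = "".join(sorted(nexts - {"-"})) + ("-" if "-" in nexts else "")
            out.append(f"deny {path}/{prefix}[^{cls}]*{{,/**}} {perms},")
        elif prefix:                      # longer names extending an allowed one
            out.append(f"deny {path}/{prefix}?*{{,/**}} {perms},")
        else:                             # nothing whitelisted at this level
            out.append(f"deny {path}/** {perms},")
        if prefix and not terminal:       # a bare proper prefix such as /sys/cla
            out.append(f"deny {path}/{prefix}{{,/**}} {perms},")
        for ch in sorted(nexts):
            walk(prefix + ch)
    walk("")


def generate(roots, perms="wklx"):
    """Return the AppArmor rule lines for every blocked tree."""
    out = []

    def visit(path, node):
        if not node["all"]:
            _deny_siblings(path, sorted(node["kids"]), perms, out)
            for name, child in sorted(node["kids"].items()):
                visit(f"{path}/{name}", child)
    for root in sorted(roots):
        out.append(f"# deny-by-default below {root} (generated)")
        visit(root, roots[root])
    return out


def _glob_to_regex(pat):
    """AppArmor glob subset used above -> Python regex, to check rules offline."""
    def tr(tok):
        if tok in _FIXED:
            return _FIXED[tok]
        if tok[0] == "[":                 # a [^..] class reads the same in regex
            return tok
        if tok[0] == "{":                 # {a,b} alternation
            return "(?:%s)" % "|".join(_glob_to_regex(a)[1:-1] for a in tok[1:-1].split(","))
        return re.escape(tok)
    return "^" + "".join(tr(t) for t in _TOKEN.findall(pat)) + "$"


def is_denied(rules, path):   # True if some generated deny rule matches `path`
    return any(re.match(_glob_to_regex(r.split()[1]), path) for r in rules if r.startswith("deny "))


EXAMPLE_CONFIG = ("block /sys\nallow /sys/class/net/**\nallow /sys/fs/cgroup/**\n"
                  "block /proc/sys/kernel\nallow /proc/sys/kernel/shm*\n")
```

`generate(parse_config(EXAMPLE_CONFIG))` yields the same shape of rules as the hand-written ones in container-base (`deny /sys/[^cf]*{,/**} wklx,`, `deny /sys/c[^l]*{,/**} wklx,`, ..., `deny /sys/class/net?*{,/**} wklx,`), 37 denies for the five-line config above, which is why automating it is worthwhile. Two points to keep in mind when reviewing the output: AppArmor deny rules always win over allow rules, so an over-broad generated deny cannot be repaired by a later allow in the same profile, only by fixing the whitelist; and a leaf allow without `**` (such as `shm*`) whitelists only those entries, with anything beneath them still denied. The regex self-check is for catching generator mistakes offline; the generated chunk still has to be loaded into a real profile and exercised in a container before shipping.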