[lxc-devel] improving host-from-container protection for /sys
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Feb 6 20:38:35 UTC 2014
Hi,
if you look at lxc/config/apparmor/abstractions/container-base, you see
at the bottom a set of hand-written denials in an attempt to provide a
deny-by-default-with-whitelist behavior. When I've wanted to add access
to /sys/class/net and such (for libvirtd in a container) it got ugly.
To address this I've written a python script to automate it. Some
review would be appreciated. The idea is that we will ship a simple
configuration like

    block /sys
    allow /sys/class/net/**
    allow /sys/fs/cgroup/**
    block /proc/sys/kernel
    allow /proc/sys/kernel/shm*

and have package builds generate an apparmor policy chunk from that.
The code and a readme are at
https://github.com/hallyn/generate_apparmor_rules
thanks,
-serge
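The block/allow configuration in the mail maps onto the character-by-character denials that container-base already carries (deny /sys/[^fc]*/**, deny /sys/c[^l]*/**, and so on): for every directory on an allowed path, deny every sibling name that diverges from the allowed names at each character position. The generator below is an added example written for this page, not the script in the linked repository. It assumes the block/allow syntax shown above, with a trailing ** meaning the whole subtree and a trailing * meaning a name prefix; it emits the wklx permission set used in container-base, so reads stay allowed and only write, lock, link and exec are denied; the glob-to-regex self-check is an approximation of AppArmor matching, and the sample config and paths are constructed.

```python
"""Generate AppArmor deny rules for 'block ROOT' + 'allow PATH' exceptions,
in the style of lxc/config/apparmor/abstractions/container-base.
Added example for this page; not the script from the mail."""
import re

# Constructed sample in the hypothetical block/allow mini-language.
SAMPLE_CONFIG = """\
block /sys
allow /sys/class/net/**
allow /sys/fs/cgroup/**
block /proc/sys/kernel
allow /proc/sys/kernel/shm*
"""

# One path component: a literal name, optionally with a trailing '*', or '**'.
COMPONENT_RE = re.compile(r"^[A-Za-z0-9_.\-]+\*?$|^\*\*$")


def parse_config(text):
    """Return {block_root: trie}; a trie is a nested dict keyed by component."""
    tries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, path = line.partition(" ")
        path = path.strip()
        if keyword == "block":
            current = path.rstrip("/")
            tries.setdefault(current, {})
        elif keyword == "allow":
            if current is None or not path.startswith(current + "/"):
                raise ValueError(f"allow must sit under the preceding block: {line}")
            node = tries[current]
            for comp in path[len(current) + 1:].split("/"):
                if not COMPONENT_RE.match(comp):
                    raise ValueError(f"unsupported path component {comp!r}")
                node = node.setdefault(comp, {})
        else:
            raise ValueError(f"unknown keyword: {line}")
    return tries


def _deny_siblings(dirpath, consumed, remaining, perms, out):
    """Deny names under dirpath that diverge from the allowed names at the
    next character; 'remaining' holds the not-yet-consumed name suffixes."""
    if "*" in remaining:  # an allowed prefix wildcard covers everything from here
        return
    rest = [n for n in remaining if n]
    heads = sorted({n[0] for n in rest})
    if heads:  # anything whose next character is not an allowed one is denied
        out.append(f"deny {dirpath}{consumed}[^{''.join(heads)}]*{{,/**}} {perms},")
        for ch in heads:
            _deny_siblings(dirpath, consumed + ch,
                           [n[1:] for n in rest if n[0] == ch], perms, out)
    elif "" in remaining:  # exact name allowed; longer names with it as prefix are not
        out.append(f"deny {dirpath}{consumed}?*{{,/**}} {perms},")


def _walk(dirpath, node, perms, out):
    if "**" in node:  # whole subtree allowed: no denials at or below this directory
        return
    if not node:  # plain allowed entry: deny whatever it may contain
        out.append(f"deny {dirpath.rstrip('/')}/** {perms},")
        return
    _deny_siblings(dirpath, "", list(node), perms, out)
    for name, child in sorted(node.items()):
        _walk(f"{dirpath}{name}/", child, perms, out)


def generate(config_text, perms="wklx"):
    """Return the list of AppArmor deny rules for the whole configuration."""
    rules = []
    for root, trie in parse_config(config_text).items():
        _walk(root + "/", trie, perms, rules)
    return rules


def glob_to_regex(glob):
    """Approximate the AppArmor glob subset emitted above as a Python regex
    (assumption: '*', '?' and '[^x]' never match '/')."""
    out, i = [], 0
    while i < len(glob):
        ch = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2; continue
        if ch == "[":
            j = glob.index("]", i)
            body = glob[i + 1:j]
            out.append("[^/" + re.escape(body[1:]) + "]" if body.startswith("^")
                       else "[" + re.escape(body) + "]")
            i = j + 1; continue
        out.append({"*": "[^/]*", "?": "[^/]", "{": "(?:", ",": "|", "}": ")"}
                   .get(ch, re.escape(ch)))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def denied_by(rules, path):
    """Return the deny rules whose path glob matches 'path' (self-check)."""
    return [r for r in rules if glob_to_regex(r.split()[1]).match(path)]


if __name__ == "__main__":
    rules = generate(SAMPLE_CONFIG)
    print("\n".join("  " + r for r in rules))
    for p in ("/sys/class/net/eth0/mtu", "/sys/kernel/uevent_helper"):
        print(p, "->", "denied" if denied_by(rules, p) else "allowed")
```

The self-check is the part worth keeping in a package build: run denied_by over the paths the whitelist is meant to open (and a few it is meant to close) before the chunk is shipped, since a single wrong character class silently either reopens /sys or breaks the container's cgroup access.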