[lxc-devel] [PATCH] document the new lxc.aa_allow_incomplete flag
Stéphane Graber
stgraber at ubuntu.com
Mon Sep 22 14:40:46 UTC 2014
On Mon, Sep 22, 2014 at 02:18:07PM +0000, Serge Hallyn wrote:
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> doc/lxc.container.conf.sgml.in | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
> index 121f882..e418aaf 100644
> --- a/doc/lxc.container.conf.sgml.in
> +++ b/doc/lxc.container.conf.sgml.in
> @@ -1055,6 +1055,27 @@ proc proc proc nodev,noexec,nosuid 0 0
> <programlisting>lxc.aa_profile = unconfined</programlisting>
> </listitem>
> </varlistentry>
> + <varlistentry>
> + <term>
> + <option>lxc.aa_allow_incomplete</option>
> + </term>
> + <listitem>
> + <para>
> + Apparmor profiles are pathname based. Therefore many file
> + restrictions require mount restrictions to be effective against
> + a determined attacker. However, these mount restrictions are not
> + yet implemented in the upstream kernel. Without the mount
> + restrictions, the apparmor profiles still protect against accidental
> + damager.
> + </para>
> + <para>
> + If this flag is 0 (default), then the container will not be
> + started if the kernel lacks the apparmor mount features, so that a
> + regression after a kernel upgrade will be detected. To start the
> + container under partial apparmor protection, set this flag to 1.
> + </para>
> + </listitem>
> + </varlistentry>
> </variablelist>
> </refsect2>
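Review bot: typo in the first added <para> of the lxc.aa_allow_incomplete entry: "accidental damager" should read "accidental damage". The entry could also follow the convention of the preceding lxc.aa_profile entry and show the key/value syntax in a <programlisting>, e.g. `lxc.aa_allow_incomplete = 1`, so readers see exactly what to put in the config when they opt into partial apparmor protection.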
>
> --
> 2.1.0
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com