[lxc-devel] [lxc/master] 2016 02 21/cgns.aa
hallyn on Github
lxc-bot at linuxcontainers.org
Mon Feb 22 00:03:02 UTC 2016
From 5adeb726d84e6580e2f0a47a5c7e76f03455818e Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Sun, 21 Feb 2016 15:38:11 -0800
Subject: [PATCH 1/3] add lxc-default-cgns profile
This isn't safe for privileged containers which do not use cgroup
namespaces, but is required for systemd containers with cgroup
namespaces. So create a new profile for it which lxc will use as
the default when it knows it can.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
config/apparmor/Makefile.am | 3 +++
config/apparmor/profiles/lxc-default-cgns | 12 ++++++++++++
2 files changed, 15 insertions(+)
create mode 100644 config/apparmor/profiles/lxc-default-cgns
diff --git a/config/apparmor/Makefile.am b/config/apparmor/Makefile.am
index f02ac93..887d16c 100644
--- a/config/apparmor/Makefile.am
+++ b/config/apparmor/Makefile.am
@@ -7,6 +7,7 @@ EXTRA_DIST = \
lxc-containers \
lxc-generate-aa-rules.py \
profiles/lxc-default \
+ profiles/lxc-default-cgns \
profiles/lxc-default-with-mounting \
profiles/lxc-default-with-nesting \
usr.bin.lxc-start
@@ -20,6 +21,7 @@ install-apparmor:
$(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
$(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
$(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
+ $(INSTALL_DATA) profiles/lxc-default-cgns $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
$(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
$(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
$(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/
@@ -30,6 +32,7 @@ uninstall-apparmor:
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting
+ rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-cgns
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base
diff --git a/config/apparmor/profiles/lxc-default-cgns b/config/apparmor/profiles/lxc-default-cgns
new file mode 100644
index 0000000..141cde6
--- /dev/null
+++ b/config/apparmor/profiles/lxc-default-cgns
@@ -0,0 +1,12 @@
+# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
+ #include <abstractions/lxc/container-base>
+
+ # the container may never be allowed to mount devpts. If it does, it
+ # will remount the host's devpts. We could allow it to do it with
+ # the newinstance option (but, right now, we don't).
+ deny mount fstype=devpts,
+ mount fstype=cgroup -> /sys/fs/cgroup/**,
+}
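Review bot: The new profile file declares `profile lxc-container-default`, which is the same name the existing lxc-default profile uses (AA_DEF_PROFILE at L94), while the apparmor.c change selects `lxc-container-default-cgns` (AA_DEF_PROFILE_CGNS at L95); the same mismatch therefore also affects the apparmor_process_label_set hunk in patch 2. As written, lxc-containers would load two profiles with one name, and a container started with the cgns label would likely fail because no profile by that name exists. The declaration should read `profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {`. It would also help to carry the commit message's caveat into the file, e.g. `# Unlike lxc-default this allows mounting cgroupfs; only safe for containers running in their own cgroup namespace.` above the `mount fstype=cgroup` rule.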
From fcc1902d0a8f3389d58d1bbf2ffa5548c91f720c Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Sun, 21 Feb 2016 15:51:37 -0800
Subject: [PATCH 2/3] Apparmor: use lxc-default-cgns if cgns is enabled
Because containers need to - and safely can - mount cgroupfs in that
case.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/lxc/lsm/apparmor.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 6352e2c..c0b2e34 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -31,6 +31,7 @@
#include "log.h"
#include "lsm/lsm.h"
#include "conf.h"
+#include "utils.h"
lxc_log_define(lxc_apparmor, lxc);
@@ -40,6 +41,7 @@ static int aa_enabled = 0;
static int mount_features_enabled = 0;
#define AA_DEF_PROFILE "lxc-container-default"
+#define AA_DEF_PROFILE_CGNS "lxc-container-default-cgns"
#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
#define AA_UNCHANGED "unchanged"
@@ -202,8 +204,12 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
free(curlabel);
if (!label) {
- if (use_default)
- label = AA_DEF_PROFILE;
+ if (use_default) {
+ if (cgns_supported())
+ label = AA_DEF_PROFILE_CGNS;
+ else
+ label = AA_DEF_PROFILE;
+ }
else
label = "unconfined";
}
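Review bot: The new branch picks the cgns profile solely on `cgns_supported()`, which is pulled in from utils.h and from its name appears to report kernel support rather than whether this particular container will actually be started inside a cgroup namespace; patch 1's message says the cgns profile is unsafe for privileged containers that are not in one, so if that inference is right a privileged container on a cgns-capable kernel but without the unshare would get the permissive profile. A comment on the condition stating the assumption, e.g. `/* cgns profile is only safe when the container is unshared into its own cgroup ns; cgns_supported() must imply that here */`, would make the invariant checkable. Stylistically, the `else` now follows a braced block but is itself unbraced; `} else {` / `label = "unconfined";` / `}` keeps the two arms symmetric. apparmor_process_label_set begins and ends outside the hunk.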
From 101209d1c0009dcdb48bfc057d40a04c02d6642a Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Sun, 21 Feb 2016 15:52:07 -0800
Subject: [PATCH 3/3] allow cgroup mounting in nesting profile
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
config/apparmor/profiles/lxc-default-with-nesting | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
index 66aa5fd..6e5745f 100644
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -5,12 +5,10 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
#include <abstractions/lxc/container-base>
#include <abstractions/lxc/start-container>
-# Uncomment the line below if you are not using cgmanager
-# mount fstype=cgroup -> /sys/fs/cgroup/**,
-
deny /dev/.lxc/proc/** rw,
deny /dev/.lxc/sys/** rw,
mount fstype=proc -> /var/cache/lxc/**,
mount fstype=sysfs -> /var/cache/lxc/**,
mount options=(rw,bind),
+ mount fstype=cgroup -> /sys/fs/cgroup/**,
}
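Review bot: The cgroup mount rule added at the end of the nesting profile is unconditional, unlike patch 2 where the equivalent permission is gated on `cgns_supported()`, and the removed comment explaining why it used to be opt-in is not replaced. Per patch 1's message, allowing cgroupfs mounts is not safe for a privileged container that does not run in its own cgroup namespace, so an administrator enabling this profile on an older kernel silently loses the protection the old commented-out line preserved. Add a comment above the new rule, e.g. `# Needed for nested containers; only safe when the container runs in its own cgroup namespace (see lxc-default-cgns).`, so the prerequisite is visible to whoever selects this profile.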