[lxc-devel] [lxd/master] Enable stacking for privileged containers
    stgraber on Github 
    lxc-bot at linuxcontainers.org
       
    Wed Apr  5 16:32:19 UTC 2017
    
    
  
From feed2a8e76d07a080086d1acf2f9d39f60621e4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 5 Apr 2017 12:24:33 -0400
Subject: [PATCH] Enable stacking for privileged containers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/apparmor.go      | 10 ++--------
 lxd/container_lxc.go |  4 ++--
 2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/lxd/apparmor.go b/lxd/apparmor.go
index 89881a8..b11be5b 100644
--- a/lxd/apparmor.go
+++ b/lxd/apparmor.go
@@ -320,12 +320,7 @@ func getAAProfileContent(c container) string {
 
 	if aaStacking {
 		profile += "\n  ### Feature: apparmor stacking\n"
-
-		if c.IsPrivileged() {
-			profile += "\n  ### Configuration: apparmor loading disabled in privileged containers\n"
-			profile += "  deny /sys/k*{,/**} rwklx,\n"
-		} else {
-			profile += `  ### Configuration: apparmor loading in unprivileged containers
+		profile += `  ### Configuration: apparmor profile loading (in namespace)
   deny /sys/k[^e]*{,/**} wklx,
   deny /sys/ke[^r]*{,/**} wklx,
   deny /sys/ker[^n]*{,/**} wklx,
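Review bot: The removed `### Configuration: apparmor loading disabled in privileged containers` branch was the only place that documented why privileged containers were treated differently, and the surviving single branch says nothing about that distinction being dropped on purpose; a reader of the new `profile += \`  ### Configuration: apparmor profile loading (in namespace)` line cannot tell whether the privileged case was forgotten. Add a one-line Go comment above it, e.g. `// Privileged and unprivileged containers get the same rules here: with stacking, anything the container loads is confined to its own namespace.` Note that the old privileged rule also denied reads (`rwklx`) on /sys/k*, whereas the shared rules only deny `wklx` on the sub-paths, so privileged containers can now read under /sys/kernel; that looks intended but is worth stating in the comment. The second hunk of getAAProfileContent (-351) is the tail of the same rewrite and needs no separate note; the function starts and ends outside both hunks.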
@@ -351,8 +346,7 @@ func getAAProfileContent(c container) string {
   deny /sys/kernel/security?*{,/**} wklx,
   deny /sys/kernel?*{,/**} wklx,
 `
-			profile += fmt.Sprintf("  change_profile -> \":%s://*\",\n", AANamespace(c))
-		}
+		profile += fmt.Sprintf("  change_profile -> \":%s://*\",\n", AANamespace(c))
 	} else {
 		profile += "\n  ### Feature: apparmor stacking (not present)\n"
 		profile += "  deny /sys/k*{,/**} rwklx,\n"
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index df710be..f9666ab 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -718,7 +718,7 @@ func (c *containerLXC) initLXC() error {
 
 	// Base config
 	toDrop := "sys_time sys_module sys_rawio"
-	if !aaStacking || c.IsPrivileged() {
+	if !aaStacking {
 		toDrop = toDrop + " mac_admin mac_override"
 	}
 
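Review bot: Keeping mac_admin and mac_override in privileged containers at `if !aaStacking {` is only safe while the profile applied to that container is always the namespaced one built by the other hunk in initLXC (`profile = fmt.Sprintf("%s//&:%s:", profile, AANamespace(c))`), and nothing at this line records that dependency. Add a comment such as `// With stacking, policy the container loads via mac_admin lands in its own AppArmor namespace (see the profile assignment below), so the caps are kept even when privileged.` If any other path in initLXC leaves a privileged container on a non-namespaced or user-supplied profile — not visible in this hunk — that path would now also retain these caps, which is worth confirming before merge. initLXC begins and ends outside the hunk.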
@@ -937,7 +937,7 @@ func (c *containerLXC) initLXC() error {
 			 * the old way of nesting, i.e. using the parent's
 			 * profile.
 			 */
-			if aaStacking && (!c.IsNesting() || !c.IsPrivileged()) {
+			if aaStacking {
 				profile = fmt.Sprintf("%s//&:%s:", profile, AANamespace(c))
 			}
 
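Review bot: The comment ending at `* profile.` still describes an exception for nested privileged containers that the new condition `if aaStacking {` no longer has, so it is now stale; its beginning lies outside the hunk. Rewrite it to say that whenever stacking is available the container's profile is always placed in its own namespace, regardless of privilege or nesting, and that only the non-stacking case falls back to the old way of nesting with the parent's profile. initLXC continues outside the hunk.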