[lxc-devel] [PATCH] Allow containers to start in AppArmor namespaces

Christian Brauner christian.brauner at mailbox.org
Fri Jul 7 10:36:47 UTC 2017 

Hi Frédéric,

Thanks for the patch. Just an fyi, we now prefer a Github/PR-based workflow so
next time you send a patch you can also open a PR against or repo in case you
have Github account. You don't need to do it for this patch. I've picked it from
here and made a PR: https://github.com/lxc/lxc/pull/1682

Your authorship is of course not affected by this.

Thanks!
Christian

On Fri, Jul 07, 2017 at 11:26:45AM +0200, Frédéric Dalleau wrote:
> This patch allows users to start containers in AppArmor namespaces.
> Users can define their own profiles for their containers, but
> lxc-start must be allowed to change to a namespace.
> 
> A container configuration file can wrap a container in an AppArmor
> profile using lxc.aa_profile.
> 
> A process in an AppArmor namespace is restricted to view
> or manage only the profiles belonging to this namespace, as if no
> other profiles existed. A namespace can be created as follow:
> sudo mkdir /sys/kernel/security/apparmor/policy/namespaces/$NAMESPACE
> 
> AppArmor can stack profiles so that the contained process is bound
> by the intersection of all profiles of the stack. This is achieved
> using the '//&' operator as follow:
> 
> lxc.aa_profile = $PROFILE//&:$NAMESPACE://unconfined
> 
> In this case, even the guest process appears unconfined in the
> namespace, it is still confined by $PROFILE.
> 
> A guest allowed to access "/sys/kernel/security/apparmor/** rwklix,"
> will be able to manage its own profile set, while still being
> enclosed in the topmost profile $PROFILE:
> 
> Different guests can be assigned the same namespace or different
> namespaces. In the first case, they will share their profiles.
> In the second case, they will have distinct sets of profiles.
> 
> This is validated on privileged containers.
> 
> Signed-off-by: Frédéric Dalleau <frederic.dalleau at collabora.com>
> ---
>  config/apparmor/abstractions/start-container | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
> index eee0c2f..508bbf3 100644
> --- a/config/apparmor/abstractions/start-container
> +++ b/config/apparmor/abstractions/start-container
> @@ -41,3 +41,4 @@
>  
>    change_profile -> lxc-*,
>    change_profile -> unconfined,
> +  change_profile -> :lxc-*:unconfined,
> -- 
> 2.9.3
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20170707/adb0eb2d/attachment.sig>

More information about the lxc-devel mailing list