[lxc-devel] [lxc/master] apparmor: Allow /usr/lib* paths for mount and pivot_root
hwoarang on Github
lxc-bot at linuxcontainers.org
Thu Jul 19 11:19:45 UTC 2018
From 733e3757603f37375bbd4a1b229e91a88036297f Mon Sep 17 00:00:00 2001
From: Markos Chandras <mchandras at suse.de>
Date: Thu, 19 Jul 2018 12:12:13 +0100
Subject: [PATCH] apparmor: Allow /usr/lib* paths for mount and pivot_root
openSUSE Leap 15 is using --libdir=/usr/lib64 when building for
x86_64 so we need to allow this path in the apparmor profiles.
Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1099239
Signed-off-by: Markos Chandras <mchandras at suse.de>
---
config/apparmor/abstractions/start-container | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
index fa64c278c..414d058ba 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -9,8 +9,8 @@
ptrace,
# currently blocked by apparmor bug
- mount -> /usr/lib/*/lxc/{**,},
- mount -> /usr/lib/lxc/{**,},
+ mount -> /usr/lib*/*/lxc/{**,},
+ mount -> /usr/lib*/lxc/{**,},
mount fstype=devpts -> /dev/pts/,
mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=bind /dev/pts/** -> /dev/**,
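Review bot: the two new `mount ->` targets use `/usr/lib*/`, which matches every directory under /usr whose name starts with `lib`, while the commit message only asks for `/usr/lib64`. If `lib` and `lib64` are the only libdirs that need to work, an alternation such as `mount -> /usr/lib{,64}/lxc/{**,},` (the same brace syntax the rule already uses for `{**,}`) keeps the allowed mount targets as tight as before. If the wider glob is deliberate, to cover other libdir values, the commit message should say so.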
@@ -34,10 +34,10 @@
# This may look a bit redundant, however it appears we need all of
# them if we want things to work properly on all combinations of kernel
# and userspace parser...
- pivot_root /usr/lib/lxc/,
- pivot_root /usr/lib/*/lxc/,
- pivot_root /usr/lib/lxc/**,
- pivot_root /usr/lib/*/lxc/**,
+ pivot_root /usr/lib*/lxc/,
+ pivot_root /usr/lib*/*/lxc/,
+ pivot_root /usr/lib*/lxc/**,
+ pivot_root /usr/lib*/*/lxc/**,
change_profile -> lxc-*,
change_profile -> unconfined,
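Review bot: the comment directly above the four `pivot_root` rules says every form is needed "on all combinations of kernel and userspace parser", but the patch rewrites all four in place to use a `lib*` glob in the second path component instead of adding `/usr/lib64` variants next to the originals. Please state in the commit message which parser and kernel versions the globbed forms were tested with, or keep the original `/usr/lib/...` lines and add explicit `/usr/lib64/...` ones, so that the combinations the comment refers to keep the exact rules they load today.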