[lxc-devel] [lxd/master] AppArmor tweaks for forkproxy

stgraber on Github lxc-bot at linuxcontainers.org
Mon Oct 5 20:31:34 UTC 2020 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 301 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20201005/0299f249/attachment.bin>
-------------- next part --------------
From 0142c545185608c3f58218456fe31dd1ef981d5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 5 Oct 2020 16:30:26 -0400
Subject: [PATCH 1/2] lxd/apparmor/forkproxy: Fix bad profile name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/apparmor/instance_forkproxy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/apparmor/instance_forkproxy.go b/lxd/apparmor/instance_forkproxy.go
index 58c146af28..ef95ab3efc 100644
--- a/lxd/apparmor/instance_forkproxy.go
+++ b/lxd/apparmor/instance_forkproxy.go
@@ -135,7 +135,7 @@ func forkproxyProfile(state *state.State, inst instance, dev device) (string, er
 func ForkproxyProfileName(inst instance, dev device) string {
 	path := shared.VarPath("")
 	name := fmt.Sprintf("%s_%s_<%s>", dev.Name(), project.Instance(inst.Project(), inst.Name()), path)
-	return profileName("", name)
+	return profileName("forkproxy", name)
 }
 
 // forkproxyProfileFilename returns the name of the on-disk profile name.

From f14db6a7f16b7ab98fba00171cbe91773562aa9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 5 Oct 2020 16:30:52 -0400
Subject: [PATCH 2/2] lxd/apparmor/forkproxy: Allow writing to log path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/apparmor/instance_forkproxy.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lxd/apparmor/instance_forkproxy.go b/lxd/apparmor/instance_forkproxy.go
index ef95ab3efc..05fe662460 100644
--- a/lxd/apparmor/instance_forkproxy.go
+++ b/lxd/apparmor/instance_forkproxy.go
@@ -47,6 +47,7 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   network unix stream,
 
   # Forkproxy operation
+  {{ .logPath }}/** rw,
   @{PROC}/** rw,
   / rw,
   ptrace (read),
@@ -121,6 +122,7 @@ func forkproxyProfile(state *state.State, inst instance, dev device) (string, er
 		"rootPath":    rootPath,
 		"snap":        shared.InSnap(),
 		"exePath":     util.GetExecPath(),
+		"logPath":     inst.LogPath(),
 		"libraryPath": strings.Split(os.Getenv("LD_LIBRARY_PATH"), ":"),
 		"sockets":     sockets,
 	})

More information about the lxc-devel mailing list