[Lxc-users] lxc, CIFS mounts and apparmor

TuxRaiderPen tuxraiderpen at wpascanner.com
Sat Sep 1 16:26:26 UTC 2012


Playing with lxc "virtualization" to possibly isolate some things in their own 
little/light world(s) v. standard VM via VMWare Server or Player.....

I am trying to use mount for cifs to mount to a NAS to export out some data

apparmor is blocking it... ok so allow it...

I edited...


$ cd /etc/apparmor.d/lxc/
$ more lxc-default
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
  
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  network,
  capability,
  file,
  umount,
  
  # ignore DENIED message on / remount
  deny mount options=(ro, remount) -> /,
  
  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,
  mount fstype=cifs,
  
  # allow mqueue mounts everywhere
  mount fstype=mqueue,
  
  # allow fuse mounts everywhere
  mount fstype=fuse.*,
  
  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  
  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
  
  # deny writes in /proc/sys/fs but allow fusectl to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,
  
  # block some other dangerous paths
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
  deny @{PROC}/sys/kernel/*/** wklx,
  
  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)
  mount fstype=fusectl -> /sys/fs/fuse/connections/,
  mount fstype=securityfs -> /sys/kernel/security/,
  mount fstype=debugfs -> /sys/kernel/debug/,
  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
}

I added: *mount fstype=cifs,*

But apparmor is still sticking its stupid nose in my way

[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=5073 profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"

Short of turning apparmor off, which is my next step...

Any apparmor gurus know how to remove this block???

Or is this hidden in some other file now since the container is created??

And I would prefer not to use fuse to do this, for my own reason(s).

Thanks.
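The denial above is an AppArmor audit record: a flat run of key=value fields where fstype, srcname and name identify the mount and info carries the kernel's reason string. As an added example (not part of the original post or of LXC/AppArmor), this small parser pulls those fields out of dmesg-style text and lists only the denied mount operations for a given profile, which is the view you want when deciding which mount rule a profile is missing. The log lines are constructed: the first is the post's denial re-joined onto one line, the other two are made up to show filtering.

```python
import re

# Constructed sample dmesg text (first line is the denial quoted in the post)
SAMPLE_LOG = """\
[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=5073 profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"
[ 2828.400000] eth0: link up
[ 2829.000000] type=1400 audit(1346445534.000:26): apparmor="DENIED" operation="open" parent=5073 profile="lxc-container-default" name="/proc/sysrq-trigger" pid=5080 comm="cat" requested_mask="w" denied_mask="w"
"""

# key=value pairs; the value is either double-quoted or a bare token
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_record(line):
    """Split one AppArmor audit record into a dict of its key=value fields.
    Returns None for lines that are not AppArmor records."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def mount_denials(log_text, profile=None):
    """Return a compact summary of every DENIED mount operation in the log,
    optionally restricted to a single profile name."""
    out = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if not rec or rec.get('apparmor') != 'DENIED':
            continue
        if rec.get('operation') != 'mount':
            continue                      # file opens etc. are not mount rules
        if profile and rec.get('profile') != profile:
            continue
        out.append({
            'profile': rec.get('profile'),
            'fstype': rec.get('fstype'),  # filesystem type the rule must allow
            'source': rec.get('srcname'), # absent for tmpfs-style mounts
            'target': rec.get('name'),
            'flags': rec.get('flags'),
            'reason': rec.get('info'),    # kernel reason, e.g. "failed type match"
            'comm': rec.get('comm'),
        })
    return out


if __name__ == '__main__':
    for denial in mount_denials(SAMPLE_LOG, profile='lxc-container-default'):
        print(denial)
```

Feed it `dmesg` output (or /var/log/kern.log) and it reports only the mount denials, so unrelated file-access denials from the same profile do not clutter the picture.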