[Lxc-users] lxc, CIFS mounts and apparmor

Serge Hallyn serge.hallyn at canonical.com
Thu Sep 6 13:25:54 UTC 2012


Quoting TuxRaiderPen (tuxraiderpen at wpascanner.com):
> Playing with lxc "virtualization" to possibly isolate some things in their own 
> little/light world(s) v. standard VM via VMWare Server or Player.....
> 
> I am trying to use mount for cifs to mount to a NAS to export out some data
> 
> apparmor is blocking it... ok so allow it...
> 
> I edited...
> 
> 
> $ cd /etc/apparmor.d/lxc/
> $ more lxc-default
> # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> # will source all profiles under /etc/apparmor.d/lxc
>   
> profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
>   network,
>   capability,
>   file,
>   umount,
>   
>   # ignore DENIED message on / remount
>   deny mount options=(ro, remount) -> /,
>   
>   # allow tmpfs mounts everywhere
>   mount fstype=tmpfs,
>   mount fstype=cifs,
>   
>   # allow mqueue mounts everywhere
>   mount fstype=mqueue,
>   
>   # allow fuse mounts everywhere
>   mount fstype=fuse.*,
>   
>   # the container may never be allowed to mount devpts.  If it does, it
>   # will remount the host's devpts.  We could allow it to do it with
>   # the newinstance option (but, right now, we don't).
>   deny mount fstype=devpts,
>   
>   # allow bind mount of /lib/init/fstab for lxcguest
>   mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
>   
>   # deny writes in /proc/sys/fs but allow fusectl to be mounted
>   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
>   deny @{PROC}/sys/fs/** wklx,
>   
>   # block some other dangerous paths
>   deny @{PROC}/sysrq-trigger rwklx,
>   deny @{PROC}/mem rwklx,
>   deny @{PROC}/kmem rwklx,
>   deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
>   deny @{PROC}/sys/kernel/*/** wklx,
>   
>   # deny writes in /sys except for /sys/fs/cgroup, also allow
>   # fusectl, securityfs and debugfs to be mounted there (read-only)
>   mount fstype=fusectl -> /sys/fs/fuse/connections/,
>   mount fstype=securityfs -> /sys/kernel/security/,
>   mount fstype=debugfs -> /sys/kernel/debug/,
>   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
>   mount fstype=proc -> /proc/,
>   mount fstype=sysfs -> /sys/,
>   deny /sys/[^f]*/** wklx,
>   deny /sys/f[^s]*/** wklx,
>   deny /sys/fs/[^c]*/** wklx,
>   deny /sys/fs/c[^g]*/** wklx,
>   deny /sys/fs/cg[^r]*/** wklx,
> }
> 
> I added: *mount fstype=cifs,*
> 
> But apparmor is still sticking it stupid nose in my way

Just to make sure - did you reload the policy after this?

> [ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=5073 profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"

I haven't tried this, but it sure looks like this should be fixed with your
rule.

> Short of turning apparmor off, which is my next step...

Well it's certainly worth trying turning apparmor off (just with
lxc.aa_profile = unconfined) to make sure it's the problem.  The
network filesystems are still persnickety in containers, and I'm
not even sure cifs will work at all.

> Any apparmor gurus know how to remove this block?
> 
> Or is this hidden in some other file now since the container is created?
> 
> And I would prefer not to use fuse to do this, for my own reason(s).
> 
> Thanks.
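As an added example (not from this thread or the lxc project), here is a small POSIX sh triage helper for exactly this situation: it pulls the fields out of an apparmor="DENIED" mount audit line like the one quoted above and checks whether the container profile on disk already carries an allow or deny rule for that fstype, which separates "rule missing" from "rule present but policy not reloaded". The audit line and the profile fragment are constructed from the thread's own text; the reload command it suggests is the standard `apparmor_parser -r` on the file the profile comments say to load.

```shell
#!/bin/sh
# Constructed sample: the dmesg line quoted in the thread, on one line.
SAMPLE_DENIAL='[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=5073 profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"'

# Constructed profile fragment mirroring the rules quoted in the thread.
PROFILE_FILE=$(mktemp)
cat > "$PROFILE_FILE" <<'EOF'
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  mount fstype=tmpfs,
  mount fstype=cifs,
  deny mount fstype=devpts,
}
EOF

# aa_field LINE KEY -> value of KEY="..." (key must be preceded by whitespace,
# so "name=" does not match inside "srcname=").  Empty if absent.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# aa_mount_rule PROFILE_FILE FSTYPE -> deny | allow | none
# Only unconditional "mount fstype=X," rules are recognised here.
aa_mount_rule() {
    if grep -Eq "^[[:space:]]*deny[[:space:]]+mount[[:space:]]+fstype=$2," "$1"; then
        echo deny
    elif grep -Eq "^[[:space:]]*mount[[:space:]]+fstype=$2," "$1"; then
        echo allow
    else
        echo none
    fi
}

# aa_triage LINE PROFILE_FILE -> one-word verdict for the denial
aa_triage() {
    [ "$(aa_field "$1" apparmor)" = "DENIED" ] || { echo not-a-denial; return; }
    [ "$(aa_field "$1" operation)" = "mount" ] || { echo not-a-mount; return; }
    fs=$(aa_field "$1" fstype)
    case $(aa_mount_rule "$2" "$fs") in
        deny)  echo "explicit-deny:$fs" ;;
        allow) echo "rule-present-reload-policy:$fs" ;;   # apparmor_parser -r /etc/apparmor.d/lxc-containers
        none)  echo "rule-missing:$fs" ;;
    esac
}

aa_triage "$SAMPLE_DENIAL" "$PROFILE_FILE"
```

Point it at a real line from `dmesg` and `/etc/apparmor.d/lxc/lxc-default` to get the same verdict for a live container.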