[Lxc-users] lxc, CIFS mounts and apparmor
Serge Hallyn
serge.hallyn at canonical.com
Thu Sep 6 13:25:54 UTC 2012
Quoting TuxRaiderPen (tuxraiderpen at wpascanner.com):
> Playing with lxc "virtualization" to possibly isolate some things in their own
> little/light world(s) v. standard VM via VMWare Server or Player.....
>
> I am trying to use mount for cifs to mount to a NAS to export out some data
>
> apparmor is blocking it... ok so allow it...
>
> I edited...
>
>
> $ cd /etc/apparmor.d/lxc/
> $ more lxc-default
> # Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
> # will source all profiles under /etc/apparmor.d/lxc
>
> profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
>   network,
>   capability,
>   file,
>   umount,
>
>   # ignore DENIED message on / remount
>   deny mount options=(ro, remount) -> /,
>
>   # allow tmpfs mounts everywhere
>   mount fstype=tmpfs,
>   mount fstype=cifs,
>
>   # allow mqueue mounts everywhere
>   mount fstype=mqueue,
>
>   # allow fuse mounts everywhere
>   mount fstype=fuse.*,
>
>   # the container may never be allowed to mount devpts. If it does, it
>   # will remount the host's devpts. We could allow it to do it with
>   # the newinstance option (but, right now, we don't).
>   deny mount fstype=devpts,
>
>   # allow bind mount of /lib/init/fstab for lxcguest
>   mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
>
>   # deny writes in /proc/sys/fs but allow fusectl to be mounted
>   mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
>   deny @{PROC}/sys/fs/** wklx,
>
>   # block some other dangerous paths
>   deny @{PROC}/sysrq-trigger rwklx,
>   deny @{PROC}/mem rwklx,
>   deny @{PROC}/kmem rwklx,
>   deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
>   deny @{PROC}/sys/kernel/*/** wklx,
>
>   # deny writes in /sys except for /sys/fs/cgroup, also allow
>   # fusectl, securityfs and debugfs to be mounted there (read-only)
>   mount fstype=fusectl -> /sys/fs/fuse/connections/,
>   mount fstype=securityfs -> /sys/kernel/security/,
>   mount fstype=debugfs -> /sys/kernel/debug/,
>   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
>   mount fstype=proc -> /proc/,
>   mount fstype=sysfs -> /sys/,
>   deny /sys/[^f]*/** wklx,
>   deny /sys/f[^s]*/** wklx,
>   deny /sys/fs/[^c]*/** wklx,
>   deny /sys/fs/c[^g]*/** wklx,
>   deny /sys/fs/cg[^r]*/** wklx,
> }
>
> I added: *mount fstype=cifs,*
>
> But apparmor is still sticking its stupid nose in my way
Just to make sure - did you reload the policy after this?
> [ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED"
> operation="mount" info="failed type match" error=-13 parent=5073 profile="lxc-
> container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs"
> fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"
I haven't tried this, but it sure looks like this should be fixed with your
rule.
> Short of turning apparmor off, which is my next step...
Well it's certainly worth trying turning apparmor off (just with
lxc.aa_profile = unconfined) to make sure it's the problem. The
network filesystems are still persnickety in containers, and I'm
not even sure cifs will work at all.
> Any apparmor gurus know how to remove this block?
>
> Or is this hidden in some other file now since the container is created?
>
> And I would prefer not to use fuse to do this, for my own reason(s).
>
> Thanks.
>
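A small triage helper for denials like the one quoted in this thread, added here as an example (it is not code from the thread, from lxc or from AppArmor): it parses the key="value" audit records, keeps only DENIED mount events for a given profile, and prints the narrowest `mount fstype=... -> path,` rule that describes each one, so you can compare it with what the loaded profile actually says before blaming the rule. The sample log is constructed: the first line is the record quoted above, the second is a made-up open denial that the filter should drop.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the denial quoted in the thread, plus one unrelated
# (made-up) file-access denial so the mount filter has something to reject.
SAMPLE_LOG = [
    '[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" '
    'operation="mount" info="failed type match" error=-13 parent=5073 '
    'profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 '
    'comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"',
    '[ 2830.001000] type=1400 audit(1346445535.100:26): apparmor="DENIED" '
    'operation="open" profile="lxc-container-default" name="/proc/sysrq-trigger" '
    'pid=5090 comm="cat" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
]

# AppArmor audit records are key=value pairs; values are either "quoted" or bare words.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in _FIELD_RE.findall(line)}


def mount_denials(lines: List[str], profile: str) -> List[Dict[str, str]]:
    """Keep only DENIED mount operations attributed to the given profile."""
    found = []
    for line in lines:
        ev = parse_event(line)
        if (ev and ev.get("apparmor") == "DENIED"
                and ev.get("operation") == "mount" and ev.get("profile") == profile):
            found.append(ev)
    return found


def candidate_rule(ev: Dict[str, str]) -> str:
    """Narrowest mount rule describing the event: fstype plus destination path.

    The thread's own rule, 'mount fstype=cifs,', is the unrestricted form of this;
    srcname ("//host/share" for cifs) is reported but not used here, and the rule
    only takes effect once the profile is reloaded with apparmor_parser -r.
    """
    rule = "mount fstype=" + ev["fstype"]
    if ev.get("name"):
        rule += " -> " + ev["name"]
    return rule + ","


if __name__ == "__main__":
    for ev in mount_denials(SAMPLE_LOG, "lxc-container-default"):
        print(ev.get("info", ""), "|", candidate_rule(ev))
```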