[lxc-users] sysctl -p no longer allowed in container

Serge Hallyn serge.hallyn at ubuntu.com
Tue Apr 29 20:25:09 UTC 2014


Quoting Dan Kegel (dank at kegel.com):
> OK, it's not as benign as I thought; I can't even do the setting in the host
> without disabling apparmor.  So I guess I should file a bug against

Hm?  I don't have that problem...  What is in /proc/self/attr/current?
Does /var/log/audit/audit.log or /var/log/syslog show an apparmor
denial for it?  What does strace show?

> ubuntu 14.04 apparmor.  Thanks!
> - Dan
> 
> On Tue, Apr 29, 2014 at 12:17 PM, Dan Kegel <dank at kegel.com> wrote:
> > Think I should file a bug?  (And against what?)
> > - Dan
> >
> > On Tue, Apr 29, 2014 at 12:15 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> >> Quoting Dan Kegel (dank at kegel.com):
> >>> My scripts were (unwisely) expecting to be able to do things like
> >>>         echo "kernel.sem = 250 65536 32 32768" | sudo tee -a /etc/sysctl.conf
> >>>         sudo /sbin/sysctl -p
> >>> inside the container.  Tsk.  I seem to have gotten away with it in
> >>> Ubuntu 12.04, but Ubuntu 14.04 complains
> >>>    + sudo /sbin/sysctl -p
> >>>    sysctl: permission denied on key 'kernel.sem'
> >>>
> >>> That makes sense -- containers shouldn't be able to tweak kernel parameters.
> >>> So now I'm rejiggering my scripts to do that outside the container.
> >>>
> >>> Onwards!
> >>
> >> Hm, actually I think that one should be fine.  The apparmor profile
> >> exempts /proc/sys/kernel/shm*, and it looks like /proc/sys/kernel/sem
> >> should also be allowed as it looks to be correctly namespaced, i.e.
> >> the container won't affect the host's settings.
> >>
> >> -serge
> >> _______________________________________________
> >> lxc-users mailing list
> >> lxc-users at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-users
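As an added example (not part of the thread or of LXC itself), a small POSIX shell helper for the two checks Serge asks about: what AppArmor label the process runs under, and whether the kernel/audit log holds an AppArmor denial for the /proc/sys path that sysctl tried to write. The sample log lines are constructed in the shape of Ubuntu 14.04 syslog output and are not real data.

```shell
#!/bin/sh
# Added example, not from the thread: triage a sysctl "permission denied" inside
# an LXC container the way Serge suggests, i.e. look at the confining AppArmor
# label, then look for a matching AppArmor denial in the kernel/audit log.

# Print the AppArmor label of the current process, e.g. "lxc-container-default (enforce)"
# inside a container or "unconfined" on a bare host. Falls back to "unknown" where the
# kernel exposes no label.
current_apparmor_label() {
    cat /proc/self/attr/current 2>/dev/null || echo "unknown"
}

# Read syslog/audit text on stdin and print, for every AppArmor DENIED record whose
# name= field equals the given path, the profile, operation, command and requested mask.
# Fields are parsed as key="value" pairs, so the record's field order does not matter.
apparmor_denials_for() {
    awk -v want="$1" '
        /apparmor="DENIED"/ {
            split("", kv)                       # clear the per-record map (portable awk)
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue            # timestamp, "kernel:", audit(...) etc.
                k = substr($i, 1, n - 1)
                v = substr($i, n + 1)
                gsub(/"/, "", v)
                kv[k] = v
            }
            if (kv["name"] == want)
                print kv["profile"], kv["operation"], kv["comm"], kv["requested_mask"]
        }'
}

# Constructed sample lines in the shape of Ubuntu 14.04 syslog output; not real log data.
SAMPLE_LOG='Apr 29 13:00:01 host kernel: [ 1234.567] type=1400 audit(1398800000.123:45): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/proc/sys/kernel/sem" pid=4321 comm="sysctl" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 29 13:00:02 host kernel: [ 1234.890] type=1400 audit(1398800001.456:46): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/proc/sys/kernel/sysrq" pid=4322 comm="sysctl" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 29 13:00:03 host kernel: [ 1235.000] type=1400 audit(1398800002.789:47): apparmor="STATUS" operation="profile_replace" name="lxc-container-default" pid=99 comm="apparmor_parser"'

# Stand-alone run: show our own label, then the denials recorded for kernel.sem.
echo "confinement: $(current_apparmor_label)"
echo "denials for /proc/sys/kernel/sem (profile operation comm mask):"
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials_for /proc/sys/kernel/sem
```

On a real system, replace the constructed sample with `apparmor_denials_for /proc/sys/kernel/sem < /var/log/syslog` (or the audit log); an empty result with sysctl still failing points away from AppArmor and towards the kernel's own permission check.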