[lxc-users] some questions about lxc with apparmor
wengmeiling.weng at huawei.com
Mon Sep 15 01:40:28 UTC 2014
On 2014/9/12 22:22, Serge Hallyn wrote:
> Quoting Weng Meiling (wengmeiling.weng at huawei.com):
>> Hi guys,
>> I want to use apparmor to put some limits on a container, but I can't succeed.
>> my environment:
>> template: suse template
>> lxc: 1.0.0.beta1 //built with apparmor enabled
>> # rpm -qa | grep apparmor
>> upstream 3.4 kernel and 3.16 kernel
>> # cat config | grep APPARMOR
>> # cat /sys/module/apparmor/parameters/enabled
> What does /sys/kernel/security/apparmor/features/mount/mask show?
Thanks for the quick reply!
The file content:
# cat /sys/kernel/security/apparmor/features/mount/mask
> That depends on some new apparmor features still making their
> way upstream.
> The current behavior when these are missing is not right, but hasn't
> yet been fixed. We should either fail the container startup, clearly
> warning the user that the full apparmor profile wouldn't have been
> enabled, or we should warn the user (which will likely get lost) and
> go ahead and load the apparmor profile.
> Well, or better, we could scan the apparmor profile for features which
> would require the mount feature. I'm not quite sure whether that's
> possible though.
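The last option raised in the thread (scan the profile for rules that need the mount feature, and refuse to start when the kernel lacks it) can be approximated with a line-based check. This is an added example, not LXC's code and not something posted by either participant. The function names and the `AA_FEATURES` override are hypothetical; it assumes a missing or empty `mount/mask` means the kernel cannot mediate mount rules, and it does not follow `#include` lines.

```shell
#!/bin/sh
# Added example: can this AppArmor profile be fully enforced on this kernel?
# Assumption: a missing or empty features/mount/mask means no mount mediation.

# Path from the thread; overridable so the check can be exercised offline.
AA_FEATURES=${AA_FEATURES:-/sys/kernel/security/apparmor/features}

# True if features/mount/mask exists and lists at least one operation.
# The file is read rather than size-tested, since securityfs reports size 0.
kernel_has_mount_mediation() {
    [ -r "$AA_FEATURES/mount/mask" ] && [ -n "$(cat "$AA_FEATURES/mount/mask")" ]
}

# profile_needs_mount PROFILE: true if the profile contains mount-class rules
# (mount, remount, umount, pivot_root), optionally prefixed by
# audit/deny/allow. Whole-line comments are skipped.
profile_needs_mount() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*((audit|deny|allow)[[:space:]]+)*(mount|remount|umount|pivot_root)([[:space:],]|$)'
}

# check_profile PROFILE: returns
#   0  profile can be enforced as written
#   1  profile has mount rules this kernel cannot enforce (fail startup)
check_profile() {
    if ! profile_needs_mount "$1"; then
        echo "ok: $1 has no mount rules"
        return 0
    fi
    if kernel_has_mount_mediation; then
        echo "ok: kernel mediates: $(cat "$AA_FEATURES/mount/mask")"
        return 0
    fi
    echo "fail: $1 has mount rules, but $AA_FEATURES/mount/mask is missing or empty" >&2
    return 1
}
```

Returning non-zero here corresponds to the "fail the container startup" choice; a caller that prefers the warn-and-continue choice can log the message and proceed.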