Public bug reported: The current lxc package uses a single profile for all containers. Because of the way this is implemented, administrators cannot customize a policy for a special container (without copying /usr/bin/lxc-start to a new container-specific /usr/bin/lxc-start-mycontainer, which could then have its own policy).
Additionally, the default policy cannot at the same time clamp down on cgroup access by the container (to prevent it escaping its device list access, for instance) and allow nested lxc/libvirt (which requires cgroup modification of the container's child cgroups). I believe this will not be sufficient for administrators. Therefore I think we should:

1. update lxc-create to have a '--apparmor <file>' argument to specify a custom profile.
2. have lxc-create use a default policy (in /etc/lxc/lxc.apparmor) by default.
3. edit lxc-start and lxc-execute to manually enter the container's policy as specified by the lxc.apparmor line in the configuration file, or a stock one if unspecified.
4. edit lxc-clone and lxc-start-ephemeral to do the right thing.

** Affects: lxc (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/953453
Title: [FFE] use per-container apparmor profiles
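Step 3 of the proposal, as an added illustration that is not part of the bug report or of lxc's own code: resolve which profile lxc-start should enter from a container's config, fall back to a stock profile only when none is named, and refuse to start when the named profile is not loaded in the kernel. The `lxc.apparmor` key is the one proposed above; the stock profile name `lxc-container-default`, the `unconfined` opt-out, and the sample config and profile listing are assumptions constructed for the example.

```python
import re

STOCK_PROFILE = "lxc-container-default"  # assumed name of the stock profile

# Constructed sample inputs: a container config, and the kernel's profile
# listing as read from /sys/kernel/security/apparmor/profiles ("name (mode)").
SAMPLE_CONFIG = "lxc.utsname = web\nlxc.apparmor = lxc-web  # custom policy\n"
SAMPLE_PROFILES = "lxc-container-default (enforce)\nlxc-web (complain)\n"

def parse_config(text):
    """Return {key: value} for 'key = value' lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def loaded_profiles(text):
    """Parse the kernel's 'name (mode)' listing into the set of loaded profile names."""
    matches = (re.match(r"^(.+?)\s+\(\w+\)\s*$", ln) for ln in text.splitlines())
    return {m.group(1) for m in matches if m}

def resolve_profile(config_text, loaded):
    """Pick the profile lxc-start should enter.

    The stock profile is used only when the config names none. A configured
    profile that is not loaded is an error, because silently falling back would
    start the container under the wrong policy or none. 'unconfined' is an
    assumed explicit opt-out, returned as None so the caller can log it.
    """
    wanted = parse_config(config_text).get("lxc.apparmor", STOCK_PROFILE)
    if wanted == "unconfined":
        return None
    if wanted not in loaded:
        raise RuntimeError(f"AppArmor profile {wanted!r} is not loaded")
    return wanted

def change_onexec_request(profile):
    """String written to /proc/self/attr/exec so the next execve() transitions
    into `profile` (the mechanism behind libapparmor's aa_change_onexec)."""
    return f"exec {profile}"

if __name__ == "__main__":
    prof = resolve_profile(SAMPLE_CONFIG, loaded_profiles(SAMPLE_PROFILES))
    print(prof, "->", change_onexec_request(prof))  # lxc-web -> exec lxc-web
```

On a real host the profile listing comes from the kernel's AppArmor interface rather than the constructed string, and the request string would be written to /proc/self/attr/exec immediately before exec'ing the container's init.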