it will cause hangup of the fuse fs on host. Note we could limit this to fuse filesystems only, but I can't see a good reason to allow force umount from container at all at the moment.
Signed-off-by: Serge Hallyn <[email protected]> --- config/apparmor/abstractions/container-base | 3 +++ config/apparmor/abstractions/container-base.in | 3 +++ 2 files changed, 6 insertions(+) diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base index 2d5fd7a..4faed77 100644 --- a/config/apparmor/abstractions/container-base +++ b/config/apparmor/abstractions/container-base @@ -3,6 +3,9 @@ file, umount, + # prevent containers from causing nfs/fuse hangup on host + deny umount options=(force), + # dbus, signal, ptrace and unix are only supported by recent apparmor # versions. Comment them if the apparmor parser doesn't recognize them. diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in index 2065735..56f4da9 100644 --- a/config/apparmor/abstractions/container-base.in +++ b/config/apparmor/abstractions/container-base.in @@ -3,6 +3,9 @@ file, umount, + # prevent containers from causing nfs/fuse hangup on host + deny umount options=(force), + # dbus, signal, ptrace and unix are only supported by recent apparmor # versions. Comment them if the apparmor parser doesn't recognize them. -- 2.1.0
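Review bot: the added `deny umount options=(force),` line in container-base sits above the existing caveat that dbus, signal, ptrace and unix rules must be commented out when the parser does not recognize them, but the new rule carries no such caveat. Please confirm that the oldest apparmor_parser this abstraction is meant to load on accepts `options=(force)` on a umount rule, or extend that caveat to cover it, because a rule the parser rejects stops the whole abstraction from loading.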
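Review bot: the comment added in container-base.in says "nfs/fuse", but the rule below it has no fstype condition, so it denies forced umount for every filesystem type, which is what the commit message says was chosen over a fuse-only limit. Suggest the comment state that the deny is deliberately unconditional, and that it takes precedence over the plain `umount,` allow rule on the line before it, so a later reader does not narrow or reorder it by mistake.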
