The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/878
This e-mail was sent by the LXC bot; direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
From eab570bcaf848fad77e84dc9df1b5111d4b3603f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> Date: Mon, 7 Mar 2016 15:00:05 -0500 Subject: [PATCH 1/2] Revert "allow cgroupfs mounts under /sys/fs/cgroup" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit 833bf9c2b29ff03cb5e5e1db089d25757f4a2647. This change wasn't actually safe and is now superseded by the cgns profile. Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- config/apparmor/abstractions/container-base.in | 1 - 1 file changed, 1 deletion(-) diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in index 2a3969b..2237a47 100644 --- a/config/apparmor/abstractions/container-base.in +++ b/config/apparmor/abstractions/container-base.in @@ -91,6 +91,5 @@ deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, - mount fstype=cgroup -> /sys/fs/cgroup/**, mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/, From 056f8bba0d86ca2ba481a932f23faff9db2ef588 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> Date: Mon, 7 Mar 2016 15:01:17 -0500 Subject: [PATCH 2/2] Properly update the generated apparmor profiles MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Some changes happened but the final profiles weren't generated... Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> --- config/apparmor/abstractions/container-base | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base index ac8d4e9..6e924db 100644 --- a/config/apparmor/abstractions/container-base +++ b/config/apparmor/abstractions/container-base 
@@ -62,6 +62,10 @@ # allow bind mount of /lib/init/fstab for lxcguest mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/, + # allow bind mounts of /run/{,lock} to /var/run/{,lock} + mount options=(rw, bind) /run/ -> /var/run/, + mount options=(rw, bind) /run/lock/ -> /var/lock/, + # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, deny @{PROC}/sys/fs/** wklx, @@ -83,9 +87,11 @@ deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, mount fstype=proc -> /proc/, mount fstype=sysfs -> /sys/, + mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/, deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, + mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/, # generated by: lxc-generate-aa-rules.py container-rules.base deny /proc/sys/[^kn]*{,/**} wklx,
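Review bot: in the [PATCH 1/2] hunk against container-base.in (@@ -91,6 +91,5 @@), the commit message says the reverted rule "wasn't actually safe" but not why, and this history entry is the only place the decision will be recorded. Add a sentence to the message (or a comment beside the surviving `mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,` line) stating that `mount fstype=cgroup -> /sys/fs/cgroup/**,` let a confined container mount a cgroup filesystem at any path below /sys/fs/cgroup, and name the cgns profile that now covers that case, so nobody reintroduces the rule later. Note also that this hunk touches only the `.in` template; the generated `container-base` is only brought into line in 2/2, so the two commits should land together.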
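Review bot: for the @@ -62,6 +62,10 @@ hunk, the two added `mount options=(rw, bind)` rules (/run/ -> /var/run/ and /run/lock/ -> /var/lock/) have no matching change to container-base.in in this series, and the message only says "some changes happened". List the template commits being caught up on, or show the regeneration step that produced this diff, so a reviewer can confirm the generated file now matches the template rather than a hand edit. A build or test step that regenerates container-base from container-base.in and diffs it against the committed copy would have caught the drift this commit repairs.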
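Review bot: in the @@ -83,9 +87,11 @@ hunk, the new `mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,` line allows a read-write remount of sysfs that the existing `mount fstype=sysfs -> /sys/,` rule did not cover, so this is a widening of the profile even though the `deny /sys/firmware/efi/efivars/** rwklx,` and `deny /sys/kernel/security/** rwklx,` entries still guard the sensitive subtrees; the commit message should say the rw remount is intended. The cgroup remount added in the same hunk is `ro` with `strictatime` while the /sys one is `rw` without it; if both are meant to mirror the template, a pointer to the corresponding container-base.in lines makes that checkable.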
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel