[lxc-devel] [lxc/master] apparmor: Allow /usr/lib* paths for mount and pivot_root

Thu, 19 Jul 2018 04:20:01 -0700 

The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2481

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
openSUSE Leap 15 is using --libdir=/usr/lib64 when building for
x86_64 so we need to allow this path in the apparmor profiles.

Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1099239
Signed-off-by: Markos Chandras <mchand...@suse.de>

From 733e3757603f37375bbd4a1b229e91a88036297f Mon Sep 17 00:00:00 2001
From: Markos Chandras <mchand...@suse.de>
Date: Thu, 19 Jul 2018 12:12:13 +0100
Subject: [PATCH] apparmor: Allow /usr/lib* paths for mount and pivot_root

openSUSE Leap 15 is using --libdir=/usr/lib64 when building for
x86_64 so we need to allow this path in the apparmor profiles.

Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1099239
Signed-off-by: Markos Chandras <mchand...@suse.de>
---
 config/apparmor/abstractions/start-container | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/config/apparmor/abstractions/start-container 
b/config/apparmor/abstractions/start-container
index fa64c278c..414d058ba 100644
--- a/config/apparmor/abstractions/start-container
+++ b/config/apparmor/abstractions/start-container
@@ -9,8 +9,8 @@
   ptrace,
 
   # currently blocked by apparmor bug
-  mount -> /usr/lib/*/lxc/{**,},
-  mount -> /usr/lib/lxc/{**,},
+  mount -> /usr/lib*/*/lxc/{**,},
+  mount -> /usr/lib*/lxc/{**,},
   mount fstype=devpts -> /dev/pts/,
   mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
   mount options=bind /dev/pts/** -> /dev/**,
@@ -34,10 +34,10 @@
   # This may look a bit redundant, however it appears we need all of
   # them if we want things to work properly on all combinations of kernel
   # and userspace parser...
-  pivot_root /usr/lib/lxc/,
-  pivot_root /usr/lib/*/lxc/,
-  pivot_root /usr/lib/lxc/**,
-  pivot_root /usr/lib/*/lxc/**,
+  pivot_root /usr/lib*/lxc/,
+  pivot_root /usr/lib*/*/lxc/,
+  pivot_root /usr/lib*/lxc/**,
+  pivot_root /usr/lib*/*/lxc/**,
 
   change_profile -> lxc-*,
   change_profile -> unconfined,

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

Reply via email to