The following pull request was submitted through GitHub.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7060

This e-mail was sent by the LXC bot; direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Closes #7059

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
From ea0b3219cc0a1d2270605708388ff0dc7167b5b8 Mon Sep 17 00:00:00 2001
From: Stéphane Graber <stgra...@ubuntu.com>
Date: Thu, 19 Mar 2020 15:51:45 -0400
Subject: [PATCH] lxd/containers: Add configfs and tracefs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #7059

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/apparmor/apparmor.go           | 8 ++++++++
 lxd/instance/drivers/driver_lxc.go | 5 ++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/lxd/apparmor/apparmor.go b/lxd/apparmor/apparmor.go
index 3c395baebd..abeb15bf0f 100644
--- a/lxd/apparmor/apparmor.go
+++ b/lxd/apparmor/apparmor.go
@@ -53,6 +53,10 @@ const profileBase = `
   # Handle cgroupfs
   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> 
/sys/fs/cgroup/,
 
+  # Handle configfs
+  mount fstype=configfs -> /sys/kernel/config/,
+  deny /sys/kernel/config/{,**} rwklx,
+
   # Handle debugfs
   mount fstype=debugfs -> /sys/kernel/debug/,
   deny /sys/kernel/debug/{,**} rwklx,
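Review bot: the configfs allow rule `mount fstype=configfs -> /sys/kernel/config/,` carries no `options=(...)` constraint, unlike the cgroupfs rule directly above it, so the only thing that keeps the mounted tree unreachable from inside the container is the following `deny /sys/kernel/config/{,**} rwklx,`; the two lines must always ship together, and a one-line comment stating why a mount is permitted whose contents are then fully denied would help whoever edits this section next. Because AppArmor deny rules take precedence over allow rules, the path deny also covers a configfs that arrives at that location by other means. Placing the block between cgroupfs and debugfs keeps the profile's alphabetical ordering.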
@@ -61,6 +65,10 @@ const profileBase = `
   mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
   deny /sys/firmware/efi/efivars/{,**} rwklx,
 
+  # Handle tracefs
+  mount fstype=tracefs -> /sys/kernel/tracing/,
+  deny /sys/kernel/tracing/{,**} rwklx,
+
   # Handle fuse
   mount fstype=fuse,
   mount fstype=fuse.*,
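Review bot: the tracefs block is inserted between efivarfs and fuse, which breaks the alphabetical ordering the surrounding sections follow (cgroupfs, configfs, debugfs, efivarfs, fuse); moving it below the fuse rules keeps that convention. Functionally it mirrors the debugfs block: the mount is permitted only at `/sys/kernel/tracing/` and every access beneath it is denied by `deny /sys/kernel/tracing/{,**} rwklx,`. The kernel also exposes tracefs at `/sys/kernel/debug/tracing` when debugfs is mounted; that instance remains covered by the existing `deny /sys/kernel/debug/{,**} rwklx,` rule, so no second path rule is needed here.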
diff --git a/lxd/instance/drivers/driver_lxc.go 
b/lxd/instance/drivers/driver_lxc.go
index a633044140..1d08e49f82 100644
--- a/lxd/instance/drivers/driver_lxc.go
+++ b/lxd/instance/drivers/driver_lxc.go
@@ -815,8 +815,11 @@ func (c *lxc) initLXC(config bool) error {
                "/sys/firmware/efi/efivars",
                "/sys/fs/fuse/connections",
                "/sys/fs/pstore",
+               "/sys/kernel/config",
                "/sys/kernel/debug",
-               "/sys/kernel/security"}
+               "/sys/kernel/security",
+               "/sys/kernel/tracing",
+       }
 
        if c.IsPrivileged() && !c.state.OS.RunningInUserNS {
                err = lxcSetConfigItem(cc, "lxc.mount.entry", "mqueue 
dev/mqueue mqueue rw,relatime,create=dir,optional 0 0")
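Review bot: the new entries `"/sys/kernel/config"` and `"/sys/kernel/tracing"` match the AppArmor mount targets in apparmor.go exactly (minus the trailing slash), which the path-based deny rules there depend on; the two lists need to stay in sync whenever either changes. One thing to confirm outside this hunk is that the code consuming this slice tolerates a path missing on the host: `/sys/kernel/tracing` only exists on kernels with tracefs (4.1 and later). The list already carries entries that are absent on many machines, such as `/sys/firmware/efi/efivars` on non-UEFI hosts, so the consumer presumably skips missing paths already and the tracefs entry then needs no special casing. Moving the closing brace to its own line with a trailing comma after the last element is the gofmt-friendly form and turns future additions into one-line diffs.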
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel