[lxc-devel] [lxd/master] AppArmor tweaks for forkproxy

stgraber on Github Mon, 05 Oct 2020 13:32:12 -0700

The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7984


This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

From 0142c545185608c3f58218456fe31dd1ef981d5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Mon, 5 Oct 2020 16:30:26 -0400
Subject: [PATCH 1/2] lxd/apparmor/forkproxy: Fix bad profile name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/apparmor/instance_forkproxy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/apparmor/instance_forkproxy.go 
b/lxd/apparmor/instance_forkproxy.go
index 58c146af28..ef95ab3efc 100644
--- a/lxd/apparmor/instance_forkproxy.go
+++ b/lxd/apparmor/instance_forkproxy.go
@@ -135,7 +135,7 @@ func forkproxyProfile(state *state.State, inst instance, 
dev device) (string, er
 func ForkproxyProfileName(inst instance, dev device) string {
        path := shared.VarPath("")
        name := fmt.Sprintf("%s_%s_<%s>", dev.Name(), 
project.Instance(inst.Project(), inst.Name()), path)
-       return profileName("", name)
+       return profileName("forkproxy", name)
 }
 
 // forkproxyProfileFilename returns the name of the on-disk profile name.

From f14db6a7f16b7ab98fba00171cbe91773562aa9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Mon, 5 Oct 2020 16:30:52 -0400
Subject: [PATCH 2/2] lxd/apparmor/forkproxy: Allow writing to log path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/apparmor/instance_forkproxy.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lxd/apparmor/instance_forkproxy.go 
b/lxd/apparmor/instance_forkproxy.go
index ef95ab3efc..05fe662460 100644
--- a/lxd/apparmor/instance_forkproxy.go
+++ b/lxd/apparmor/instance_forkproxy.go
@@ -47,6 +47,7 @@ profile "{{ .name }}" 
flags=(attach_disconnected,mediate_deleted) {
   network unix stream,
 
   # Forkproxy operation
+  {{ .logPath }}/** rw,
   @{PROC}/** rw,
   / rw,
   ptrace (read),
@@ -121,6 +122,7 @@ func forkproxyProfile(state *state.State, inst instance, 
dev device) (string, er
                "rootPath":    rootPath,
                "snap":        shared.InSnap(),
                "exePath":     util.GetExecPath(),
+               "logPath":     inst.LogPath(),
                "libraryPath": strings.Split(os.Getenv("LD_LIBRARY_PATH"), ":"),
                "sockets":     sockets,
        })

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [lxd/master] AppArmor tweaks for forkproxy

Reply via email to