Thanks, Stéphane, for your answer. However, I am running on RedHat; is there a similar file on RedHat I can check?
On 7/5/2012 4:26 PM, Stéphane Graber wrote: > On 07/05/2012 06:41 AM, J. Xiao wrote: >> Hi, >> >> I am trying to add lxc.shmmax as a configuration option for lxc-execute, >> so the container would have desired shmmax setting. >> I run lxc-execute as a regular user and setuid root. When trying to open >> /proc/sys/kernel/shmmax for write in lxc_setup(), I got "permission >> denied". I checked that all the capabilities are up in PERMITTED and >> EFFECTIVE set. Does anyone know the reason for not being able to write >> to /proc/sys/kernel/shmmax? I can work around this problem by setting >> the euid to 0 before the open/write, but I would like to understand the >> permission issue. >> >> Thanks. >> >> Jian > > Hi Jian, > > I've updated the apparmor profile in Ubuntu 12.10 and an update is > pending to Ubuntu 12.04 LTS to implement the same change. > > This change whitelists /proc/sys/kernel/shm* in the apparmor profile as > these are tied to the IPC namespace and so are safe to set. > > In the mean time, you can manually apply the change to > /etc/apparmor.d/lxc/lxc-default > > diff -Nru lxc-0.7.5/debian/lxc-default.apparmor > lxc-0.7.5/debian/lxc-default.apparmor > --- lxc-0.7.5/debian/lxc-default.apparmor 2012-05-24 15:25:38.000000000 > +0000 > +++ lxc-0.7.5/debian/lxc-default.apparmor 2012-07-05 17:20:00.000000000 > +0000 > @@ -16,6 +16,9 @@ > # allow mqueue mounts everywhere > mount fstype=mqueue, > > + # allow fuse mounts everywhere > + mount fstype=fuse.*, > + > # the container may never be allowed to mount devpts. If it does, it > # will remount the host's devpts. We could allow it to do it with > # the newinstance option (but, right now, we don't). 
> @@ -32,7 +35,8 @@ > deny @{PROC}/sysrq-trigger rwklx, > deny @{PROC}/mem rwklx, > deny @{PROC}/kmem rwklx, > - deny @{PROC}/sys/kernel/** wklx, > + deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx, > + deny @{PROC}/sys/kernel/*/** wklx, > > # deny writes in /sys except for /sys/fs/cgroup, also allow > # fusectl, securityfs and debugfs to be mounted there (read-only) > > I'm expecting this fix to land within the next two weeks.

Lxc-devel mailing list: Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
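Review bot: the `mount fstype=fuse.*,` addition in the first hunk is unrelated to the shm* whitelisting this update is described as implementing, and nothing in the message says why allowing FUSE mounts inside the container is safe; split it into its own change with that justification, or at least mention it in the description. Also check the pattern itself: `fuse.*` requires a literal dot after `fuse`, so it covers subtypes such as `fuse.sshfs` but not a mount whose fstype is exactly `fuse`; if that is meant to be allowed too, `fstype=fuse{,.*}` covers both.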
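Review bot: `deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` in the second hunk does not mean "everything except shm*". Each bracket is an independent one-character test, so the rule only matches names whose first character is not `s` and whose second is not `h` and whose third is not `m`; any name failing one of those tests silently drops out of the deny. Compared with the `**` line it replaces, that stops denying writes to, for example, `@{PROC}/sys/kernel/sysrq`, `sem` and every `sched_*` entry (first character `s`), `threads-max` (second character `h`) and `domainname` (third character `m`), and it never matches names shorter than three characters. AppArmor has no negative glob, so spell the exclusion out prefix by prefix with alternation, e.g. `deny @{PROC}/sys/kernel/{[^s]*,s[^h]*,sh[^m]*} wklx,`, which denies exactly the names that do not start with `shm`; keep the added `*/**` line for subdirectories.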
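The deny-rule coverage question raised by the reply above (deny writes under @{PROC}/sys/kernel except the IPC-namespaced shm* entries), as an added example that is not part of the original thread or of LXC's own tooling: a small Python re-implementation of the AppArmor path-glob subset used in lxc-default (`*`, `**`, `?`, `[...]`, `[^...]`, `{a,b}`), applied to a constructed list of /proc/sys/kernel entries. It compares the original blanket `**` deny, the `[^s][^h][^m]*` rule from the patch, and an alternation-based rule that excludes only `shm*`. The matcher's treatment of `/` inside negated classes and the sample entry list are assumptions, not taken from AppArmor or read from a live system.

```python
import re

# Translate an AppArmor-style path glob (the AARE subset used in the
# lxc-default profile) into an anchored Python regex. Supported: '*'
# (any run of characters except '/'), '**' (any run, '/' included),
# '?' (one character), '[...]' and '[^...]' classes, and '{a,b}'
# alternation. This is an illustrative re-implementation, not
# AppArmor's own matcher; treating '/' as never matched by a negated
# class is an assumption that only matters for paths with subdirectories.
def aare_to_regex(pattern: str) -> re.Pattern:
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '*':
            if i + 1 < n and pattern[i + 1] == '*':
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '[':
            j = pattern.index(']', i + 1)
            body = pattern[i + 1:j]
            if body.startswith('^'):
                body = '^/' + body[1:]
            out.append('[' + body + ']')
            i = j + 1
            continue
        elif c == '{':
            out.append('(?:')
        elif c == ',':          # only meaningful inside '{...}' here
            out.append('|')
        elif c == '}':
            out.append(')')
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


PROC = '/proc'   # value of the @{PROC} variable in the profile


def denied_names(rule_paths, names):
    """Return the subset of `names` (files directly under /proc/sys/kernel)
    that at least one of the deny paths matches."""
    regexes = [aare_to_regex(p.replace('@{PROC}', PROC)) for p in rule_paths]
    return sorted(n for n in names
                  if any(r.match(f'{PROC}/sys/kernel/{n}') for r in regexes))


# Constructed sample of entries found under /proc/sys/kernel (assumption,
# not read from a live system). Picked to exercise each bracket test.
KERNEL_SYSCTLS = [
    'shmmax', 'shmall', 'shmmni',               # meant to become writable
    'sysrq', 'sem', 'sched_child_runs_first',   # start with 's', not shm*
    'threads-max',                              # second character is 'h'
    'domainname',                               # third character is 'm'
    'hostname', 'modprobe', 'core_pattern', 'panic', 'kptr_restrict',
]

OLD_RULE = ['@{PROC}/sys/kernel/**']
PATCH_RULE = ['@{PROC}/sys/kernel/[^s][^h][^m]*',
              '@{PROC}/sys/kernel/*/**']
# Alternation form that means "every name not starting with shm":
FIXED_RULE = ['@{PROC}/sys/kernel/{[^s]*,s[^h]*,sh[^m]*}',
              '@{PROC}/sys/kernel/*/**']


def leaks(rule_paths):
    """Names the old blanket rule denied that `rule_paths` no longer deny,
    excluding the shm* entries that are intended to be writable."""
    before = set(denied_names(OLD_RULE, KERNEL_SYSCTLS))
    after = set(denied_names(rule_paths, KERNEL_SYSCTLS))
    return sorted(n for n in before - after if not n.startswith('shm'))


if __name__ == '__main__':
    print('still denied by patch rule:', denied_names(PATCH_RULE, KERNEL_SYSCTLS))
    print('no longer denied by patch rule:', leaks(PATCH_RULE))
    print('no longer denied by fixed rule:', leaks(FIXED_RULE))
```

Run as a script, it lists which sysctls the patch rule keeps denying and which ones slip through; `leaks(PATCH_RULE)` names the non-shm entries that lose their deny, while `leaks(FIXED_RULE)` comes back empty and `shmmax` stays writable under both.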