(changed subject to match content)

On Tue, May 27, 2014 at 11:10 PM, Michael H. Warfield <m...@wittsend.com> wrote:
> On Tue, 2014-05-27 at 15:33 +0700, Fajar A. Nugraha wrote:
>> On further test, this seems enough
>
>> ###
>> # cat lxc-default-with-systemd
>> profile lxc-container-default-with-systemd
>> flags=(attach_disconnected,mediate_deleted) {
>>   #include <abstractions/lxc/container-base>
>>   deny mount fstype=devpts,
>>   mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
>> }
>> ###
>
> This sounds excellent. It sounds like this should be incorporated into
> the lxc package for any host distros supporting AppArmor and we could
> then add that default to all the systemd based containers such as
> Fedora, Suse, eventually Oracle, and eventually CentOS.
>
> I agree it does seem to make more sense to use a restrictive profile
> that covers the minimal set of requirements as opposed to unconfined.
>
> That should be submitted as a patch over on the lxc-devel list then, for
> Serge and Stéphane to review. I see where the file would need to be
> added in the config/apparmour/profiles directory but I'm not familiar
> enough with the packaging for Ubuntu to know what changes would be
> needed to add them there.
I'll let Serge comment on this one.

As a side note, I've tested opensuse 13.1 (using the squashfs root from rescue ISO) and it has two additional complaints with the previous apparmor profile:

May 27 17:12:50 trusty kernel: [66563.219898] type=1400 audit(1401185570.578:9249): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-systemd" name="/var/run/" pid=30648 comm="mount" srcname="/run/" flags="rw, bind"
May 27 17:21:20 trusty kernel: [67073.932892] type=1400 audit(1401186080.906:9846): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-opensuse" name="/proc/" pid=4158 comm="mount" flags="rw, remount"

The second one (/proc) is pretty harmless, so I ignored it. The first one (/var/run) produced lots of errors

[FAILED] Failed to mount Runtime Directory.
See 'systemctl status var-run.mount' for details.
[DEPEND] Dependency failed for System Logging Service.
         Mounting Runtime Directory...
...

and made syslog (and possibly other services) fail to start, so for opensuse I had to adjust the profile even further

###
profile lxc-container-opensuse flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  deny mount fstype=devpts,
  mount options=(none,name=systemd) fstype=cgroup -> /sys/fs/cgroup/systemd/,
  mount options=(rw,bind),
}
###

Bind mounts inside a container should be safe, right?

While there are still some problems with opensuse container (e.g. shutdown takes a long time on "systemctl stop network@eth0.service"), it is at least usable for testing purposes.

--
Fajar

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
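The two DENIED audit entries quoted in this message are the raw material for the profile change, so here is an added example (not code from the thread or from the LXC project) that parses such kernel audit lines and derives a candidate mount rule from each. The sample log is constructed from the two entries above; the `narrow` option keeps the source and mountpoint from the entry, which gives `mount options=(rw,bind) /run/ -> /var/run/,` instead of the broader `mount options=(rw,bind),` used in the profile above.

```python
import re

# Constructed sample input: the two DENIED entries quoted in the thread
# (the /var/run bind-mount denial and the /proc remount denial).
SAMPLE_LOG = """\
May 27 17:12:50 trusty kernel: [66563.219898] type=1400 audit(1401185570.578:9249): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-systemd" name="/var/run/" pid=30648 comm="mount" srcname="/run/" flags="rw, bind"
May 27 17:21:20 trusty kernel: [67073.932892] type=1400 audit(1401186080.906:9846): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-opensuse" name="/proc/" pid=4158 comm="mount" flags="rw, remount"
"""

# key="quoted value" or key=bare value (e.g. error=-13, pid=30648)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of one AppArmor DENIED audit line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    # findall yields '' for the alternative that did not match, so pick the other one
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def suggest_mount_rule(fields, narrow=True):
    """Build a candidate AppArmor mount rule for a denied mount operation.

    narrow=True keeps the source (srcname) and mountpoint (name) from the entry,
    so the rule permits only that bind/remount rather than every mount with
    those options; narrow=False yields the thread's `mount options=(rw,bind),`.
    """
    if fields.get('operation') != 'mount':
        return None
    opts = ','.join(o.strip() for o in fields['flags'].split(',') if o.strip())
    rule = f'mount options=({opts})'
    if 'fstype' in fields:
        rule += f' fstype={fields["fstype"]}'
    if narrow:
        if 'srcname' in fields:
            rule += f' {fields["srcname"]}'
        if 'name' in fields:
            rule += f' -> {fields["name"]}'
    return rule + ','


def rules_from_log(text, narrow=True):
    """One (profile, suggested rule) pair per denied mount found in the log text."""
    out = []
    for line in text.splitlines():
        fields = parse_denial(line)
        if fields and fields.get('operation') == 'mount':
            out.append((fields['profile'], suggest_mount_rule(fields, narrow)))
    return out
```

Running `rules_from_log(SAMPLE_LOG)` gives one rule per denied mount; review each against what the container actually needs before pasting it into a profile, since the `narrow=False` form grants the option set to any source and mountpoint.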