On 2014/9/12 22:22, Serge Hallyn wrote:
> Quoting Weng Meiling ([email protected]):
>> Hi guys,
>>
>> I want to use apparmor to do some limits on container, but I can't succeed.
>>
>> My environment:
>>
>> template: suse template
>>
>> lxc: 1.0.0.beta1 //built with apparmor enabled
>>
>> apparmor:
>> # rpm -qa | grep apparmor
>> apparmor-dbus-2.3-3.22
>> libapparmor1-2.5.1.r1445-55.57.47
>> yast2-apparmor-2.17.12-0.5.73
>> perl-apparmor-2.5.1.r1445-55.57.47
>> apparmor-utils-2.5.1.r1445-55.57.47
>> apparmor-profile-editor-0.9.1-268.35
>> libapparmor1-32bit-2.5.1.r1445-55.57.47
>> apparmor-profiles-2.5.1.r1445-52.55.1
>> apparmor-admin_en-10.3-8.24.1
>> apparmor-docs-2.5.1.r1445-55.57.47
>> apparmor-parser-2.5.1.r1445-55.57.47
>> apparmorapplet-gnome-0.9-81.16.57
>> libapparmor-devel-2.5.1.r1445-55.57.47
>>
>> kernel:
>> upstream 3.4 kernel and 3.16 kernel
>>
>> # cat config | grep APPARMOR
>> CONFIG_SECURITY_APPARMOR=y
>> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> CONFIG_SECURITY_APPARMOR_COMPAT_24=y
>> CONFIG_DEFAULT_SECURITY_APPARMOR=y
>>
>> # cat /sys/module/apparmor/parameters/enabled
>> Y
>
> What does /sys/kernel/security/apparmor/features/mount/mask show?
>
Thanks for the quick reply! The file content:

# cat /sys/kernel/security/apparmor/features/mount/mask
mount umount

> That depends on some new apparmor features still making their
> way upstream.
>
> The current behavior when these are missing is not right, but hasn't
> yet been fixed. We should either fail the container startup, clearly
> warning the user that the full apparmor profile wouldn't have been
> enabled, or we should warn the user (which will likely get lost) and
> go ahead and load the apparmor profile.
>
> Well, or better, we could scan the apparmor profile for features which
> would require the mount feature. I'm not quite sure whether that's
> possible though.
>
> -serge
>

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
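The check Serge sketches above (read the mount feature mask the kernel advertises, then scan the profile for rules that would need it) can be prototyped in a few lines of shell. The script below is an added example written for this thread; it is not code from lxc or from either author. It assumes the sysfs mask file uses the space-separated word list shown in the thread ("mount umount"), that mount-related rules in the profile start with mount, umount, remount or pivot_root (optionally prefixed with deny), and it constructs its own sample mask files and profile fragments so it runs offline without touching the real kernel or a real container profile.

```shell
#!/bin/sh
# Added example (not lxc project code): decide whether an AppArmor profile that
# carries mount rules can be loaded on this kernel, or whether startup should
# fail/warn because the kernel cannot mediate those rules.

# Read the kernel's AppArmor mount feature mask; empty when the file is absent.
read_mount_mask() {
    mask_file="$1"
    [ -r "$mask_file" ] && cat "$mask_file" || true
}

# Exit 0 when the profile contains rules that require the mount feature.
# Assumption: such rules begin with mount/umount/remount/pivot_root, optionally
# preceded by "deny".
profile_needs_mount() {
    grep -Eq '^[[:space:]]*(deny[[:space:]]+)?(mount|umount|remount|pivot_root)([[:space:]]|,)' "$1"
}

# Print one of: no-mount-rules | ok | missing-mount-feature
check_profile() {
    profile="$1"
    mask_file="$2"
    if ! profile_needs_mount "$profile"; then
        echo no-mount-rules
        return 0
    fi
    # Surround the mask with spaces so "mount" is matched as a whole word.
    case " $(read_mount_mask "$mask_file") " in
        *" mount "*) echo ok ;;
        *)           echo missing-mount-feature ;;
    esac
}

# Constructed sample inputs (not real system files); prints the directory.
setup_samples() {
    dir=$(mktemp -d)
    printf 'mount umount\n' > "$dir/mask_present"   # value reported in the thread
    : > "$dir/mask_absent"                          # kernel without the mount feature
    cat > "$dir/profile_with_mount" <<'EOF'
profile example-with-mount flags=(attach_disconnected,mediate_deleted) {
  deny mount fstype=debugfs,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  /bin/** ixr,
}
EOF
    cat > "$dir/profile_no_mount" <<'EOF'
profile example-no-mount {
  /bin/** ixr,
  network inet,
}
EOF
    echo "$dir"
}

# Stand-alone run over every sample combination.
d=$(setup_samples)
for p in profile_with_mount profile_no_mount; do
    for m in mask_present mask_absent; do
        printf '%-19s %-12s -> %s\n' "$p" "$m" "$(check_profile "$d/$p" "$d/$m")"
    done
done
```

On a live system the two arguments would be the container's profile file and /sys/kernel/security/apparmor/features/mount/mask; a result of missing-mount-feature is the case the thread describes, where the safe behaviour is to refuse startup (or at least warn loudly) rather than silently load a profile whose mount rules the kernel ignores.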
