Hello,

On Mon, 2023-04-10 at 17:11 +0200, Romain Francoise wrote:
> Hi,
> 
> On Fri, Mar 3, 2023 at 9:45 AM Gianfranco Costamagna
> <locutusofb...@debian.org> wrote:
> > +  # allow printing to stdout/stderr when inside a container
> > +  # (LP: #1667016)
> > +  /dev/pts/* rw,
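Review bot: the rule `/dev/pts/* rw,` grants read and write on every pseudo-terminal device the profile can see, not only the one tcpdump inherited as its stdout/stderr, so it is broader than the comment "allow printing to stdout/stderr when inside a container" describes. A reader of the profile would take the comment at face value and miss that the glob also covers other users' terminal sessions; either narrow the rule to what the container use case actually needs or reword the comment to state plainly that it opens all of /dev/pts/*, and reference the LP bug number in the commit message as well as in the comment.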
> 
> Thank you for reporting this issue, and the patch. While the change is
> indeed trivial, giving unfettered rw access to /dev/pts/* is a high
> price to pay in terms of weakening the sandbox for an uncommon use
> case. With access to /dev/pts, an attacker can access SSH sessions and
> other terminals.
> 
> Is there any way this could be fixed on the LXD side, or made more
> restrictive?
> 

Unfortunately there's no way to make it more restrictive. Ideally we
needed to at least restrict this rule to only be allowed when tcpdump
is running inside a container, but this is not available on AppArmor
yet.

Georgia
