Public bug reported:

The current lxc package uses a single profile for all containers.
Because of the way this is implemented, administrators cannot customize
a policy for a special container (without copying /usr/bin/lxc-start to
a new container-specific /usr/bin/lxc-start-mycontainer, which could
then have its own policy).

Additionally, the default policy cannot at the same time clamp down on
cgroup access by the container (to prevent it escaping its device list
access, for instance) and allow nested lxc/libvirt (which requires
cgroup modification of the container's child cgroups).

I believe this will not be sufficient for administrators.  Therefore I
think we should:

1. update lxc-create to have a '--apparmor <file>' argument to specify a custom 
profile.
2. have lxc-create use a default policy (in /etc/lxc/lxc.apparmor) by default
3. edit lxc-start and lxc-execute to manually enter the container's policy as
specified by the lxc.apparmor line in the configuration file, or a stock one if
unspecified.
4. edit lxc-clone and lxc-start-ephemeral to do the right thing.

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/953453

Title:
  [FFE] use per-container apparmor profiles

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/953453/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
