No, sadly one testcase - lxc-test-unpriv - still fails:

Oct 28 15:33:49 lxct1 kernel: [ 2659.417204] type=1400 audit(1446046429.177:52): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/home/lxcunpriv/.local/share/lxc/c1/rootfs/dev/console" pid=23805 comm="lxc-start" srcname="/dev/console" flags="rw, bind"

(Note that running unprivileged containers by hand does work)

--
https://bugs.launchpad.net/bugs/1509752

Title:
  Bug in ensure_not_symlink() from 0003-CVE-2015-1335.patch

Status in lxc package in Ubuntu:
  Fix Released
Status in lxc source package in Trusty:
  New

Bug description:
  This bug/limitation is present in lxc from 1.0.7-0ubuntu0.5 through
  1.0.7-0ubuntu0.9 (or anything that incorporates
  0003-CVE-2015-1335.patch).

  Basically, the limitation is obvious when using recursive bind mounts
  because ensure_not_symlink() only checks the last line of
  /proc/self/mountinfo which will be a submount so will always fail the
  test and trigger:

  ensure_not_symlink: 1413 Mount onto /usr/lib/x86_64-linux-gnu/lxc/storage resulted in /usr/lib/x86_64-linux-gnu/lxc/storage/submount, not /usr/lib/x86_64-linux-gnu/lxc/storage

  Sorry if this is a duplicate, I did spend quite some time trying to
  find a similar report.

  Thanks!

Mailing list: https://launchpad.net/~touch-packages
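
The failure mode in the bug description, as an added example that is not LXC's code and not part of the original report: a check that reads only the last /proc/self/mountinfo entry, beside one that scans every entry for the intended mount point. The function names, the source path /srv/storage and the device fields in the sample are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mountinfo excerpt after a recursive bind mount: the entry for
 * the target is followed by an entry for its submount (values are made up). */
static const char SAMPLE[] =
    "70 60 8:1 /srv/storage /usr/lib/x86_64-linux-gnu/lxc/storage rw - ext4 /dev/sda1 rw\n"
    "71 70 8:2 / /usr/lib/x86_64-linux-gnu/lxc/storage/submount rw - ext4 /dev/sda2 rw\n";

/* Walk every line, compare field 5 (the mount point) with `target` exactly.
 * *last: does the final entry match?  *any: does some entry match?
 * Note: the kernel escapes spaces in mount points as \040, so %s is enough. */
static void scan(const char *info, const char *target, int *last, int *any)
{
    char line[512], mp[256];
    *last = *any = 0;
    while (*info) {
        size_t n = strcspn(info, "\n");
        if (n > 0 && n < sizeof line) {
            memcpy(line, info, n);          /* isolate one line so sscanf */
            line[n] = '\0';                 /* cannot run into the next   */
            if (sscanf(line, "%*s %*s %*s %*s %255s", mp) == 1) {
                *last = strcmp(mp, target) == 0;
                *any |= *last;
            }
        }
        info += n + (info[n] == '\n');
    }
}

/* The approach the report describes: only the last entry is considered. */
int last_line_matches(const char *info, const char *target)
{
    int last, any;
    scan(info, target, &last, &any);
    return last;
}

/* Scan all entries. Limitation: a match only shows that such an entry
 * exists; an entry that predates the mount call would match as well. */
int any_line_matches(const char *info, const char *target)
{
    int last, any;
    scan(info, target, &last, &any);
    return any;
}

int main(void)
{
    const char *t = "/usr/lib/x86_64-linux-gnu/lxc/storage";
    printf("last=%d any=%d\n", last_line_matches(SAMPLE, t), any_line_matches(SAMPLE, t));
    return 0;
}
```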

