Right, libvirt-lxc isn't LXC (even though they sort of stole the name) and is indeed completely unsafe...
As for the rest, I'm happy to report that you misread the apparmor profile and that we thought of and blocked all of those from the beginning, as is shown below:

    root@lxc-dev:/# echo abc > /sys/kernel/uevent_helper
    bash: /sys/kernel/uevent_helper: Permission denied
    root@lxc-dev:/# echo abc > /sys/class/mem/null/uevent
    bash: /sys/class/mem/null/uevent: Permission denied
    root@lxc-dev:/# mount -t sysfs syfs /mnt
    mount: block device syfs is write-protected, mounting read-only
    mount: cannot mount block device syfs read-only
    root@lxc-dev:/# mount --bind /sys /mnt
    mount: block device /sys is write-protected, mounting read-only
    mount: cannot mount block device /sys read-only

--
Bug: https://bugs.launchpad.net/bugs/1244635
Title: setuid executables in a container may compromise security on the host
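The session above checks by hand that the container's AppArmor profile denies writes to host-affecting sysfs entries. The script below is an added example (not code from the bug thread or from the lxc project) that turns the same check into a repeatable audit; the default path list is an assumption taken from the two paths the message exercises, and the sysfs mount checks from the message are not reproduced.

```shell
#!/bin/sh
# Added example, not from the bug thread: verify from inside a container that
# its confinement (e.g. the lxc AppArmor profile) refuses writes to
# host-affecting sysfs entries such as /sys/kernel/uevent_helper.
# Default path list is an assumption taken from the paths the message tests.

# probe_write PATH: opens PATH for append and closes it without writing
# anything, so a target that turns out to be writable is left unchanged.
# Returns 0 = write denied, 1 = write allowed, 2 = path absent.
probe_write() {
    p=$1
    if [ ! -e "$p" ]; then
        echo "absent  $p"
        return 2
    fi
    if : >> "$p" 2>/dev/null; then
        echo "ALLOWED $p"
        return 1
    fi
    echo "denied  $p"
    return 0
}

# audit_sysfs_writes [PATH...]: probes each path (default: the two the
# message exercises) and returns the number that accepted a write, so a
# non-zero exit status flags a container whose confinement is incomplete.
audit_sysfs_writes() {
    [ $# -gt 0 ] || set -- /sys/kernel/uevent_helper /sys/class/mem/null/uevent
    allowed=0
    for p in "$@"; do
        rc=0
        probe_write "$p" || rc=$?
        [ "$rc" -ne 1 ] || allowed=$((allowed + 1))
    done
    echo "$allowed path(s) writable"
    return "$allowed"
}

# Run the default audit only when invoked directly with "run", so that
# sourcing this file for its functions has no side effects.
[ "${1:-}" = run ] && shift && audit_sysfs_writes "$@"
```

Invoke it inside the container as `sh audit.sh run` (hypothetical file name); extra paths can be appended after `run`.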
