There's currently no way in the AppArmor policy language to allow the
getattr operation on the passed-in /dev/pts/12 file. The typical
workaround of adding the attach_disconnected flag to the profile does
not work here because *every* AppArmor profile inside of the container
would need that flag.

John Johansen has an AppArmor feature thought out that would allow the
policy language to allow this fd passing between namespaces, but it is a
sizeable feature and is not on the immediate roadmap.

I haven't had a chance to think it through very much but I'm curious if
the LXD developers have any ideas on how this can be solved in LXD.
Maybe it is possible to call openpty() from inside the container's
namespace? I'm not sure if that would work or if it is safe to do but
maybe it is worth investigating.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1641236

Title:
  Confined processes inside container cannot fully access host pty
  device passed in by lxc exec

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1641236/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

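As an added diagnostic example (not part of this bug report, LXD or AppArmor), the script below scans AppArmor audit output for the signature of this problem: a getattr denial on a pty that AppArmor reports as a disconnected path (the name is logged without its leading slash and carries the "disconnected path" info string). The audit lines are constructed for illustration; the profile names, PIDs and timestamps are made up and only the field layout follows the usual AppArmor audit format.

```python
import re

# Constructed sample lines in the shape of AppArmor audit messages.
# Profile names, PIDs and timestamps are invented for this example.
SAMPLE_LOG = """\
audit: type=1400 audit(1479000000.001:101): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/constructed-app-a" name="dev/pts/12" pid=4321 comm="bash" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1479000000.002:102): apparmor="ALLOWED" operation="open" profile="/usr/bin/constructed-app-a" name="/etc/hosts" pid=4321 comm="bash" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1479000000.003:103): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/constructed-app-b" name="dev/pts/12" pid=4322 comm="sh" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1479000000.004:104): apparmor="DENIED" operation="open" profile="/usr/bin/constructed-app-b" name="/etc/shadow" pid=4322 comm="sh" requested_mask="r" denied_mask="r"
"""

# Matches key="quoted value" or key=bareword pairs in an audit line.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key/value fields of one audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted = m.group(1), m.group(3)
        fields[key] = quoted if quoted is not None else m.group(2)
    return fields


def find_disconnected_pty_denials(log_text):
    """Return getattr denials on a pty that AppArmor could not connect to a path.

    Each hit is a dict with the confined profile, pid, comm and logged name,
    which is what an admin needs to see which profiles would require
    attach_disconnected (the workaround the report says does not scale).
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "getattr":
            continue
        name = f.get("name", "")
        # A disconnected path is logged without its leading slash and usually
        # with an explanatory info string; accept either indicator.
        disconnected = (not name.startswith("/")) or ("disconnected" in f.get("info", ""))
        if disconnected and "pts/" in name:
            hits.append({
                "profile": f.get("profile"),
                "pid": f.get("pid"),
                "comm": f.get("comm"),
                "name": name,
            })
    return hits


def affected_profiles(log_text):
    """Sorted list of distinct profiles hitting the disconnected-pty denial."""
    return sorted({h["profile"] for h in find_disconnected_pty_denials(log_text)})


if __name__ == "__main__":
    for hit in find_disconnected_pty_denials(SAMPLE_LOG):
        print(f'{hit["profile"]} (pid {hit["pid"]}, {hit["comm"]}) denied getattr on {hit["name"]}')
    print("profiles affected:", affected_profiles(SAMPLE_LOG))
```

On a real host the input would be the kernel audit output (e.g. the AppArmor lines from dmesg or the audit log) rather than the embedded sample; the open denial on /etc/shadow in the sample is deliberately not reported, since only the getattr-on-disconnected-pty pattern is the one this bug describes.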