[Bug 942934] [NEW] update apparmor profile to restrict mounts
Serge Hallyn
942934 at bugs.launchpad.net
Tue Feb 28 22:43:28 UTC 2012
Public bug reported:
The default lxc-start policy should place the following restrictions on
mounts (among others):
1. procfs may only be mounted under /proc
2. devpts may not be mounted
3. sys may only be mounted at /sys
4. cgroups either
a. not mountable or
b. mounted under /sys/fs/cgroup, with write restrictions outside of
/sys/fs/cgroup/*/<container-init-cgroup>/. I don't know if that
is doable without making per-container policies.
5. securityfs not mountable
6. debugfs not mountable (for now)
7. binfmt_misc not mountable
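As an added illustration, not text or code from the bug report or from the lxc package, the seven restrictions above written as AppArmor mount rules; the profile name is a placeholder, and the fragment assumes a kernel and parser that support AppArmor mount mediation:

```apparmor
# Added example: the mount restrictions from this bug as AppArmor rules.
# "lxc-container-example" is a placeholder profile name; a real lxc-start
# profile also needs file, capability and network rules (omitted here).
profile lxc-container-example {
  # 1. procfs only at /proc (use "/proc/**" to also allow mounts beneath it)
  mount fstype=proc -> /proc/,

  # 2. devpts never; an explicit deny also wins over any broader allow rule
  deny mount fstype=devpts,

  # 3. sysfs only at /sys
  mount fstype=sysfs -> /sys/,

  # 4b. cgroups only under /sys/fs/cgroup. The write restriction outside
  # /sys/fs/cgroup/*/<container-init-cgroup>/ cannot be expressed in a shared
  # profile, since the cgroup name differs per container. Option 4a instead:
  #   deny mount fstype=cgroup,
  mount fstype=cgroup -> /sys/fs/cgroup/**,

  # 5, 6, 7. securityfs, debugfs and binfmt_misc never
  deny mount fstype=securityfs,
  deny mount fstype=debugfs,
  deny mount fstype=binfmt_misc,

  # Any filesystem type or mount point not matched by an allow rule above is
  # refused: AppArmor mount mediation is allow-list based.
}
```

After loading the profile with `apparmor_parser -r`, refused attempts show up in the kernel log as `apparmor="DENIED" operation="mount"` lines, which is the signal to watch for when verifying the policy against a running container.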
** Affects: lxc (Ubuntu)
Importance: High
Assignee: Serge Hallyn (serge-hallyn)
Status: Confirmed
** Changed in: lxc (Ubuntu)
Status: New => Confirmed
** Changed in: lxc (Ubuntu)
Importance: Undecided => High
** Changed in: lxc (Ubuntu)
Assignee: (unassigned) => Serge Hallyn (serge-hallyn)
https://bugs.launchpad.net/bugs/942934