[Bug 953453] [NEW] [FFE] use per-container apparmor profiles

Serge Hallyn 953453 at bugs.launchpad.net
Mon Mar 12 21:47:58 UTC 2012


Public bug reported:

The current lxc package uses a single profile for all containers.
Because of the way this is implemented, administrators cannot customize
a policy for a special container (without copying /usr/bin/lxc-start to
a new container-specific /usr/bin/lxc-start-mycontainer, which could
then have its own policy).

Additionally, the default policy cannot at the same time clamp down on
cgroup access by the container (to prevent it escaping its device list
access, for instance) and allow nested lxc/libvirt (which requires
cgroup modification of the container's child cgroups).

I believe this will not be sufficient for administrators.  Therefore I
think we should:

1. update lxc-create to have a '--apparmor <file>' argument to specify a custom profile.
2. have lxc-create use a default policy (in /etc/lxc/lxc.apparmor) by default
3. edit lxc-start and lxc-execute to manually enter the container's policy as specified by lxc.apparmor line in the configuration file, or a stock one if unspecified.
4. edit lxc-clone and lxc-start-ephemeral to do the right thing.

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/953453

Title:
  [FFE] use per-container apparmor profiles

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/953453/+subscriptions
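As an added illustration (not part of the bug report above and not the lxc package's own profiles), the two policy variants the report says a single profile cannot express at once, written as separate AppArmor profiles. The profile names, the rule set and the `lxc.apparmor = /etc/lxc/lxc.apparmor` selection line are assumptions based on the proposal, not shipped configuration.

```apparmor
# Added example: two per-container policies (hypothetical names and rules).
# Both assume the container config selects a profile with a line such as
#   lxc.apparmor = /etc/lxc/lxc.apparmor
# as the report proposes; that key is an assumption, not an existing option.

# 1. Clamped default: the container may read under /sys/fs/cgroup but may
#    not write, lock, link or execute there, and may not mount cgroupfs, so
#    it cannot edit its own devices cgroup to escape its device list.
profile lxc-container-clamped flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  /sys/fs/cgroup/** r,
  deny /sys/fs/cgroup/** wklx,
  deny mount fstype=cgroup,
}

# 2. Nesting-capable variant for a container that runs lxc or libvirt
#    inside: it needs to mount cgroupfs and create and modify child cgroups,
#    which the clamped profile above forbids.
profile lxc-container-nesting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  /sys/fs/cgroup/** rw,
}
```

Both profiles are loaded with `apparmor_parser -r` before the container starts; which one a given container enters is exactly the per-container choice the report asks lxc-start to make from the container's own configuration.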
