proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-15 04:09:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add lxc-default-cgns profile

Browse Source 
This isn't safe for privileged containers which do not use cgroup
namespaces, but is required for systemd containers with cgroup
namespaces.  So create a new profile for it which lxc will use as
the default when it knows it can.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This commit is contained in:
Serge Hallyn 2016-02-21 15:38:11 -08:00
parent 82d97f8765
commit dc76ac7ab5
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config/apparmor/Makefile.am
View File

@ -7,6 +7,7 @@ EXTRA_DIST = \
lxc-containers \ lxc-containers \
lxc-generate-aa-rules.py \ lxc-generate-aa-rules.py \
profiles/lxc-default \ profiles/lxc-default \
profiles/lxc-default-cgns \
profiles/lxc-default-with-mounting \ profiles/lxc-default-with-mounting \
profiles/lxc-default-with-nesting \ profiles/lxc-default-with-nesting \
usr.bin.lxc-start usr.bin.lxc-start
@ -20,6 +21,7 @@ install-apparmor:
$(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ $(INSTALL_DATA) abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
$(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ $(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
$(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ $(INSTALL_DATA) profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
$(INSTALL_DATA) profiles/lxc-default-cgns $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
$(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ $(INSTALL_DATA) profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
$(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ $(INSTALL_DATA) profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
$(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/ $(INSTALL_DATA) lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/
@ -30,6 +32,7 @@ uninstall-apparmor:
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-cgns
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container
rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base

12
config/apparmor/profiles/lxc-default-cgns Normal file
View File

@ -0,0 +1,12 @@
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>
# the container may never be allowed to mount devpts. If it does, it
# will remount the host's devpts. We could allow it to do it with
# the newinstance option (but, right now, we don't).
deny mount fstype=devpts,
mount fstype=cgroup -> /sys/fs/cgroup/**,
}