From f02ce27d4b1a9d01b88d0ffaf626e5bafa671bf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Wed, 29 Aug 2012 09:27:53 -0700
Subject: [PATCH] Add lxc.aa_profile example to all templates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

LXC has optional apparmor support, default profile is lxc-container-default. This change adds a commented "lxc.aa_profile = default" line to all templates, uncommenting this will bypass apparmor for the container.

Signed-off-by: Stéphane Graber
---
 templates/lxc-altlinux.in | 4 ++++
 templates/lxc-archlinux.in | 4 ++++
 templates/lxc-busybox.in | 3 +++
 templates/lxc-debian.in | 4 ++++
 templates/lxc-fedora.in | 4 ++++
 templates/lxc-lenny.in | 4 ++++
 templates/lxc-opensuse.in | 3 +++
 templates/lxc-sshd.in | 4 ++++
 templates/lxc-ubuntu-cloud.in | 3 +++
 templates/lxc-ubuntu.in | 3 +++
 10 files changed, 36 insertions(+)

diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
index 35407d0db..2d2274a33 100644
--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -245,6 +245,10 @@ lxc.tty = 4
 lxc.pts = 1024
 lxc.rootfs = $rootfs_path
 lxc.mount = $config_path/fstab
+
+# When using LXC with apparmor, uncomment the next line to run unconfined:
+#lxc.aa_profile = unconfined
+
 #networking
 lxc.network.type = $lxc_network_type
 lxc.network.flags = up
diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index 095880a49..18ec0642d 100644
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -224,6 +224,10 @@ lxc.tty=4
 lxc.pts=1024
 lxc.rootfs=${rootfs_path}
 lxc.mount=${config_path}/fstab
+
+# When using LXC with apparmor, uncomment the next line to run unconfined:
+#lxc.aa_profile = unconfined
+
 #networking
 lxc.network.type=${lxc_network_type}
 lxc.network.flags=up
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index ef356dbfd..2cdc3d170 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
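Review bot: The commit message says a commented `lxc.aa_profile = default` line is added, but every hunk adds `#lxc.aa_profile = unconfined`, and the new comment never says what is given up when it is uncommented; the same block is repeated in lxc-altlinux.in, lxc-archlinux.in, lxc-busybox.in, lxc-debian.in, lxc-fedora.in, lxc-lenny.in, lxc-opensuse.in, lxc-sshd.in, lxc-ubuntu-cloud.in and lxc-ubuntu.in, so one wording fix applies to all ten. The message itself states that the default profile is lxc-container-default, and the generated config is the right place to record that and to mark the unconfined setting as a debugging escape hatch rather than a recommended option, e.g. `# AppArmor: the container is confined by the lxc-container-default profile unless overridden.`, `# Uncomment only to debug profile problems; "unconfined" removes all AppArmor restrictions from the container:`, `#lxc.aa_profile = unconfined`. Either the commit message should say `unconfined` or the hunks should match the message, since the two currently disagree.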
@@ -233,6 +233,9 @@ lxc.utsname = $name
 lxc.tty = 1
 lxc.pts = 1
 lxc.rootfs = $rootfs
+
+# When using LXC with apparmor, uncomment the next line to run unconfined:
+#lxc.aa_profile = unconfined
 EOF
 if [ -d "$rootfs/lib" ]; then
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 9f200f1c8..aebd78d22 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -205,6 +205,10 @@ lxc.tty = 4
 lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.utsname = $hostname
+
+# When using LXC with apparmor, uncomment the next line to run unconfined:
+#lxc.aa_profile = unconfined
+
 lxc.cgroup.devices.deny = a
 # /dev/null and zero
 lxc.cgroup.devices.allow = c 1:3 rwm
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index a8fb8ea5a..447c71627 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -237,6 +237,10 @@ lxc.tty = 4
 lxc.pts = 1024
 lxc.rootfs = $rootfs_path
 lxc.mount = $config_path/fstab
+
+# When using LXC with apparmor, uncomment the next line to run unconfined:
+#lxc.aa_profile = unconfined
+
 #networking
 lxc.network.type = $lxc_network_type
 lxc.network.flags = up
diff --git a/templates/lxc-lenny.in b/templates/lxc-lenny.in
index 70a19f344..cdc67bab8 100644
--- a/templates/lxc-lenny.in
+++ b/templates/lxc-lenny.in
@@ -183,6 +183,10 @@ lxc.tty = 4
 lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.cgroup.devices.deny = a
+
+# When using LXC with apparmor, uncomment the next line to run unconfined:
+#lxc.aa_profile = unconfined
+
 # /dev/null and zero
 lxc.cgroup.devices.allow = c 1:3 rwm
 lxc.cgroup.devices.allow = c 1:5 rwm
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index 6d81cf5d9..d728af312 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
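Review bot: In the lxc-lenny.in hunk the new block is inserted after `lxc.cgroup.devices.deny = a`, splitting the device-cgroup deny/allow list in two, whereas the lxc-debian.in hunk puts the same block before the deny line; moving it above `lxc.cgroup.devices.deny = a` keeps the device policy contiguous and the two Debian templates consistent. In the lxc-busybox.in hunk the block ends directly before `EOF`, so that template's generated config ends with the commented option and no separating blank line, unlike the other templates; this is cosmetic but worth aligning while the block is being added everywhere. The heredoc the busybox lines are written into starts outside the hunk.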
@@ -262,6 +262,9 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount = $path/fstab
+# When using LXC with apparmor, uncomment the next line to run unconfined:
+#lxc.aa_profile = unconfined
+
 lxc.cgroup.devices.deny = a
 # /dev/null and zero
 lxc.cgroup.devices.allow = c 1:3 rwm
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index 89d9b61b0..e72988c90 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -101,6 +101,10 @@ cat <> $path/config
 lxc.utsname = $name
 lxc.pts = 1024
 lxc.rootfs = $rootfs
+
+# When using LXC with apparmor, uncomment the next line to run unconfined:
+#lxc.aa_profile = unconfined
+
 lxc.mount.entry=/dev dev none ro,bind 0 0
 lxc.mount.entry=/lib lib none ro,bind 0 0
 lxc.mount.entry=/bin bin none ro,bind 0 0
diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
index 8f73955c6..1d3ed8392 100644
--- a/templates/lxc-ubuntu-cloud.in
+++ b/templates/lxc-ubuntu-cloud.in
@@ -57,6 +57,9 @@ lxc.arch = $arch
 lxc.cap.drop = sys_module mac_admin
 lxc.pivotdir = lxc_putold
+# When using LXC with apparmor, uncomment the next line to run unconfined:
+#lxc.aa_profile = unconfined
+
 lxc.cgroup.devices.deny = a
 # Allow any mknod (but not using the node)
 lxc.cgroup.devices.allow = c *:* m
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 35b2dc169..426d722cf 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -315,6 +315,9 @@ lxc.arch = $arch
 lxc.cap.drop = sys_module mac_admin mac_override
 lxc.pivotdir = lxc_putold
+# When using LXC with apparmor, uncomment the next line to run unconfined:
+#lxc.aa_profile = unconfined
+
 lxc.cgroup.devices.deny = a
 # Allow any mknod (but not using the node)
 lxc.cgroup.devices.allow = c *:* m
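Review bot: The new AppArmor comment in lxc-ubuntu-cloud.in lands directly under `lxc.cap.drop = sys_module mac_admin`, which, unlike the `lxc.cap.drop = sys_module mac_admin mac_override` context line in the lxc-ubuntu.in hunk, leaves CAP_MAC_OVERRIDE in the cloud container; since this commit documents AppArmor as the container's confinement mechanism, that difference between the two Ubuntu templates should be confirmed rather than left as an unexplained inconsistency. If it is intentional, a one-line comment on the cap.drop line saying why the cloud template keeps mac_override would make the generated config self-explanatory; if not, the cloud template should drop it as lxc-ubuntu.in does. The `cat <> $path/config` text in the lxc-sshd.in hunk header looks like a rendering of a heredoc redirection that lost its `<<` marker, presumably a display artefact rather than something this commit changed; the heredoc itself starts outside the hunk.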