Commit Graph

8 Commits

Author SHA1 Message Date
Jamie Strandboge
807f4c9e1e apparmor: restrict signal and ptrace for processes
Restrict signal and ptrace for processes running under the container
profile. Rules based on AppArmor base abstraction. Add unix rules for
processes running under the container profile.

Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-09-29 12:40:52 -04:00
Jesse Tane
f2f545857c Apparmor: allow hugetlbfs mounts everywhere
Signed-off-by: Jesse Tane <jesse.tane@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-06-30 17:06:52 -04:00
Serge Hallyn
773bd28258 apparmor: allow writes to sem* and msg* sysctls
/proc/sys/kernel/sem* and /proc/sys/kernel/msg* are ipc sysctls
which are properly namespaced.  Allow writes to them from
containers.

Reported-by: Dan Kegel <dank@kegel.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-04-29 16:45:16 -05:00
Stéphane Graber
2a31251cc5 apparmor: Update profiles for current upstream parser
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-04-04 17:45:35 -04:00
Serge Hallyn
94a77f3fd8 apparmor: deny writes to most of /proc/sys (v2)
Allow writes to kernel.shm*, net.*, kernel/domainname and kernel/hostname.

Also fix a bug in the lxc-generate-aa-rules.py script in a
path which wasn't being exercised before, which returned a
path element rather than its child.

Changelog (v2): remove trailing / from block path

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-04-02 09:54:54 -05:00
Serge Hallyn
198b363fff apparmor: auto-generate the blacklist rules
This uses the generate-apparmor-rules.py script I sent out some time
ago to auto-generate apparmor rules based on a higher level set of
block/allow rules.

Add apparmor policy testcase to make sure that some of the paths we
expect to be denied (and allowed) write access to are in fact in
effect in the final policy.

With this policy, libvirt in a container is able to start its
default network, which previously it could not.

v2: address feedback from stgraber
	  put lxc-generate-aa-rules.py into EXTRA_DIST
	  add lxc-test-apparmor, container-base and container-rules to .gitignore
	  take lxc-test-apparmor out of EXTRA_DIST
	  make lxc-generate-aa-rules.py pep8-compliant
	  don't automatically generate apparmor rules
	  This is only because we can't be guaranteed that python3 will be
	  available.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-04-01 13:49:43 -04:00
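The block-list generation described in commits 198b363fff and 94a77f3fd8 above, and the sem*/msg* allowance in 773bd28258, rest on one AppArmor property: an explicit deny rule beats any allow rule, so "deny /proc/sys/** w," next to "/proc/sys/net/** w," would still deny net.*. The only way to deny writes under /proc/sys while leaving kernel.shm*, net.* and friends writable is to never mention an allowed subtree in a deny line and instead enumerate its siblings with negated character classes, one character position at a time. The script below is an added, illustrative re-implementation of that idea written for this page; it is not lxc-generate-aa-rules.py or any other LXC code. The allow-list is constructed from the sysctls named in the commit messages, the deny-line format, the permission string and the glob matcher used to check the result are this example's assumptions, and only a trailing `*` (name prefix) and a whole-component `**` (entire subtree) are supported as globs.

```python
"""Generate AppArmor deny lines that block writes under one path tree except
for an allow-list of sub-paths.  Editor's illustrative example, not LXC code.

AppArmor resolves an explicit deny before any allow, so the generator never
names an allowed subtree in a deny line: at every path component it denies
all sibling names with a negated character class, one character at a time.
"""
import re

# Constructed allow-list, taken from the sysctls named in the commit messages:
# kernel.shm*, kernel.sem*, kernel.msg*, kernel.domainname, kernel.hostname, net.*
BLOCK = "/proc/sys"
ALLOW = [
    "/proc/sys/kernel/shm*",
    "/proc/sys/kernel/sem*",
    "/proc/sys/kernel/msg*",
    "/proc/sys/kernel/domainname",
    "/proc/sys/kernel/hostname",
    "/proc/sys/net/**",
]

# Supported components: '**' (whole subtree) or a name with optional trailing '*'.
# Restricting names to [A-Za-z0-9_] keeps the emitted character classes free of
# '-', ']' and other glob metacharacters (assumption of this example).
_COMPONENT = re.compile(r"^(\*\*|[A-Za-z0-9_]+\*?)$")


def build_tree(block, allow):
    """Turn the allow-list into a nested dict keyed by path component."""
    tree = {}
    for path in allow:
        if not path.startswith(block + "/"):
            raise ValueError(f"{path!r} is not below {block!r}")
        node = tree
        for comp in path[len(block) + 1:].split("/"):
            if not _COMPONENT.match(comp):
                raise ValueError(f"unsupported path component {comp!r}")
            node = node.setdefault(comp, {})
    return tree


def _deny_siblings(names, prefix, perms, rules, seen=""):
    """Deny every name under prefix that is not one of 'names'.

    All 'names' start with 'seen', the character prefix matched so far."""
    nexts, exact, globbed = set(), False, False
    for name in names:
        rest = name[len(seen):]
        if rest == "":
            exact = True          # an allowed name ends exactly here
        elif rest.startswith("*"):
            globbed = True        # 'seen*' is allowed: any continuation is fine
        else:
            nexts.add(rest[0])
    if globbed:
        return
    if nexts:
        # Any other character at this position starts a name we do not allow.
        rules.append(f"deny {prefix}/{seen}[^{''.join(sorted(nexts))}]*{{,/**}} {perms},")
    elif exact:
        # 'seen' itself is allowed; longer names that merely start with it are not.
        rules.append(f"deny {prefix}/{seen}?*{{,/**}} {perms},")
    for c in sorted(nexts):
        _deny_siblings([n for n in names if n[len(seen):].startswith(c)],
                       prefix, perms, rules, seen + c)


def _walk(node, prefix, perms, rules):
    names = sorted(node)
    if "**" in names:
        return                    # whole subtree allowed: nothing to deny here
    _deny_siblings(names, prefix, perms, rules)
    for name in names:
        if not name.endswith("*"):
            _walk(node[name], prefix + "/" + name, perms, rules)


def gen_rules(block=BLOCK, allow=ALLOW, perms="w"):
    """Return the AppArmor deny lines for 'block' minus 'allow'."""
    rules = []
    _walk(build_tree(block, allow), block, perms, rules)
    return rules


def glob_to_regex(pat):
    """Translate the glob subset emitted above ('**', '*', '?', [^..], {a,b})
    into a Python regex so the generated policy can be checked offline."""
    out, i = [], 0
    while i < len(pat):
        if pat.startswith("**", i):
            out.append(".*")
            i += 2
        elif pat[i] in "[{":
            j = pat.index("]" if pat[i] == "[" else "}", i)
            if pat[i] == "[":
                out.append(pat[i:j + 1])
            else:
                alts = pat[i + 1:j].split(",")
                out.append("(?:%s)" % "|".join(glob_to_regex(a) for a in alts))
            i = j + 1
        else:
            out.append({"*": "[^/]*", "?": "[^/]"}.get(pat[i], re.escape(pat[i])))
            i += 1
    return "".join(out)


def is_write_denied(path, rules):
    """Policy check in the spirit of lxc-test-apparmor: does any deny line match?"""
    return any(re.fullmatch(glob_to_regex(r.split()[1]), path) for r in rules)


if __name__ == "__main__":
    for line in gen_rules():
        print(line)
```

Running it prints the deny lines, starting with "deny /proc/sys/[^kn]*{,/**} w," and continuing with one line per character of each allowed name (k[^e]*, ke[^r]*, ..., kernel?*). is_write_denied() plays the role of the policy testcase the commit mentions: sysctls such as kernel.sysrq and vm.overcommit_memory match a deny line, while kernel.shmmax, kernel.hostname and net.ipv4.ip_forward match none. The check also catches the near-miss case where a name merely starts with an allowed one (kernel/domainnames is denied, kernel/domainname is not).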
Serge Hallyn
c08a0b7c4e cgmanager: container-base apparmor abstraction: allow mount move
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-02-03 15:17:43 -06:00
Stéphane Graber
8da250dad4 apparmor: Add profiles
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-01-16 17:49:23 -05:00