mirror_lxc/config/apparmor
Wolfgang Bumiller e6ec0a9e71 apparmor: allow various remount,bind options
RW bind mounts need to be restricted for some paths in order to avoid MAC restriction bypasses, but read-only bind mounts shouldn't have that problem.

Additionally, combinations of 'nosuid', 'nodev' and 'noexec' flags shouldn't be a problem either and are required with newer systemd versions, so let's allow those as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2018-11-16 12:17:30 +01:00
abstractions apparmor: allow various remount,bind options 2018-11-16 12:17:30 +01:00
profiles apparmor: update current profiles 2018-07-25 12:13:17 +02:00
container-rules apparmor: allow writes to sem* and msg* sysctls 2014-04-29 16:45:16 -05:00
container-rules.base apparmor: allow writes to sem* and msg* sysctls 2014-04-29 16:45:16 -05:00
lxc-containers apparmor: Add profiles 2014-01-16 17:49:23 -05:00
lxc-generate-aa-rules.py Use /usr/bin/env python3 instead of /usr/bin/python3 project-wide 2015-11-10 15:53:33 -05:00
Makefile.am apparmor: account for specified rootfs path (closes #2617) 2018-09-20 15:56:05 -07:00
README apparmor: auto-generate the blacklist rules 2014-04-01 13:49:43 -04:00
usr.bin.lxc-start apparmor: Add profiles 2014-01-16 17:49:23 -05:00

The abstractions/container-base file is partially automatically generated. The two source files are container-rules.base and abstractions/container-base.in. If these files are updated, then

1. Generate a new container-rules file using

./lxc-generate-aa-rules.py container-rules.base > container-rules

2. Concatenate container-base.in with container-rules using

cat abstractions/container-base.in container-rules > abstractions/container-base
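The commit message above allows read-only remount+bind with any combination of nosuid, nodev and noexec. The following is an added example, not lxc's own generator or profile: it enumerates exactly that option space, checks a given option set against the stated rationale (ro, remount and bind present, rw absent, nothing else added), and renders the sets as AppArmor "mount options=(...)" rules in the standard syntax; the concrete lines lxc ships are not reproduced here.

```python
# Added example (not lxc's own code): enumerate the mount-option
# combinations described in the commit message and emit them as
# AppArmor mount rules. The "mount options=(...)" syntax is standard
# AppArmor; the rule lines are an illustration, not lxc's profile.
from itertools import combinations

BASE = ("ro", "remount", "bind")        # always required together
EXTRA = ("nosuid", "nodev", "noexec")   # any subset may be added


def allowed_option_sets():
    """Return every option set of the form ro,remount,bind plus a
    subset of nosuid/nodev/noexec, smallest sets first."""
    sets = []
    for n in range(len(EXTRA) + 1):
        for extra in combinations(EXTRA, n):
            sets.append(BASE + extra)
    return sets


def is_allowed(options):
    """True if an option set matches the rationale: ro, remount and
    bind must all be present, rw must be absent (read-write bind
    mounts are the bypass risk), and only nosuid/nodev/noexec may be
    added on top."""
    opts = set(options)
    if not set(BASE) <= opts or "rw" in opts:
        return False
    return opts - set(BASE) <= set(EXTRA)


def render_rules():
    """Render one AppArmor mount rule per allowed option set. The rules
    carry no source/target, so they constrain only the option set."""
    return "\n".join(
        "  mount options=(%s)," % ",".join(opts)
        for opts in allowed_option_sets()
    )


if __name__ == "__main__":
    print(render_rules())
```

Running the script prints eight rule lines, one per combination; is_allowed() can be used to sanity-check a candidate option string before adding it to a profile.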