mirror of
https://git.proxmox.com/git/mirror_lxc
synced 2025-07-14 15:43:35 +00:00
773bd28258
/proc/sys/kernel/sem* and /proc/sys/kernel/msg* are ipc sysctls which are properly namespaced. Allow writes to them from containers. Reported-by: Dan Kegel <dank@kegel.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
16 lines
480 B
Plaintext
16 lines
480 B
Plaintext
# Run lxc-generate-aa-rules.py on this file after any modification, to generate
|
|
# the container-rules file which is appended to container-base.in to create the
|
|
# final abstractions/container-base.
|
|
|
|
block /sys
|
|
allow /sys/fs/cgroup/**
|
|
allow /sys/devices/virtual/net/**
|
|
allow /sys/class/net/**
|
|
block /proc/sys
|
|
allow /proc/sys/kernel/shm*
|
|
allow /proc/sys/kernel/sem*
|
|
allow /proc/sys/kernel/msg*
|
|
allow /proc/sys/kernel/hostname
|
|
allow /proc/sys/kernel/domainname
|
|
allow /proc/sys/net/**
|