update apparmor profile to restrict mounts

Bug #942934 reported by Serge Hallyn
Affects: lxc (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Serge Hallyn | Milestone: (none)

Bug Description

The default lxc-start policy should place the following restrictions on mounts (among others):

    1. procfs may only be mounted under /proc
    2. devpts may not be mounted
    3. sys may only be mounted at /sys
    4. cgroups either
       a. not mountable or
       b. mounted under /sys/fs/cgroup, with write restrictions outside of
          /sys/fs/cgroup/*/<container-init-cgroup>/. I don't know if that
          is doable without making per-container policies.
    5. securityfs not mountable
    6. debugfs not mountable (for now)
    7. binfmt_misc not mountable


Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Serge Hallyn (serge-hallyn)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package lxc - 0.7.5-3ubuntu41

---------------
lxc (0.7.5-3ubuntu41) precise; urgency=low

  * add lxc-shutdown command:
    - 0060-lxc-shutdown: add the command to the source
    - debian/lxc.upstart: use lxc-shutdown to shut down containers cleanly
    - debian/lxc.default: add LXC_SHUTDOWN_TIMEOUT (default 120s)
  * support per-container apparmor policies: (LP: #953453)
    - 0061-lxc-start-apparmor: add lxc.aa_profile to config file. If not
      specified, lxc-default profile is used for container. Otherwise, the
      specified profile is used.
      Note that per-container profiles must be named 'lxc-*'.
    - split debian/lxc-default.apparmor from debian/lxc.apparmor.
    - have /etc/apparmor.d/lxc-containers #include /etc/apparmor.d/lxc/*
    - debian/lxc.postinst: load the new lxc-containers profiles
    - debian/lxc.postrm: remove lxc-containers profiles
    - debian/rules: make new etc/apparmor.d/lxc dir and copy lxc-default into it
    - debian/control: add libapparmor-dev to build-depends
    - debian/lxc.upstart: load apparmor per-container policies at pre-start.
  * debian/lxc.apparmor: insert the stricter mount rules for lxc-start
    (LP: #645625) (LP: #942934)
  * debian/local/lxc-start-ephemeral: re-enable aufs option (LP: #960262)
  * replace upstream lxc-wait with our own bash script (LP: #951181)
    - debian/local/lxc-wait: the script
    - debian/rules: copy the script into place
  * 0062-templates-relative-paths: update templates to use relative paths,
    and make lxc-start always accept /var/lib/lxc/CN/rootfs as target prefix,
    to make lvm containers work. (LP: #960860)
 -- Serge Hallyn <email address hidden> Wed, 21 Mar 2012 08:20:06 -0500

Changed in lxc (Ubuntu):
status: Confirmed → Fix Released
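As an added illustration of the mount restrictions listed in the bug description, and of the per-container profile mechanism (lxc.aa_profile, profiles named lxc-*, files under /etc/apparmor.d/lxc/) described in the changelog, the following AppArmor profile encodes rules 1 to 7 as mount rules. It is example code written for this page, not the lxc package's debian/lxc.apparmor or lxc-default profile; the profile name lxc-restricted-mounts, its file location and the broad network/capability/file allows are assumptions made to keep the example focused on mount mediation.

```apparmor
# Added example: an AppArmor profile encoding the mount restrictions from the
# bug description.  Not the lxc package's own profile; the profile name, file
# location and the blanket allow rules below are assumptions.
#
# Assumed location: /etc/apparmor.d/lxc/lxc-restricted-mounts, so that the
# "#include /etc/apparmor.d/lxc/*" in lxc-containers (see changelog) loads it.
# Assumed container config line selecting it (name must begin with "lxc-"):
#   lxc.aa_profile = lxc-restricted-mounts

#include <tunables/global>

profile lxc-restricted-mounts flags=(attach_disconnected,mediate_deleted) {
  # Broad allows so the example stays about mount mediation; a production
  # container profile would scope each of these further.
  network,
  capability,
  file,
  umount,

  # 1. procfs may only be mounted under /proc  (AppArmor fstype name: proc)
  mount fstype=proc -> /proc/,

  # 3. sysfs may only be mounted at /sys  (AppArmor fstype name: sysfs)
  mount fstype=sysfs -> /sys/,

  # 4b. cgroup mounts only beneath /sys/fs/cgroup.  The write restriction to
  #     /sys/fs/cgroup/*/<container-init-cgroup>/ is a path (file) rule, not a
  #     mount rule, and needs a per-container profile; see the note below.
  mount fstype=cgroup -> /sys/fs/cgroup/**,

  # 2, 5, 6, 7. Filesystem types the container must never mount.  AppArmor
  # already refuses a mount that matches no mount rule; the explicit deny
  # lines override any broader allow and keep the refusal out of the audit log.
  deny mount fstype=devpts,
  deny mount fstype=securityfs,
  deny mount fstype=debugfs,
  deny mount fstype=binfmt_misc,
}
```

Because the per-container files are pulled in through lxc-containers, reloading that profile set (`apparmor_parser -r /etc/apparmor.d/lxc-containers`) picks up the new file; `aa-status` then lists lxc-restricted-mounts in enforce mode, and a rejected mount shows up in the kernel log as an `apparmor="DENIED"` entry with `operation="mount"`. Two caveats for rule 4b: the cgroup path a given container's init lands in is only known once lxc-start creates it, which is why the bug reporter suspects it needs per-container policies, and AppArmor deny rules take precedence over allow rules, so the restriction cannot be written as a blanket `deny /sys/fs/cgroup/** w,` with an allow carved out underneath it; a per-container profile would have to drop the bare `file,` rule and grant write access only to the container's own cgroup subtree.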