[FFE] use per-container apparmor profiles
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
lxc (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
The current lxc package uses a single profile for all containers. Because of the way this is implemented, administrators cannot customize a policy for a special container (without copying /usr/bin/lxc-start to a new container-specific /usr/bin/
Additionally, the default policy cannot at the same time clamp down on cgroup access by the container (to prevent it escaping its device list access, for instance) and allow nested lxc/libvirt (which requires cgroup modification of the container's child cgroups).
I believe this will not be sufficient for administrators. Therefore I think we should:
1. update lxc-create to have a '--apparmor <file>' argument to specify a custom profile.
2. have lxc-create use a default policy (in /etc/lxc/
3. edit lxc-start and lxc-execute to manually enter the container's policy as specified by lxc.apparmor line in the configuration file, or a stock one if unspecified.
4. edit lxc-clone and lxc-start-ephemeral to do the right thing.
Changed in lxc (Ubuntu):
importance: Undecided → High
Status changed to 'Confirmed' because the bug affects multiple users.