Thanks for your rapid reply.
Sorry, I'm a newbie to AppArmor.
1. What should I do: create an AppArmor policy for /usr/lib/libvirt/libvirt_lxc, or something else?
2. How can I set up per-container AppArmor policies?
3. Could I use the AppArmor policy for LXC below as a reference?
root@superstack:~# cat /etc/apparmor.d/lxc/lxc-default
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
# NOTE(review): as pasted here the listing starts inside the profile body:
# the opening `profile … {` line (and any bare grants before the first
# mount rule) is not shown, although the closing `}` at the end is.
# Permission letters on deny rules: r read, w write, k lock, l link, x exec.
# In AppArmor a deny rule takes precedence over any overlapping allow rule.
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
# allow tmpfs mounts everywhere
mount fstype=tmpfs,
# allow mqueue mounts everywhere
mount fstype=mqueue,
# allow fuse mounts everywhere
mount fstype=fuse.*,
# the container may never be allowed to mount devpts. If it does, it
# will remount the host's devpts. We could allow it to do it with
# the newinstance option (but, right now, we don't).
deny mount fstype=devpts,
# allow bind mount of /lib/init/fstab for lxcguest
mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
# deny writes in /proc/sys/fs but allow fusectl to be mounted
mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
deny @{PROC}/sys/fs/** wklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
# the five patterns below together cover every /sys path that does not
# begin with /sys/fs/cg (i.e. the cgroup tree stays writable)
mount fstype=fusectl -> /sys/fs/fuse/connections/,
mount fstype=securityfs -> /sys/kernel/security/,
mount fstype=debugfs -> /sys/kernel/debug/,
deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
mount fstype=proc -> /proc/,
mount fstype=sysfs -> /sys/,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
}
Thanks for your rapid reply.
Sorry, I'm a newbie to AppArmor.
1. What should I do: create an AppArmor policy for /usr/lib/libvirt/libvirt_lxc, or something else?
2. How can I set up per-container AppArmor policies?
3. Could I use the AppArmor policy for LXC below as a reference?
root@superstack:~# cat /etc/apparmor.d/lxc/lxc-default
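# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
#
# Default confinement for LXC containers.  The four bare rules at the top
# (network, capability, file, umount) grant those access classes without
# restriction, so the effective policy is the set of deny rules that follow;
# in AppArmor a deny rule takes precedence over any overlapping allow rule.
# Permission letters on deny rules: r read, w write, k lock, l link, x exec.
profile lxc-container-default flags=(attach_disconnected, mediate_deleted) {
  network,
  capability,
  file,
  umount,

  # ignore DENIED message on / remount
  deny mount options=(ro, remount) -> /,

  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,

  # allow mqueue mounts everywhere
  mount fstype=mqueue,

  # allow fuse mounts everywhere
  mount fstype=fuse.*,

  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,

  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

  # deny writes in /proc/sys/fs but allow fusectl to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,

  # block some other dangerous paths
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
  deny @{PROC}/sys/kernel/*/** wklx,

  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)
  mount fstype=fusectl -> /sys/fs/fuse/connections/,
  mount fstype=securityfs -> /sys/kernel/security/,
  mount fstype=debugfs -> /sys/kernel/debug/,
  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
  # the five patterns below together cover every /sys path that does not
  # begin with /sys/fs/cg (i.e. the cgroup tree stays writable)
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
}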