Comment 3 for bug 1811248

Seth Arnold (seth-arnold) wrote : Re: [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

On Fri, Jan 11, 2019 at 02:36:30AM -0000, km wrote:
> profile="lxc-container-default-cgns"
>
> profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
> #include <abstractions/lxc/container-base>
>
> # the container may never be allowed to mount devpts. If it does, it
> # will remount the host's devpts. We could allow it to do it with
> # the newinstance option (but, right now, we don't).
> deny mount fstype=devpts,
> mount fstype=cgroup -> /sys/fs/cgroup/**,
> mount fstype=cgroup2 -> /sys/fs/cgroup/**,
> }

Thanks.

> > flags are being used by the mount(2) system call that's failed
>
> Pardon my ignorance, as I'm not sure what you are asking here. I
> thought it was obvious from the log:
>
> pid=8426 comm="(networkd)" flags="rw, rslave"

It's my ignorance here -- I don't know if AppArmor's log message is
sufficient to reconstruct the actual mount() syscall that the process
has performed -- and I don't know if the extra parameters that may be
in the syscall are important or not.

If you could catch the mount() syscall with strace that'd be beautiful.

Thanks
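Added illustration of the two halves of what Seth is asking for; this is example code, not part of the bug thread or of AppArmor/systemd. The first function pulls the `flags="..."` field out of an AppArmor mount denial and translates each AppArmor flag word into the mount(2) MS_* constants it corresponds to, so the reader can compare the log against what strace prints. The second just wraps the strace invocation. The log line is constructed here to match the fields quoted above (pid, comm, flags, profile); the name="/" field and the rest are assumptions. Note that comm="(networkd)" is the name systemd gives the forked child that sets up a service's namespace before exec, so the mount() most likely happens there: attach strace with -f to the container's init (PID 1 inside the container) and then restart the service, rather than tracing an already-running systemd-networkd.

```shell
#!/bin/sh
# Constructed sample AppArmor denial in the shape of the one reported in the
# bug (pid/comm/flags/profile as quoted; the other fields are made up).
SAMPLE_LOG='audit: type=1400 apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8426 comm="(networkd)" flags="rw, rslave"'

# Extract the flags="..." field from one AppArmor audit line.
apparmor_flags() {
  printf '%s\n' "$1" | sed -n 's/.*flags="\([^"]*\)".*/\1/p'
}

# Map one AppArmor mount flag word to the mount(2) MS_* constant(s) it names.
# "rw" is the absence of MS_RDONLY, so it maps to nothing. The r-prefixed
# propagation/bind words are the recursive (MS_REC) variants.
flag_to_ms() {
  case "$1" in
    rw)          echo "" ;;
    ro)          echo "MS_RDONLY" ;;
    nosuid)      echo "MS_NOSUID" ;;
    nodev)       echo "MS_NODEV" ;;
    noexec)      echo "MS_NOEXEC" ;;
    sync)        echo "MS_SYNCHRONOUS" ;;
    dirsync)     echo "MS_DIRSYNC" ;;
    remount)     echo "MS_REMOUNT" ;;
    mand)        echo "MS_MANDLOCK" ;;
    noatime)     echo "MS_NOATIME" ;;
    nodiratime)  echo "MS_NODIRATIME" ;;
    relatime)    echo "MS_RELATIME" ;;
    strictatime) echo "MS_STRICTATIME" ;;
    silent)      echo "MS_SILENT" ;;
    bind)        echo "MS_BIND" ;;
    rbind)       echo "MS_REC|MS_BIND" ;;
    move)        echo "MS_MOVE" ;;
    private)     echo "MS_PRIVATE" ;;
    rprivate)    echo "MS_REC|MS_PRIVATE" ;;
    slave)       echo "MS_SLAVE" ;;
    rslave)      echo "MS_REC|MS_SLAVE" ;;
    shared)      echo "MS_SHARED" ;;
    rshared)     echo "MS_REC|MS_SHARED" ;;
    unbindable)  echo "MS_UNBINDABLE" ;;
    runbindable) echo "MS_REC|MS_UNBINDABLE" ;;
    *)           echo "UNKNOWN($1)" ;;   # make anything unmapped visible
  esac
}

# Translate a comma-separated AppArmor flag list ("rw, rslave") into a
# "|"-joined MS_* expression ("MS_REC|MS_SLAVE").
apparmor_flags_to_ms() {
  out=""
  old_ifs=$IFS
  IFS=','
  for word in $1; do
    word=$(printf '%s' "$word" | tr -d ' ')
    ms=$(flag_to_ms "$word")
    [ -n "$ms" ] || continue
    out="${out:+$out|}$ms"
  done
  IFS=$old_ifs
  printf '%s\n' "$out"
}

# Capture every mount() the traced process and its children make. Inside the
# container, $1 would be 1 (systemd) so that the forked "(networkd)" child is
# followed; restart systemd-networkd while this is attached.
trace_mounts() {
  pid=$1
  outfile=${2:-/tmp/mount.strace}
  strace -f -tt -e trace=mount -s 256 -o "$outfile" -p "$pid"
}

# Demo on the constructed line: expected to print MS_REC|MS_SLAVE, i.e. a
# propagation change of the whole tree, which strace would show as something
# like mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL).
apparmor_flags_to_ms "$(apparmor_flags "$SAMPLE_LOG")"
```

Reading the strace output next to the translated flags answers the question in the reply: the MS_* word set in the log is the same information as the fourth mount() argument, but only strace shows the source, target and fstype arguments, which is what decides which AppArmor mount rule would have to match.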