Comment 4 for bug 1244635

Andrea Corbellini (andrea.corbellini) wrote :

Hi Stéphane,

I can see at least three ways of escaping.

The first is using LXC through libvirt. I see that there's an AppArmor profile for usr.bin.lxc-start, but AFAIK libvirt does not use lxc-start. Also, libvirt does not load the "lxc-containers" profile (AFAIK).

This is proven by the fact that `cat /sys/kernel/security/apparmor/profiles` does not fail when done from within my LXC+libvirt guest.

Also, reading /etc/apparmor.d/abstractions/lxc/container-base I see that there are many deny rules, but you are missing at least two: /sys/kernel/uevent_helper and /sys/class/mem/null/uevent. See http://blog.bofh.it/debian/id_413 for a way of escaping using these two files.

Finally, while there are rules that deny reads and writes to /sys, there are no rules that stop me from e.g. `mount -t sysfs sysfs /tmp/sys` or bind-mounting /sys to another location. (I'm not sure about this point because, you know, I'm using libvirt and I cannot test.)
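As an added illustration of the kind of audit the comment above calls for (example code added here, not from the bug report, Andrea, or the LXC/libvirt projects): a small Python checker that parses deny rules written in AppArmor abstraction syntax and reports which of the named sysfs paths and mount types are not covered by any deny rule. The abstraction excerpt embedded below is constructed for the example and is not the real container-base file; the function names and the exact rule set are my own assumptions, and the glob translation handles only `*`, `**`, `?` and bracket expressions.

```python
import re

# Constructed excerpt written in AppArmor profile syntax. It is NOT the real
# /etc/apparmor.d/abstractions/lxc/container-base; it only stands in for a
# file of that shape so the checker has something to run against.
SAMPLE_ABSTRACTION = """
# (constructed) sysfs subtrees a container must not touch
deny /sys/firmware/** rwklx,
deny /sys/kernel/security/** rwklx,
deny /sys/fs/cgroup/** wklx,
deny mount fstype=proc,
"""

PATH_RULE = re.compile(r"^\s*(?P<deny>deny\s+)?(?P<pattern>/\S+)\s+(?P<perms>[a-zA-Z]+)\s*,\s*$")
MOUNT_RULE = re.compile(r"^\s*deny\s+mount\b(?P<opts>[^,]*),\s*$")
FSTYPE_OPT = re.compile(r"fstype\s*=\s*(?P<fs>[^\s,]+)")


def glob_to_regex(pattern):
    """Translate an AppArmor file glob into an anchored Python regex.

    '**' matches any characters including '/', '*' matches any characters
    except '/', '?' matches one character other than '/'. Bracket expressions
    are passed through unchanged. Brace alternation and variables are not
    handled by this small checker (assumption: the rules audited avoid them).
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c in "[]^-":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def glob_matches(pattern, path):
    """True if the AppArmor glob `pattern` covers the absolute `path`."""
    return re.match(glob_to_regex(pattern), path) is not None


def parse_rules(text):
    """Return the deny rules found in abstraction text as a list of dicts."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MOUNT_RULE.match(line)
        if m:
            fs = FSTYPE_OPT.search(m.group("opts"))
            rules.append({"kind": "mount", "fstype": fs.group("fs") if fs else None})
            continue
        m = PATH_RULE.match(line)
        if m and m.group("deny"):
            rules.append({"kind": "path",
                          "regex": re.compile(glob_to_regex(m.group("pattern"))),
                          "perms": set(m.group("perms"))})
    return rules


def is_denied(rules, path, perm):
    """True if some deny rule covers `path` for access mode `perm` (r, w, k, l, x)."""
    return any(r["kind"] == "path" and perm in r["perms"] and r["regex"].match(path)
               for r in rules)


def mount_denied(rules, fstype):
    """True if mounting `fstype` is denied; a bare 'deny mount,' covers every type."""
    return any(r["kind"] == "mount" and r["fstype"] in (None, fstype) for r in rules)


def audit(text, path_checks, mount_checks):
    """List the wanted denials that the abstraction does not provide.

    path_checks: iterable of (path, perm); mount_checks: iterable of fstype.
    An empty list means every requested denial is present.
    """
    rules = parse_rules(text)
    gaps = [f"no deny rule for '{perm}' on {path}"
            for path, perm in path_checks if not is_denied(rules, path, perm)]
    gaps += [f"mount -t {fstype} is not denied"
             for fstype in mount_checks if not mount_denied(rules, fstype)]
    return gaps


# The files named in the comment above, plus the mount it asks about.
WANTED_PATH_DENIALS = [
    ("/sys/kernel/uevent_helper", "w"),
    ("/sys/class/mem/null/uevent", "w"),
    ("/sys/kernel/security/apparmor/profiles", "r"),
]
WANTED_MOUNT_DENIALS = ["sysfs"]

if __name__ == "__main__":
    for gap in audit(SAMPLE_ABSTRACTION, WANTED_PATH_DENIALS, WANTED_MOUNT_DENIALS):
        print(gap)
```

Run against a real abstraction with `audit(open(path).read(), ...)`. Note that a deny rule in the profile only helps if a profile is actually attached to the container's init, which is the first point the comment makes; `cat /proc/self/attr/current` inside the guest shows whether one is.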