[FFE] use per-container apparmor profiles

Bug #953453 reported by Serge Hallyn on 2012-03-12
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
lxc (Ubuntu)
High
Unassigned

Bug Description

The current lxc package uses a single profile for all containers. Because of the way this is implemented, administrators cannot customize a policy for a special container (without copying /usr/bin/lxc-start to a new container-specific /usr/bin/lxc-start-mycontainer, which could then have its own policy).

Additionally, the default policy cannot at the same time clamp down on cgroup access by the container (to prevent it escaping its device list access, for instance) and allow nested lxc/libvirt (which requires cggroup modification of the container's child cgroups).

I believe this will not be sufficient for administrators. Therefore I think we should:

1. update lxc-create to have a '--apparmor <file>' argument to specify a custom profile.
2. have lxc-create use a default policy (in /etc/lxc/lxc.apparmor) by default
3. edit lxc-start and lxc-execute to manually enter the container's policy as specified by lxc.apparmor line in the configuration file, or a stock one if unspecified.
4. edit lxc-clone and lxc-start-ephemeral to do the right thing.

Related branches

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu):
status: New → Confirmed
Changed in lxc (Ubuntu):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu41

---------------
lxc (0.7.5-3ubuntu41) precise; urgency=low

  * add lxc-shutdown command:
    - 0060-lxc-shutdown: add the command to the source
    - debian/lxc.upstart: use lxc-shutdown to shut down containers cleanly
    - debian/lxc.default: add LXC_SHUTDOWN_TIMEOUT (default 120s)
  * support per-container apparmor policies: (LP: #953453)
    - 0061-lxc-start-apparmor: add lxc.aa_profile to config file. If not
      specified, lxc-default profile is used for container. Otherwise, the
      specified profile is used.
      Note that per-container profiles must be named 'lxc-*'.
    - split debian/lxc-default.apparmor from debian/lxc.apparmor.
    - have /etc/apparmor.d/lxc-containers #include /etc/apparmor.d/lxc/*
    - debian/lxc.postinst: load the new lxc-containers profiles
    - debian/lxc.postrm: remove lxc-containers profiles
    - debian/rules: make new etc/apparmor.d/lxc dir and copy lxc-default into it
    - debian/control: add libapparmor-dev to build-depends
    - debian/lxc.upstart: load apparmor per-container policies at pre-start.
  * debian/lxc.apparmor: insert the stricter mount rules for lxc-start
    (LP: #645625) (LP: #942934)
  * debian/local/lxc-start-ephemeral: re-enable aufs option (LP: #960262)
  * replace upstream lxc-wait with our own bash script (LP: #951181)
    - debian/local/lxc-wait: the script
    - debian/rules: copy the script into place
  * 0062-templates-relative-paths: update templates to use relative paths,
    and make lxc-start always accept /var/lib/lxc/CN/rootfs as target prefix,
    to make lvm containers work. (LP: #960860)
 -- Serge Hallyn <email address hidden> Wed, 21 Mar 2012 08:20:06 -0500

Changed in lxc (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers