Merge lp:~serge-hallyn/ubuntu/trusty/lxc/lxc.aa-libvirt into lp:~ubuntu-branches/ubuntu/trusty/lxc/trusty

Proposed by Serge Hallyn
Status: Needs review
Proposed branch: lp:~serge-hallyn/ubuntu/trusty/lxc/lxc.aa-libvirt
Merge into: lp:~ubuntu-branches/ubuntu/trusty/lxc/trusty
Diff against target: 36 lines (+17/-1)
2 files modified
debian/apparmor/abstractions-lxc-container-base (+7/-1)
debian/changelog (+10/-0)
To merge this branch: bzr merge lp:~serge-hallyn/ubuntu/trusty/lxc/lxc.aa-libvirt
Reviewer: Stéphane Graber (review pending)
Review via email: mp+193622@code.launchpad.net

Description of the change

Allow write access under /sys/class/net and /sys/devices/virtual/net. Otherwise libvirt is unable to create virbr0.

Seth Arnold (seth-arnold) wrote :

FWIW, looks good to me. AppArmor needs a better way to express this.

Thanks

Stéphane Graber (stgraber) wrote :

Looks good to me, it's just annoying that we need to use those regexps and that any addition of a new /sys entry may go uncontained because of this but oh well, not much choice just now...

Serge Hallyn (serge-hallyn) wrote :

Quoting Stéphane Graber (<email address hidden>):
> Looks good to me, it's just annoying that we need to use those regexps and that any addition of a new /sys entry may go uncontained because of this but oh well, not much choice just now...

Thanks for looking it over.

I wonder whether it would be worthwhile to build our own parser which
takes a simpler list of paths we want to allow, and builds deny regexes
to put into policy? Because if we need to allow one or two more paths,
it'll become unreadable as is.
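
A concrete version of the generator Serge floats above, as an added example for this thread (not code from the lxc package, Ubuntu or the AppArmor project): it takes the allow-list and emits deny rules in the same shape as the hand-written ones in the diff. It goes further than the diff in that it peels each allowed name off character by character rather than keying on the first letter only, which closes the "new /sys entry goes uncontained" gap Stéphane raises, at the cost of many more rules (64 for the three trees the diff leaves writable). The allow-list, the sample paths and the small glob matcher are constructed for the example; the matcher only approximates AppArmor's globbing, so generated output still has to be loaded through apparmor_parser and exercised before it ships.

```python
"""Turn a short allow-list of sysfs paths into AppArmor deny rules.

AppArmor globs have no "everything except X", so the allowed path must be
peeled off one character at a time with negated classes.  The rules emitted
here have the shape used in the diff (deny <glob>/** wklx,) but cover every
sibling name, not only siblings whose first letter differs.
Added example for this review thread; not lxc or AppArmor project code.
"""
import re

# Names are kept to plain characters so the globs need no escaping.
NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")

# Constructed from the three trees the diff leaves writable; not a real host.
ALLOWED = ["/sys/class/net", "/sys/devices/virtual/net", "/sys/fs/cgroup"]


def _component_trie(root, allowed):
    """Nested dicts keyed by path component, one level per directory."""
    trie, prefix = {}, root.rstrip("/") + "/"
    for path in allowed:
        if not path.startswith(prefix):
            raise ValueError(f"{path} is not under {root}")
        node = trie
        for comp in path[len(prefix):].strip("/").split("/"):
            if not NAME_RE.match(comp):
                raise ValueError(f"unsupported component {comp!r}")
            node = node.setdefault(comp, {})
    return trie


def _char_trie(names):
    """Nested dicts keyed by character; the key "" marks the end of a name."""
    trie = {}
    for name in names:
        node = trie
        for ch in name:
            node = node.setdefault(ch, {})
        node[""] = None
    return trie


def _deny_siblings(parent, ctrie, prefix, perms, out):
    """Deny every entry of `parent` whose name is not in the char trie."""
    nexts = sorted(k for k in ctrie if k != "")
    if "" in ctrie:                      # `prefix` is a complete allowed name
        # net beside network would need net[^w]*, whose safety hinges on
        # whether a negated class can match '/'; refuse rather than guess.
        if nexts:
            raise ValueError(f"{prefix!r} is a prefix of another allowed name")
        out.append(f"deny {parent}/{prefix}?*/** {perms},")  # longer names
        return
    # names that share `prefix` but continue with a character not allowed here
    out.append(f"deny {parent}/{prefix}[^{''.join(nexts)}]*/** {perms},")
    if prefix:                           # the bare prefix is not an allowed name
        out.append(f"deny {parent}/{prefix}/** {perms},")
    for ch in nexts:
        _deny_siblings(parent, ctrie[ch], prefix + ch, perms, out)


def _walk(parent, node, perms, out):
    names = sorted(node)
    if not names:                        # allowed leaf: nothing below is denied
        return
    _deny_siblings(parent, _char_trie(names), "", perms, out)
    for name in names:                   # an allowed path under another narrows it
        _walk(f"{parent}/{name}", node[name], perms, out)


def generate_deny_rules(root, allowed, perms="wklx"):
    """Return the deny rules, one list entry each, ready to paste into a profile."""
    out = []
    _walk(root.rstrip("/"), _component_trie(root, allowed), perms, out)
    return out


def _glob_to_regex(glob):
    """Approximate AppArmor globbing: * and ? stop at '/', ** does not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        elif glob[i] == "[":
            j = glob.index("]", i)       # character classes are copied verbatim
            out.append(glob[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_denied(path, rules):
    """True when some rule's glob matches `path` (the permission set is ignored)."""
    return any(_glob_to_regex(r.split()[1]).match(path) for r in rules)


if __name__ == "__main__":
    for rule in generate_deny_rules("/sys", ALLOWED):
        print(rule)
```

Every deny the diff adds by hand appears in the output, followed by the rules that close the remaining first-letter gaps (for example deny /sys/class/n[^e]*/** wklx, so that only /sys/class/net, not every /sys/class/n*, stays writable). The generator refuses an allow-list in which one name is a proper prefix of a sibling, since the rule it would need depends on a detail of AppArmor's class matching that is better verified than assumed.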

Unmerged revisions

308. By Serge Hallyn

debian/apparmor/abstractions-lxc-container-base: allow writes to
/sys/class/net/* and /sys/devices/virtual/net/**. This is to allow
libvirt to set ip_forward on virbr0 which it creates. Note this is
safe because the container has its own private view of those
directories.

Preview Diff

1=== modified file 'debian/apparmor/abstractions-lxc-container-base'
2--- debian/apparmor/abstractions-lxc-container-base 2013-10-10 16:58:51 +0000
3+++ debian/apparmor/abstractions-lxc-container-base 2013-11-01 15:46:14 +0000
4@@ -40,7 +40,13 @@
5 deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
6 mount fstype=proc -> /proc/,
7 mount fstype=sysfs -> /sys/,
8- deny /sys/[^f]*/** wklx,
9+ # only allow /sys/class/net; /sys/devices/virtual/net; and /sys/fs.
10+ deny /sys/[^cdf]*/** wklx,
11+ # /sys/c* is only /sys/class; we only want /sys/class/net allowed
12+ deny /sys/class/[^n]*/** wklx,
13+ deny /sys/dev/** wklx,
14+ deny /sys/devices/[^v]*/** wklx,
15+ deny /sys/devices/virtual/[^n]*/** wklx,
16 deny /sys/f[^s]*/** wklx,
17 deny /sys/fs/[^c]*/** wklx,
18 deny /sys/fs/c[^g]*/** wklx,
19
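Review bot: The negated classes in this hunk match on a single character, so the allowance is wider than the comments state. `deny /sys/class/[^n]*/** wklx,` leaves every /sys/class entry whose name begins with "n" writable, not only /sys/class/net, and `deny /sys/devices/virtual/[^n]*/** wklx,` does the same under /sys/devices/virtual; `deny /sys/[^cdf]*/** wklx,` opens all of /sys/c* and /sys/d*, and only /sys/dev and /sys/devices/[^v]* are closed again, so any other /sys/c*, /sys/d* or /sys/devices/v* directory, present now or added by a later kernel, would be writable. If the allowed set is fixed, consider peeling off the remaining characters as well (e.g. `deny /sys/class/n[^e]*/** wklx,` and `deny /sys/class/ne[^t]*/** wklx,`), or at least say in the comment that the match is by first letter only. The comment "only allow /sys/class/net; /sys/devices/virtual/net; and /sys/fs" also overstates the /sys/fs part: the unchanged rules below still restrict /sys/fs to /sys/fs/cg*.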
20=== modified file 'debian/changelog'
21--- debian/changelog 2013-10-29 16:15:27 +0000
22+++ debian/changelog 2013-11-01 15:46:14 +0000
23@@ -1,3 +1,13 @@
24+lxc (1.0.0~alpha2-0ubuntu6) UNRELEASED; urgency=low
25+
26+ * debian/apparmor/abstractions-lxc-container-base: allow writes to
27+ /sys/class/net/** and /sys/devices/virtual/net/**. This is to allow
28+ libvirt to set ip_forward on virbr0 which it creates. Note this is
29+ safe because the container has it's own private view of those
30+ directories.
31+
32+ -- Serge Hallyn <serge.hallyn@ubuntu.com> Fri, 01 Nov 2013 10:40:00 -0500
33+
34 lxc (1.0.0~alpha2-0ubuntu5) trusty; urgency=low
35
36 [ Serge Hallyn]
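Review bot: Typo in the new changelog entry: "it's own private view" should be "its own private view" (the bzr commit message has the same typo). The entry justifies the change as letting libvirt "set ip_forward on virbr0", but the rules grant two whole directory trees; listing the sysfs files libvirt actually writes under /sys/class/net and /sys/devices/virtual/net would let a later reader tighten the rules to those paths.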
