On 07/15/2014 03:02 AM, Cédric Bosdonnat wrote:
Rework the apparmor lxc profile abstraction to mimic ubuntu's
container-default.
This profile allows quite a lot, but strives to restrict access to
dangerous resources.
Removing the explicit authorizations to bash, systemd and cron files,
forces them to keep the lxc profile for all applications inside the
container. PUx permissions where leading to running systemd (and others
tasks) unconfined.
Put the generic files, network and capabilities restrictions directly
in the TEMPLATE.lxc: this way, users can restrict them on a per
container basis.
---
Diff to v2:
* Fixed missing goto cleanup
Will push shortly, based on the ack given here:
https://www.redhat.com/archives/libvir-list/2014-July/msg00745.html
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org