Hi all,
Here are 2 patches fixing AppArmor profiles for lxc containers. The main problem was
that the current profile was:
1/ too restrictive as it needed to allow all needed applications
2/ used PUx permissions, which made systemd (or bash) run as unprofiled as they
have no profiles defined.
The new profile is based on container-default profile shipped for lxc on Ubuntu.
All applications are now running under the parent profile (ix permission) and some
critical file accesses are denied.
The first patch also avoids writing the useless libvirt-UUID.files for lxc containers.

Cédric Bosdonnat (2):
  Don't output libvirt-UUID.files for LXC apparmor profiles
  Rework lxc apparmor profile

 examples/apparmor/Makefile.am                 |   6 +-
 examples/apparmor/TEMPLATE.lxc                |  15 ++++
 examples/apparmor/{TEMPLATE => TEMPLATE.qemu} |   2 +-
 examples/apparmor/libvirt-lxc                 | 119 +++++++++++++++++++++++---
 src/security/security_apparmor.c              |  20 +++--
 src/security/virt-aa-helper.c                 |  32 ++-----
 6 files changed, 150 insertions(+), 44 deletions(-)
 create mode 100644 examples/apparmor/TEMPLATE.lxc
 rename examples/apparmor/{TEMPLATE => TEMPLATE.qemu} (75%)
--
1.8.4.5
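
The PUx problem described in the cover letter can be checked for mechanically. The following is an added example, not part of the original message or of libvirt: a small Python audit that flags AppArmor exec rules whose mode runs the target unconfined, either always or when no profile matches. The two sample profiles are constructed for illustration and are not the libvirt templates; the function name is hypothetical.

```python
import re

# Exec modes that run the target unconfined: always (ux/Ux), or as a
# fallback when no matching profile is loaded (pux/PUx, cux/CUx).
UNCONFINED_EXEC = re.compile(r"^[rwalkm]*(ux|Ux|pux|PUx|cux|CUx)[rwalkm]*$")

# Constructed sample: the pattern the cover letter describes as the problem.
OLD_STYLE = """\
profile constructed-old {
  /bin/bash PUx,      # no bash profile loaded, so bash runs unconfined
  /sbin/init rPUx,
  /etc/** r,
}
"""

# Constructed sample: children inherit the container profile (ix),
# with explicit denies for sensitive paths.
NEW_STYLE = """\
profile constructed-new {
  /** mrwlkix,
  deny /proc/sysrq-trigger rwklx,
}
"""


def unconfined_exec_rules(profile_text):
    """Return (line number, exec mode, rule) for each rule that can leave confinement."""
    findings = []
    for lineno, raw in enumerate(profile_text.splitlines(), 1):
        # Drop comments and the trailing comma, then look at each token.
        rule = raw.split("#", 1)[0].strip().rstrip(",")
        tokens = rule.split()
        if not tokens or tokens[0] == "deny":
            continue  # blank, comment-only, or a deny rule (grants nothing)
        for tok in tokens:
            match = UNCONFINED_EXEC.match(tok)
            if match:
                findings.append((lineno, match.group(1), rule))
    return findings


if __name__ == "__main__":
    for name, text in (("old", OLD_STYLE), ("new", NEW_STYLE)):
        for lineno, mode, rule in unconfined_exec_rules(text):
            print(f"{name}:{lineno}: {mode} may run unconfined: {rule}")
```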