On Sat, Oct 27, 2018 at 09:11:26PM +0200, Christian Brauner wrote:
> On Fri, Oct 26, 2018 at 02:37:56PM -0600, Stéphane Graber wrote:
> > On Fri, Oct 26, 2018 at 2:32 PM intrigeri <intrig...@debian.org> wrote:
> > >
> > > Hi Stéphane!
> > >
> > > Stéphane Graber:
> > > > AppArmor namespacing support similar to what's done by LXD has been
> > > > contributed to upstream LXC by Wolfgang Bumiller.
> > >
> > > Good news, thanks!
> > >
> > > > It's however a pretty complex new feature which introduces new config
> > > > options, so we won't be backporting it to stable releases.
> > >
> > > Any chance the release branch that has this feature (presumably 3.x)
> > > becomes stable by the end of the year?
> >
> > That'd be a question for Christian I think as he'd be the one doing
> > maintenance on it.
> >
> > I think we were aiming towards February-ish originally but there's no
> > real reason to wait that long either, so if Christian isn't waiting
> > for some big changes to land before doing a non-LTS feature release,
> > we should be able to tag one next month.
>
> That is doable, yes! :)
>
> > It'd be worth someone making sure that current master with the apparmor
> > work that was done by Wolfgang will do the right thing out of the box
> > though, otherwise that wouldn't really achieve a whole lot.
>
> I agree. If someone could verify this works it would be perfect.
> Ccing Wolfgang too.
Sorry for the delay...

Looks like additional unit sandboxing features have been added, I guess.
The test suite seems to go through a whole bunch of mount option
combinations here, and outside that, systemd-networkd seems to make use
of some of them.

I can get the test suite to not abort by using the following config,
tested with an unprivileged container on buster with the apparmor
patches cherry-picked into the 3.0.2 tag. (Though I cannot really
decipher whether the output is generally good or bad now ;-) )

    lxc.apparmor.profile = generated
    lxc.apparmor.raw = mount options=(ro,remount,bind) -> /run/systemd/unit-root/**/,
    lxc.apparmor.raw = mount options=(ro,nodev,remount,bind) -> /run/systemd/unit-root/**/,
    lxc.apparmor.raw = mount options=(ro,nodev,strictatime,remount,bind) -> /run/systemd/unit-root/**/,
    lxc.apparmor.raw = mount options=(ro,nosuid,noexec,remount,bind) -> /run/systemd/unit-root/**/,
    lxc.apparmor.raw = mount options=(ro,nosuid,nodev,remount,bind) -> /run/systemd/unit-root/**/,
    lxc.apparmor.raw = mount options=(ro,nosuid,nodev,noexec,remount,bind) -> /run/systemd/unit-root/**/,
    lxc.apparmor.raw = mount options=(ro,nosuid,nodev,noexec,strictatime,remount,bind) -> /run/systemd/unit-root/**/,

This is where I wish `options=()` had forced and optional flags.

It does seem to make sense to allow this in
/etc/apparmor.d/abstractions/lxc/container-base as well I think. We
already have a `ro,remount,bind` rule for `profile=generated` (coming
from lxd) which we could take over into container-base as well. It's
one of those long generated chains of ``all paths except /proc, /sys,
/dev`` rules. I'm not sure whether we want to just add the above rules
or multiply that generated list by all combinations of nodev, nosuid,
noexec, strictatime. At least as long as `ro,remount,bind` are also in
there it seems fine.
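As an added example that is not part of this thread or of LXC's or AppArmor's own code, a small Python script that expands the "multiply by all combinations" idea from the message above: for each target path it emits one mount rule per subset of the optional flags (nosuid, nodev, noexec, strictatime), always keeping ro,remount,bind, in both profile syntax (for container-base) and lxc.apparmor.raw form. The target path list is the only assumed input; the flag order follows the rules quoted in the thread.

```python
"""Expand AppArmor remount-bind rules over every combination of the
optional flags, always keeping the mandatory ro,remount,bind."""
from itertools import combinations

# Flag order as it appears in the rules quoted in the thread.
CANONICAL_ORDER = ["ro", "nosuid", "nodev", "noexec", "strictatime", "remount", "bind"]
MANDATORY = {"ro", "remount", "bind"}
OPTIONAL = ["nosuid", "nodev", "noexec", "strictatime"]


def option_sets(optional=OPTIONAL):
    """Every subset of the optional flags merged with the mandatory ones,
    in canonical order. Four optional flags give 2**4 = 16 option lists."""
    sets = []
    for n in range(len(optional) + 1):
        for subset in combinations(optional, n):
            chosen = MANDATORY | set(subset)
            sets.append([f for f in CANONICAL_ORDER if f in chosen])
    return sets


def mount_rules(targets, optional=OPTIONAL):
    """Profile-syntax mount rules (trailing comma) for each target path,
    the form that would go into abstractions/lxc/container-base."""
    return [
        "mount options=(%s) -> %s," % (",".join(opts), target)
        for target in targets
        for opts in option_sets(optional)
    ]


def lxc_raw_lines(targets, optional=OPTIONAL):
    """The same rules as lxc.apparmor.raw entries for a container config."""
    return ["lxc.apparmor.raw = " + rule for rule in mount_rules(targets, optional)]


def all_keep_mandatory(rules):
    """Guard from the thread: reject any rule that dropped ro, remount or bind."""
    for rule in rules:
        opts = set(rule.split("options=(")[1].split(")")[0].split(","))
        if not MANDATORY <= opts:
            return False
    return True


if __name__ == "__main__":
    # Sample target taken from the thread; any list of paths will do.
    for line in lxc_raw_lines(["/run/systemd/unit-root/**/"]):
        print(line)
```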