> On December 16, 2018 at 7:47 PM intrigeri <intrig...@boum.org> wrote:
> (...)
> > Looks like additional unit sandboxing features have been added, I guess.
> 
> My understanding is: it's not about new unit sandboxing features but
> rather that before systemd v240, failure to set up these sandboxing
> features used to be non-fatal (so units would not benefit from
> systemd's sandboxing features but at least they would start).

Sounds like it would be useful for systemd to make such behavior depend
on whether it can detect containerization with the option to explicitly
configure this via /etc/systemd/system.conf. I'd certainly want to
be *able* to enforce sandboxing in some scenarios, whereas in others I
find the unprivileged container sufficient.

> (...)
> For avoidance of doubt: I assume "the apparmor patches" means
> 434381b00..e7311a84e from lxc upstream Git master branch minus those
> that are already in the 3.0 branch, so: 1800f92 and e7311a84.

I think for the most part this one should do:
e6ec0a9e71aa ("apparmor: allow various remount,bind options")

It touches changes made by the commits you referenced above and
therefore causes conflicts in apparmor.c (which is responsible for the
`profile=generated` setting), which can be dropped. The important part
for 3.0 should be the profile changes.

> 
> > (Though I cannot really decipher whether the output is generally good
> > or bad now ;-) )
> >     lxc.apparmor.profile = generated
> >     lxc.apparmor.raw = mount options=(ro,remount,bind) -> /run/systemd/unit-root/**/,

I have a feeling that in the future we might need to add some more
combinations of mount options. (The above patch adds this plus combinations
of nosuid,nodev,noexec).
I hope some day apparmor can have an equivalent of doing
`options=( all(ro,remount,bind) + any(nosuid,nodev,noexec,foo,bar,baz,...) )`

(I think I saw a denied for a remount,strictatime at some point, but I don't
recall if that was systemd, and the container didn't really fail)


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
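Added illustration (not part of the thread, and not the lxc upstream patch): the message above describes an AppArmor mount rule for `ro,remount,bind` plus "combinations of nosuid,nodev,noexec", and wishes for an `all(...) + any(...)` form. Because a single `options=(...)` conditional names one fixed flag set, covering every combination means one rule per subset of the optional flags. The script below generates those rule lines for the `/run/systemd/unit-root/**/` target quoted in the thread; the exact flag combinations in commit e6ec0a9e71aa are not shown on the page, so the three optional flags are taken from the author's sentence and the output is an assumption about what such a rule set looks like, not a copy of the patch.

```python
from itertools import combinations

# Flags every generated rule must carry (quoted in the thread).
REQUIRED = ("ro", "remount", "bind")
# Flags that may appear in any combination (named in the thread).
OPTIONAL = ("nosuid", "nodev", "noexec")
# Mount point glob from the lxc.apparmor.raw line quoted in the thread.
TARGET = "/run/systemd/unit-root/**/"


def option_sets(required, optional):
    """Return every option set: the required flags plus each subset of the
    optional flags, from the empty subset up to all of them (2**len(optional) sets)."""
    sets = []
    for n in range(len(optional) + 1):
        for extra in combinations(optional, n):
            sets.append(tuple(required) + extra)
    return sets


def apparmor_mount_rules(required=REQUIRED, optional=OPTIONAL, target=TARGET):
    """Render one AppArmor 'mount options=(...) -> target,' rule per option set.
    This enumerates what an 'all(required) + any(optional)' conditional would
    express in a single rule if AppArmor supported it (assumed syntax in the
    thread, not an existing AppArmor feature)."""
    return ["mount options=(%s) -> %s," % (",".join(flags), target)
            for flags in option_sets(required, optional)]


def lxc_raw_lines(rules):
    """Wrap the rules as lxc.apparmor.raw entries, the form quoted in the thread
    for a container using lxc.apparmor.profile = generated."""
    return ["lxc.apparmor.raw = " + rule for rule in rules]


if __name__ == "__main__":
    for line in lxc_raw_lines(apparmor_mount_rules()):
        print(line)
```

Running it prints eight `lxc.apparmor.raw` lines, from the bare `ro,remount,bind` rule up to the one carrying all three optional flags. Adding a fourth optional flag (the `strictatime` mentioned in the thread, say) doubles the count, which is the growth the author's wished-for `any(...)` syntax would avoid.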
