The following pull request was submitted through GitHub. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/3884
This e-mail was sent by the LXC bot; direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

mem and kmem are really in /dev, and they're not propagated into lxd containers, privileged or otherwise anyways, so these are useless.

Signed-off-by: Tycho Andersen <ty...@tycho.ws>
From d9bec3c1e4430caa025f91bd32908a0b9ce46375 Mon Sep 17 00:00:00 2001 From: Tycho Andersen <ty...@tycho.ws> Date: Mon, 2 Oct 2017 16:53:57 -0600 Subject: [PATCH] drop useless apparmor denies mem and kmem are really in /dev, and they're not propagated into lxd containers, privileged or otherwise anyways, so these are useless. Signed-off-by: Tycho Andersen <ty...@tycho.ws> --- lxd/apparmor.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/lxd/apparmor.go b/lxd/apparmor.go index f2920f421..9c018491d 100644 --- a/lxd/apparmor.go +++ b/lxd/apparmor.go @@ -80,8 +80,6 @@ const AA_PROFILE_BASE = ` # block some other dangerous paths deny @{PROC}/kcore rwklx, - deny @{PROC}/kmem rwklx, - deny @{PROC}/mem rwklx, deny @{PROC}/sysrq-trigger rwklx, # deny writes in /sys except for /sys/fs/cgroup, also allow
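Review bot: the commit message should state outright that `/proc/mem` and `/proc/kmem` do not exist as procfs paths (the kernel exposes `/dev/mem` and `/dev/kmem`, and per-process memory only as `/proc/<pid>/mem`), so the two lines removed here, `deny @{PROC}/kmem rwklx,` and `deny @{PROC}/mem rwklx,`, never matched anything and their removal changes nothing about what the profile actually blocks; as written, "they're not propagated into lxd containers" reads as if the rules were redundant with device handling rather than simply dead. Since the justification leans on the device nodes never reaching the container, it is worth deciding whether the profile wants an explicit `deny /dev/mem rwklx,` and `deny /dev/kmem rwklx,` next to the remaining `deny @{PROC}/kcore rwklx,` as a second layer in case the device-propagation rules ever change. The `kcore` and `sysrq-trigger` denies that stay are real procfs paths and are rightly kept.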
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
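The patch's claim is that two of the `deny` rules point at paths that do not exist, so they can never match. The following POSIX shell script is an added example, not LXD's own code or part of the pull request: it takes a constructed excerpt of the pre-patch `AA_PROFILE_BASE` deny block, expands the AppArmor `@{PROC}` tunable (assumed to be `/proc`, as in the standard tunables), lists the paths each `deny` rule targets, and reports the ones that do not exist on the running system. Run inside an LXD container it doubles as a quick check that `/dev/mem` and `/dev/kmem` are not visible there.

```shell
#!/bin/sh
# Constructed excerpt of the deny block as it stood before the patch
# (assumption: mirrors the hunk's "block some other dangerous paths" section).
PROFILE='  deny @{PROC}/kcore rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/sysrq-trigger rwklx,'

# Expand the AppArmor @{PROC} tunable.
# Assumption: @{PROC}=/proc, as defined in the standard AppArmor tunables.
expand_path() {
  printf '%s\n' "$1" | sed 's#@{PROC}/#/proc/#'
}

# Print the expanded target path of every "deny <path> <perms>," rule, one per line.
deny_paths() {
  printf '%s\n' "$1" | awk '$1 == "deny" { print $2 }' | while IFS= read -r p; do
    expand_path "$p"
  done
}

# Print the deny rules whose target path does not exist on this system.
# A rule listed here can never match and is a candidate for removal,
# which is exactly the case for /proc/kmem and /proc/mem in the patch.
dead_denies() {
  deny_paths "$1" | while IFS= read -r path; do
    [ -e "$path" ] || printf '%s\n' "$path"
  done
}

# Report whether a path is visible in the current mount namespace.
# Inside a container this shows whether a device node was propagated.
path_visible() {
  [ -e "$1" ]
}

# Stand-alone usage: list dead rules, then check the real device nodes.
dead_denies "$PROFILE"
for dev in /dev/mem /dev/kmem; do
  if path_visible "$dev"; then
    echo "$dev is visible here"
  else
    echo "$dev is not visible here"
  fi
done
```

On a Linux host `/proc/kcore` and `/proc/sysrq-trigger` exist (kcore subject to kernel config), so only `/proc/kmem` and `/proc/mem` are reported dead; the device-node check is informational and reflects whatever namespace the script runs in.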