And uploaded the updated ubuntu-meta.
Marking Fix released as the package is now in main.
** Changed in: lxd-agent-loader (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bug
Promoting to main now before I can update ubuntu-meta for the seed
change:
Override component to main
lxd-agent-loader 0.3 in focal: universe/admin -> main
lxd-agent-loader 0.3 in focal amd64: universe/misc/optional/100% -> main
lxd-agent-loader 0.3 in focal arm64: universe/misc/optional/100% -> m
Thanks for the extra explanations Stéphane.
Yeah I agree if it does file and exec there isn't much you can do to confine it
:-/
But hey I was +1 already and only suggesting, so we are good.
https://code.launchpad.net/~stgraber/ubuntu-
seeds/+git/ubuntu/+merge/381171
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868572
Title:
[MIR] lxd-agent-loader
To manage notifications about this b
- "further confinement would be nice to have"
This service is used to implement both the "lxc file" set of commands and the
"lxc exec" set of commands. As such it needs to be able to read and write every
file on the system and must be allowed to spawn unconfined commands. I don't
see how either
Time for the formal review ...
[Summary]
The package is small and clean, the function is clear.
I'd be tempted to wonder about security, but you already have a security Ack.
Therefore I'm MIR-Acking this as well, as formally it seems fine to me.
There are still a few TODOs (not gating the MIR):
-
As with other such conditional services it is important that they won't consume
cycles/memory in other places. But these are safe by having
ConditionPathExists=/dev/virtio-ports/org.linuxcontainers.lxd
Thanks for that
I understand that for the purpose what it is supposed to be doing it has
to have quite some capabilities. But essentially it is an externally
controlled data (that you mount to a known place) that is then executed
as-is.
I see that you have set the dependency to a "Requires" already which is good t
I'll do a MIR review on that later today or tomorrow morning
** Changed in: lxd-agent-loader (Ubuntu)
Assignee: (unassigned) => Christian Ehrhardt (paelzer)
I reviewed lxd-agent-loader 0.3 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
lxd-agent-loader is just 2 systemd units. As such, this package does not really
have much of an attack surface to speak of. There's no code, just 2
configu