Quoting Lawrance (liuq...@windawn.com):
> thanks for your rapid reply.
> sorry, I'm a newbie to AppArmor
>
> 1. what I should do is to create an AppArmor policy for
> /usr/lib/libvirt/libvirt_lxc or anything else?
libvirt_lxc sets up the container, which requires much more privilege than the container itself should have. In the lxc package, the program which starts the container (the equivalent of /usr/lib/libvirt/libvirt_lxc) enters a temporary domain automatically when it starts; then, right before it executes /sbin/init in the container, the code is changed to manually enter the container's domain.

> 2. how can I do per-container AppArmor policies
> 3. could I refer to the AppArmor policy below for lxc
> root@superstack:~# cat /etc/apparmor.d/lxc/lxc-default

The policy itself should be a good start for the restrictions you'll want on containers. However, libvirt already has a sophisticated security module infrastructure which should probably be extended for libvirt-lxc. For a temporary custom solution, it may be possible to create a domain based upon /etc/apparmor.d/usr.bin.lxc-start, modified to automatically switch to /etc/apparmor.d/lxc/lxc-default on executing /sbin/init.

--
https://bugs.launchpad.net/bugs/1088295
Title: lxc container can control other container's cpu share, memory limit, or access of block and character devices
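The two-stage confinement described in the reply (a privileged setup domain for the program that builds the container, and an automatic switch into a much tighter container domain at the moment /sbin/init is executed) can be expressed directly in AppArmor policy. The profile below is an added illustration written for this thread; it is not the lxc package's shipped /etc/apparmor.d/usr.bin.lxc-start, not the libvirt project's policy, and not a drop-in for the bug. It assumes the container profile is named lxc-container-default (the name the lxc package uses for the profile defined in /etc/apparmor.d/lxc/lxc-default); the deny rules in the hypothetical container profile are chosen to show how a container is kept away from the cgroup controls and device nodes named in the bug title, not to be complete.

```apparmor
# Added example, not from the bug thread or from the lxc/libvirt packages.
# Assumption: the container domain is a profile named "lxc-container-default".
#include <tunables/global>

# Setup domain: the process that builds the container. It needs real
# privilege (mounts, pivot_root, device setup), so this profile is wide.
/usr/lib/libvirt/libvirt_lxc flags=(attach_disconnected) {
  #include <abstractions/base>

  capability,
  network,
  mount,
  umount,
  pivot_root,

  /usr/lib/libvirt/libvirt_lxc mr,
  /** rwlk,

  # Let this domain (or its exec'd child) move into the container profile,
  # and only into that profile: no transition back to unconfined.
  change_profile -> lxc-container-default,

  # Automatic transition: when the setup domain execs the container's init,
  # the child runs under the container profile rather than inheriting this
  # privileged one. The target profile must already be loaded for this to apply.
  /sbin/init px -> lxc-container-default,
}

# Hypothetical minimal container domain, standing in for the real
# lxc-container-default so the example loads on its own. Everything not denied
# below is allowed by the broad "file" and "capability" rules; the point is
# what the container cannot reach.
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  capability,
  network,
  file,

  # The container must not reach the host's cgroup hierarchy: writing there is
  # how one container could change another's cpu share or memory limit.
  deny mount fstype=cgroup,
  deny /sys/fs/cgroup/** wklx,

  # No new device nodes, and no creation of block or character devices:
  # the container should only see what the setup domain populated in /dev.
  deny mount fstype=devtmpfs,
  deny /dev/** wklx,

  # Keep the container from re-entering the privileged setup domain.
  deny change_profile,
}
```

To try it, place the file under /etc/apparmor.d/ and load it with `apparmor_parser -r <file>`; `aa-status` then lists both profiles, and a process started under the first one appears under the second once it has exec'd /sbin/init. The `px ->` rule is what makes the switch automatic, which is the difference between this layout and the lxc package's approach of having the launcher call into the container domain manually just before exec.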