[Bug 1021421] [NEW] Allow fstype=fuse.*, for all containers
Stéphane Graber
stgraber at stgraber.org
Thu Jul 5 18:09:13 UTC 2012
Public bug reported:
It's been reported that quite a few juju charms require mounting fuse filesystems.
lxc-ubuntu's default template already allows access to /dev/fuse but the apparmor profile doesn't currently allow mounting these filesystems.
After discussing it with Serge, we don't think there's any additional
risk to allowing fuse filesystem mounts in the container; any concern
with fuse should be resolved by blocking /dev/fuse in the container's
config instead of preventing mounts in apparmor.
[rationale]
Quite a few juju charms rely on fuse to mount some filesystems (sshfs, glusterfs, ...). These are currently blocked by apparmor even though /dev/fuse itself is allowed by default.
[test case]
1) lxc-create -t ubuntu -n p1
2) lxc-start -n p1
2a) apt-get install sshfs
2b) sshfs <host> <path>
2b) should succeed (would be permission denied in the past)
[regression potential]
The change is limited to allowing fstype=fuse.* in apparmor. The profile has already been tested on precise and quantal, so we know the apparmor parser will compile the profile just fine. The worst case I can see happening is some fuse filesystems not being allowed by this expression, but it'd be no worse than what we have today (none of them being allowed).
** Affects: lxc (Ubuntu)
Importance: Undecided
Status: Fix Released
** Affects: lxc (Ubuntu Precise)
Importance: Wishlist
Assignee: Stéphane Graber (stgraber)
Status: In Progress
** Affects: lxc (Ubuntu Quantal)
Importance: Undecided
Status: Fix Released
** Also affects: lxc (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Quantal)
Importance: Undecided
Status: New
** Changed in: lxc (Ubuntu Quantal)
Status: New => Fix Released
** Changed in: lxc (Ubuntu Precise)
Status: New => In Progress
** Changed in: lxc (Ubuntu Precise)
Importance: Undecided => Wishlist
** Changed in: lxc (Ubuntu Precise)
Assignee: (unassigned) => Stéphane Graber (stgraber)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1021421
Title:
Allow fstype=fuse.*, for all containers
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1021421/+subscriptions
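
The report places the control point for FUSE in the container's device configuration rather than in the AppArmor mount rule, and that setting can be audited per container. The following is an added example, not part of the original bug report or of LXC: it evaluates the `lxc.cgroup.devices.*` lines of a container config in order and returns the access to /dev/fuse (character device 10:229) that remains. The sample configs are constructed, and the evaluation is a simplified last-write-wins model of the device cgroup that assumes an allow-all starting state.

```python
import re

FUSE_DEV = ("c", 10, 229)  # /dev/fuse: character device, major 10, minor 229
RULE_RE = re.compile(r"^\s*lxc\.cgroup\.devices\.(allow|deny)\s*=\s*(.+?)\s*$")

# Constructed sample configs (not copied from any shipped template).
DEFAULT_STYLE = """\
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
# fuse
lxc.cgroup.devices.allow = c 10:229 rwm
"""
HARDENED = DEFAULT_STYLE + "lxc.cgroup.devices.deny = c 10:229 rwm\n"

def parse_device_rules(config_text):
    """Return ordered (action, type, major, minor, access) tuples."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        action, spec = m.groups()
        parts = spec.split()
        if parts == ["a"]:  # "a" alone covers every device and access bit
            rules.append((action, "a", "*", "*", "rwm"))
            continue
        if len(parts) != 3 or ":" not in parts[1]:
            raise ValueError("malformed device rule: %r" % spec)
        major, minor = parts[1].split(":", 1)
        rules.append((action, parts[0], major, minor, parts[2]))
    return rules

def allowed_access(rules, device=FUSE_DEV):
    """Return the subset of 'rwm' left for `device` after all rules apply."""
    dtype, dmajor, dminor = device
    granted = set("rwm")  # assumption: container starts from allow-all
    for action, rtype, major, minor, access in rules:
        if rtype not in ("a", dtype):
            continue
        if major not in ("*", str(dmajor)) or minor not in ("*", str(dminor)):
            continue
        if action == "allow":
            granted |= set(access)
        else:
            granted -= set(access)
    return "".join(bit for bit in "rwm" if bit in granted)

if __name__ == "__main__":
    for name, cfg in (("default-style", DEFAULT_STYLE), ("hardened", HARDENED)):
        print(name, repr(allowed_access(parse_device_rules(cfg))))
```

An empty result for the hardened config means the container cannot open /dev/fuse at all, so a permitted `fstype=fuse.*` mount rule in AppArmor has nothing to act on.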