[Bug 1373555] Re: please restrict signal, ptrace and unix mediation to the container
Jamie Strandboge
jamie at ubuntu.com
Wed Sep 24 19:28:06 UTC 2014
Here is the debdiff. It works with the testing as outlined in
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor#Desktop_only
(see the lxc section). This is not comprehensive, so I am hoping an lxc
maintainer can run this through its paces. Also, I made no changes to
start-container because I wasn't sure of the benefit it would provide there.
Feel free to apply the types of rules made to container-base to
start-container. The debdiff updates rules a little, and I tested that it dtrt
when building on trusty.
** Patch added: "lxc_1.1.0~alpha1-0ubuntu5.debdiff"
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1373555/+attachment/4213972/+files/lxc_1.1.0%7Ealpha1-0ubuntu5.debdiff
** Description changed:
Right now the container policy uses bare rules for ptrace and signal. We
should refine these rules to be container specific and add unix rules to
- do the same.
+ do the same. Obviously, namespaces are intended to block these accesses
+ in and of themselves, but this add an incremental improvement and
+ security in depth in case something goes wrong there.
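To illustrate the distinction the description draws, here is a constructed AppArmor fragment (not taken from the debdiff or the lxc package) that places the bare rules beside a container-scoped form; the profile names are placeholders and the flags are only those commonly used for container profiles:

```apparmor
# Constructed illustration, not the lxc project's own container-base profile.
# Profile names "lxc-example-bare" and "lxc-example" are placeholders.

# Before: bare rules. These permit ptrace, signal and unix-socket access
# to ANY peer the kernel will otherwise allow, so containment of these
# operations rests entirely on PID/IPC namespaces.
profile lxc-example-bare flags=(attach_disconnected,mediate_deleted) {
  ptrace,
  signal,
  unix,
}

# After: the same classes of access, but the peer must carry this
# profile's own label. Namespaces still do the primary isolation; the
# rules add the incremental, defence-in-depth layer the bug asks for.
profile lxc-example flags=(attach_disconnected,mediate_deleted) {
  # ptrace: only processes confined by this same profile
  ptrace peer=@{profile_name},

  # signals: exchanged only among processes in this profile, while the
  # (unconfined) host side may still signal the container, e.g. to stop it
  signal (send, receive) peer=@{profile_name},
  signal (receive) peer=unconfined,

  # unix sockets: only peers labelled with this profile
  unix peer=(label=@{profile_name}),
}
```

`apparmor_parser -Q` parses such a profile without loading it into the kernel, which is a quick syntax check before exercising the rules on a running container.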
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1373555
Title:
please restrict signal, ptrace and unix mediation to the container
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1373555/+subscriptions
More information about the Ubuntu-server-bugs mailing list