[Bug 1424154] Re: apparmor sysfs remount rejection on lxc-start

Serge Hallyn 1424154 at bugs.launchpad.net
Tue Feb 24 04:36:53 UTC 2015


Thanks for posting this bug.  That rule is actually something we
specifically do not want :)

The mount (remount) being denied is by the container itself.  Lxc ahead
of time had mounted /sys read-only, with /sys/class/net (which is
properly namespaced) being read-write.  This is indicated in
/usr/share/lxc/config/common.conf by the 'lxc.mount.auto = sys:mixed'.
Mixed is the mixture of readonly and read-write.

By adding the apparmor rule, we would be allowing the container to
bypass the readonly restrictions lxc has placed on it.

(If you were to actually need to write to /sys from the container, you
could add 'lxc.mount.auto = sys:rw' at the end of your container's
configuration file.  The default container apparmor profile would still
try to protect against writes to many of the unsafe paths (as seen in
/etc/apparmor.d/abstractions/lxc/container-base).)

Perhaps we should have a deny rule to specifically silence this denial.

** Changed in: lxc (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1424154

Title:
  apparmor sysfs remount rejection on lxc-start

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1424154/+subscriptions
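One way to confirm from inside a container that the sys:mixed layout described in the comment (read-only /sys with a read-write /sys/class/net) is actually in effect. This is an added example, not code from the bug report or from LXC itself; the mountinfo excerpt is constructed, not captured from a real system.

```shell
#!/bin/sh
# Constructed /proc/self/mountinfo excerpt as it would look inside a container
# started with lxc.mount.auto = sys:mixed. Field 5 is the mount point, field 6
# the per-mount options (ro/rw come first). Not captured from a real system.
SAMPLE_MOUNTINFO='36 35 0:31 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
37 36 0:31 /class/net /sys/class/net rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw'

# mount_mode <mountinfo-text> <mountpoint>: print "ro" or "rw" for the exact
# mount point, or "absent" when the path is not a mount point at all (a plain
# directory under a mount inherits the parent's mode, which is what we want
# to detect for /sys/class/net).
mount_mode() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp {
            n = split($6, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "ro" || o[i] == "rw") { print o[i]; found = 1; exit }
        }
        END { if (!found) print "absent" }
    '
}

# check_sys_mixed <mountinfo-text>: succeed only when /sys is read-only AND
# /sys/class/net is its own read-write mount, i.e. the container cannot
# remount /sys rw but can still manage its namespaced network devices.
check_sys_mixed() {
    [ "$(mount_mode "$1" /sys)" = ro ] &&
    [ "$(mount_mode "$1" /sys/class/net)" = rw ]
}

# Against the constructed sample; inside a real container use
#   check_sys_mixed "$(cat /proc/self/mountinfo)"
check_sys_mixed "$SAMPLE_MOUNTINFO" && echo "sys:mixed layout confirmed"
```

A container configured with sys:rw will fail this check because /sys itself reports rw, which is the layout the bug comment warns the requested apparmor rule would silently allow.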
