[pkg-lxc-devel] Bug#916639: LXC AppArmor confinement breaks systemd v240

Pierre-Elliott Bécue peb at debian.org
Sun Jan 27 15:52:40 GMT 2019


On Thursday, 17 January 2019 at 11:41:49+0100, Wolfgang Bumiller wrote:
> 
> > On January 13, 2019 at 11:40 AM intrigeri <intrigeri at debian.org> wrote:
> > 
> > 
> > Hi Christian,
> > 
> > Christian Brauner:
> > > Did you backport the new config keys as well?
> > > If so we can't carry that version upstream.
> > > Since this would be a feature release.
> > > If you only backported the internal profile changes then we can
> > > carry it upstream and you should send your patch.
> > 
> > I've backported e6ec0a9, e7311a84 and 1800f92. This indeed includes
> > the copy of lxd's apparmor profile generation and thus the new config
> > keys. I *think* I've initially tried backporting only the policy
> > changes but that was not sufficient. But I might have skipped this
> > step, I can't recall.
> 
> The thing is, systemd may get more possible mount flag combinations
> in the future anyway, so the policy changes won't be enough for long.
> (There already seem to be some services which want 'strictatime' which
> effectively means re-doubling those rules with 'strictatime'.
> Considering there are a bunch more flags which theoretically could be used
> and which would theoretically be acceptable from the (think: noatime,
> nodiratime, relatime, sync/async, perhaps even mand, unbindable, verbose)
> adding all possible combinations seems rather silly and I'd much rather
> have apparmor provide a way to have optional flags.
> There's currently no way to express a mount rule with "at least
> `ro,remount,bind` *together* with any combination of
> `nosuid,nodev,noexec,strictatime,sync,...` on a single line...

Hi,

We have to decide what solution I will implement. I'm open to
suggestions, although I'm considering the "disable apparmor profiles for
lxc" solution for now.

Best regards

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
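The mount-rule explosion Wolfgang describes can be made concrete with a small generator. This is an added example, not code from the lxc or lxd projects and not part of this thread. It assumes the reading of AppArmor mount rules the thread relies on: `mount options=(...)` matches a flag set exactly, so every combination of optional flags needs its own rule; the destination glob `/**` and the flag names are illustrative.

```python
"""Enumerate the AppArmor mount rules needed to permit a fixed set of
required mount flags together with any subset of optional flags.

Added example for illustration only; not lxc/lxd project code.
Assumption: AppArmor's `mount options=(...)` is an exact match on the
flag set, so each distinct combination of flags needs a separate rule.
"""
from itertools import combinations


def mount_rules(required, optional, dest="/**"):
    """Return one `mount options=(...) -> dest,` line per subset of `optional`.

    Every rule carries all of `required`; 2 ** len(optional) rules result,
    which is why each new flag systemd starts using doubles the policy.
    """
    required = tuple(required)
    optional = tuple(optional)
    rules = []
    for n in range(len(optional) + 1):
        for extra in combinations(optional, n):
            flags = ",".join(required + extra)
            rules.append(f"  mount options=({flags}) -> {dest},")
    return rules


def rule_flags(rule):
    """Parse the flag set back out of a rule emitted by mount_rules()."""
    start = rule.index("options=(") + len("options=(")
    end = rule.index(")", start)
    return frozenset(rule[start:end].split(","))


def is_allowed(flags, rules):
    """Exact-match check: would a mount carrying exactly `flags` hit a rule?

    Order of flags is irrelevant (sets are compared), but a flag that no
    rule lists, e.g. a freshly introduced `strictatime`, is denied.
    """
    want = frozenset(flags)
    return any(rule_flags(r) == want for r in rules)


if __name__ == "__main__":
    REQUIRED = ("ro", "remount", "bind")
    OPTIONAL = ("nosuid", "nodev", "noexec")
    print("\n".join(mount_rules(REQUIRED, OPTIONAL)))           # 8 rules
    print(len(mount_rules(REQUIRED, OPTIONAL + ("strictatime",))))  # 16
```

Run it to see the eight rules for three optional flags; adding `strictatime` to the optional list doubles that to sixteen, and a mount that combines a flag outside the list with the required ones is rejected by `is_allowed`, which is exactly the gap the thread describes.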