History log of /lxc/config/apparmor/abstractions/container-base
Revision Date Author Comments
564ad051ce487e5f684feb4ace09545ef9e1b9d5 28-Jun-2016 Stéphane Graber <stgraber@ubuntu.com>

apparmor: Refresh generated file

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

549a40b6128892112895299e445e0564c3faaea2 27-Jun-2016 Stéphane Graber <stgraber@ubuntu.com>

apparmor: Update mount states handling

Properly list all of the states and the right apparmor stanza for them, then comment them all as actually enabling this would currently let the user bypass apparmor entirely.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

7e4c9a30feb3905902a158cde099f4510a54d5ef 27-Jun-2016 Stéphane Graber <stgraber@ubuntu.com>

apparmor: allow mount move

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

9a1d96120f578d35227895aff3852ef10a9e1b1d 27-Jun-2016 Stéphane Graber <stgraber@ubuntu.com>

apparmor: Allow bind-mounts and {r}shared/{r}private

Bind-mounts aren't harmful in containers, so long as they're not used to bypass MAC policies. This change allows bind-mounting of any path which isn't a dangerous filesystem that's otherwise blocked by apparmor. This also allows switching paths {r}shared or {r}private.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

b03f1f4ac3666abd032ddc617823213568ad577b 11-May-2016 Stéphane Graber <stgraber@ubuntu.com>

Also allow fstype=fuse for fuse filesystems

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

4845c17aff570c25e05c5347dfdcd577cb108d47 16-Mar-2016 Serge Hallyn <serge.hallyn@ubuntu.com>

Prevent access to pci devices

Prevent privileged containers from messing with the host's pci devices directly. Refuse access under /proc/bus, and drop cap_sys_rawio. Some containers may need to re-enable cap_sys_rawio (i.e. if they run an X server). It may be desirable to break some of this stuff into files which can be separately included (or not included), but this patch isn't the right place for that.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

537188a8eefd6df82995e71f453fce4d6622b110 08-Mar-2016 Serge Hallyn <serge.hallyn@ubuntu.com>

prevent containers from reading /sys/kernel/debug

Unprivileged containers cannot read it anyway, but also prevent root owned containers from doing so. Sadly upstart's mountall won't run if we try to prevent it from being mounted at all.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

056f8bba0d86ca2ba481a932f23faff9db2ef588 07-Mar-2016 Stéphane Graber <stgraber@ubuntu.com>

Properly update the generated apparmor profiles

Some changes happened but the final profiles weren't generated...

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

98b745498bf97637f68311f944903777f3ee1e67 05-Jan-2015 Stéphane Graber <stgraber@ubuntu.com>

apparmor: Block access to /proc/kcore

Just like we block access to mem and kmem, there's no good reason for the container to have access to kcore.

Reported-by: Marc Schaefer
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

807f4c9e1eaae674c76fd3a97d0b4a8810004177 29-Sep-2014 Jamie Strandboge <jamie@canonical.com>

apparmor: restrict signal and ptrace for processes

Restrict signal and ptrace for processes running under the container profile. Rules based on AppArmor base abstraction. Add unix rules for processes running under the container profile.

Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

f2f545857cd6b06689bb1220d66d3577f802dbbc 30-Jun-2014 Jesse Tane <jesse.tane@gmail.com>

Apparmor: allow hugetlbfs mounts everywhere

Signed-off-by: Jesse Tane <jesse.tane@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

773bd28258371ad0058ff946c5cf94419920ffdd 29-Apr-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

apparmor: allow writes to sem* and msg* sysctls

/proc/sys/kernel/sem* and /proc/sys/kernel/msg* are ipc sysctls which are properly namespaced. Allow writes to them from containers.

Reported-by: Dan Kegel <dank@kegel.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

2a31251cc5f428f96ee3d322a78556310a681e14 04-Apr-2014 Stéphane Graber <stgraber@ubuntu.com>

apparmor: Update profiles for current upstream parser

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

94a77f3fd8be2fb87f7d1465521fac3ec4b7e6b5 02-Apr-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

apparmor: deny writes to most of /proc/sys (v2)

Allow writes to kernel.shm*, net.*, kernel/domainname and kernel/hostname,

Also fix a bug in the lxc-generate-aa-rules.py script in a path which wasn't being exercised before, which returned a path element rather than its child.

Changelog (v2): remove trailing / from block path

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

198b363fff1de9afcee2f26b9aa847316f589afe 01-Apr-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

apparmor: auto-generate the blacklist rules

This uses the generate-apparmor-rules.py script I sent out some time ago to auto-generate apparmor rules based on a higher level set of block/allow rules.

Add apparmor policy testcase to make sure that some of the paths we expect to be denied (and allowed) write access to are in fact in effect in the final policy.

With this policy, libvirt in a container is able to start its default network, which previously it could not.

v2: address feedback from stgraber
    put lxc-generate-aa-rules.py into EXTRA_DIST
    add lxc-test-apparmor, container-base and container-rules to .gitignore
    take lxc-test-apparmor out of EXTRA_DIST
    make lxc-generate-aa-rules.py pep8-compliant
    don't automatically generate apparmor rules
        This is only bc we can't be guaranteed that python3 will be available.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

c08a0b7c4e459f32a939391bc5c9667eb7c7ab5c 03-Feb-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

cgmanager: container-base apparmor abstraction: allow mount move

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

8da250dad4b11c4983031742a83fb8f358044fe0 16-Jan-2014 Stéphane Graber <stgraber@ubuntu.com>

apparmor: Add profiles

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>