History log of /lxc/config/apparmor/abstractions/start-container
Revision Date Author Comments
05352fc9304f465b9322e22d19f62641d82dc6ad 27-Jun-2016 Wolfgang Bumiller <w.bumiller@proxmox.com>

AppArmor: add make-rslave to usr.bin.lxc-start

The profile already contains mount options=(rw, make-slave) -> **, which allows going through all mountpoints with make-slave, so it seems to make sense to also allow the directly recursive variant with "make-rslave".

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

1b0c17462ad4f9a05ea6e5ced5e444152ec7a193 30-Jan-2015 Serge Hallyn <serge.hallyn@ubuntu.com>

apparmor: support lxc.ttydir when bind-mounting ptys

Because we now create the ttys from inside the container, we had to add an apparmor rule for start-container to bind-mount /dev/pts/** -> /dev/tty*/. However that's not sufficient if the container sets lxc.ttydir, in which case we need to support mounting onto files in subdirs of /dev.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

e8bd4e430bf76ed4737563476ce685b2425412ec 29-Jan-2015 Serge Hallyn <serge.hallyn@ubuntu.com>

create lxc.tty ptys from container process

Lxc has always created the ptys for use by console and ttys early on from the monitor process. This has some advantages, but also has disadvantages, namely (1) container ptys counting against the max ptys for the host, and (2) not having a /dev/pts/N in the container to pass to getty. (2) was not a problem for us historically because we bind-mounted the host's /dev/pts/N onto a /dev/ttyN in the container. However, systemd hardcodes a check for container_ttys that the path have 'pts/' in it. If it were only for (2) I'd have opted for a systemd patch to check the device major number, but (1) made it worth moving the openpty to the container namespace.

So this patch moves the tty creation into the task which becomes the container init. It then passes the fds for the opened ptys back to the monitor over a unix socketpair (for use by lxc-console). The /dev/console is still created in the monitor process, so that it can for instance be used by lxc.logfd.

So now if you have a foreground container with lxc.tty = 4, you should end up with one host /dev/pts entry per container rather than 5. And lxc-console now works with systemd containers.

Note that if the container init mounts its own devpts over the one mounted by lxc, the tty /dev/pts/n will be hidden. This is ok since it's only systemd that needs it, and systemd won't do that.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

64b4c7a34b5c0407f3bcddc83f7c061dadb583bb 08-Jan-2015 Martin Pitt <martin.pitt@ubuntu.com>

apparmor: Fix slave bind mounts

The permission to make a mount "slave" is spelt "make-slave", not "slave", see https://launchpad.net/bugs/1401619.

Also, we need to make all mounts slave, not just the root dir.

https://launchpad.net/bugs/1350947

7987eddb9f916b67110fb2d04470bed10022f67f 30-Jul-2014 Martin Pitt <martin.pitt@ubuntu.com>

apparmor: Allow slave bind mounts

Without this, if the system uses shared subtrees by default (like systemd), you get a large stream of

lxc-start: Permission denied - Failed to make /<mountpoint> rslave
lxc-start: Continuing...

with

apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=17284 comm="lxc-start" flags="rw, slave"

and eventual failure plus a lot of leftover mounts in the host.

https://launchpad.net/bugs/1325468

524505b9714beac89f4952296cefa9f997168b98 08-Apr-2014 Stéphane Graber <stgraber@ubuntu.com>

apparmor: Use more generic allow rule for pivot

Recent fixes in the apparmor kernel code are now making at least the CI environment and quite possibly some others fail due to an invalid path in the pivot_root stanza. So update both lines to allow a more generic pivot_root call for anything in LXC's work directory.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

2a31251cc5f428f96ee3d322a78556310a681e14 04-Apr-2014 Stéphane Graber <stgraber@ubuntu.com>

apparmor: Update profiles for current upstream parser

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

8da250dad4b11c4983031742a83fb8f358044fe0 16-Jan-2014 Stéphane Graber <stgraber@ubuntu.com>

apparmor: Add profiles

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>