History log of /lxc/config/apparmor/container-rules.base
Revision    Date    Author    Comments
773bd28258371ad0058ff946c5cf94419920ffdd 29-Apr-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

apparmor: allow writes to sem* and msg* sysctls

/proc/sys/kernel/sem* and /proc/sys/kernel/msg* are ipc sysctls which are properly namespaced. Allow writes to them from containers.

Reported-by: Dan Kegel <dank@kegel.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

94a77f3fd8be2fb87f7d1465521fac3ec4b7e6b5 02-Apr-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

apparmor: deny writes to most of /proc/sys (v2)

Allow writes to kernel.shm*, net.*, kernel/domainname and kernel/hostname. Also fix a bug in the lxc-generate-aa-rules.py script in a path which wasn't being exercised before, which returned a path element rather than its child.

Changelog (v2): remove trailing / from block path

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

198b363fff1de9afcee2f26b9aa847316f589afe 01-Apr-2014 Serge Hallyn <serge.hallyn@ubuntu.com>

apparmor: auto-generate the blacklist rules

This uses the generate-apparmor-rules.py script I sent out some time ago to auto-generate apparmor rules based on a higher level set of block/allow rules.

Add apparmor policy testcase to make sure that some of the paths we expect to be denied (and allowed) write access to are in fact in effect in the final policy.

With this policy, libvirt in a container is able to start its default network, which previously it could not.

v2: address feedback from stgraber
  - put lxc-generate-aa-rules.py into EXTRA_DIST
  - add lxc-test-apparmor, container-base and container-rules to .gitignore
  - take lxc-test-apparmor out of EXTRA_DIST
  - make lxc-generate-aa-rules.py pep8-compliant
  - don't automatically generate apparmor rules. This is only because we can't be guaranteed that python3 will be available.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
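The block/allow to deny-rule generation that the three commits above describe, as an added example written for this page: it is illustrative code, not LXC's lxc-generate-aa-rules.py or its lxc-test-apparmor testcase. The generator builds a character trie of the allowed paths beneath the blocked root and emits one negated-character-class deny rule per prefix, so that everything under the root except the allowed paths is denied write access. The rule shape (`[^..]*{,/**}`, `wklx` permissions), the `_glob_to_regex` matcher and the sample block/allow policy (shm*, sem*, msg*, hostname, domainname, net/**) are assumptions. `write_denied` plays the role of the policy testcase: given the generated rules, it checks whether a path we expect to be denied (or allowed) write access actually is.

```python
import re


class _Node:
    """One character of an allowed path, relative to the blocked root."""

    def __init__(self):
        self.children = {}
        self.exact = False  # an allow rule ends exactly at this prefix
        self.glob = False   # an allow rule ends here with a trailing '*' or '**'


def generate_deny_rules(block, allows):
    """Turn a blocked root plus allowed sub-paths into AppArmor deny rules that
    cover everything under `block` not named in `allows`.

    The output shape (prefix negation via `[^ab]*{,/**}`, `wklx` permissions)
    is an assumption modelled on the style of rules LXC ships, not its script."""
    root = _Node()
    for allow in allows:
        if not allow.startswith(block + "/"):
            raise ValueError(f"{allow} is not below {block}")
        rel = allow[len(block) + 1:]
        node = root
        for ch in rel.rstrip("*"):
            node = node.children.setdefault(ch, _Node())
        if rel.endswith("*"):
            node.glob = True
        else:
            node.exact = True

    rules = []

    def walk(node, prefix):
        if node.glob:
            return  # everything below this prefix is allowed, nothing to deny
        nxt = sorted(node.children)
        if nxt:
            # deny any sibling whose next character is not on an allowed path
            rules.append(f"  deny {block}/{prefix}[^{''.join(nxt)}]*{{,/**}} wklx,")
        if node.exact:
            # an allow ends exactly here: deny anything nested under it and,
            # unless an allowed path continues past it, any longer name too
            tail = "/**" if nxt else "{?*,/**}"
            rules.append(f"  deny {block}/{prefix}{tail} wklx,")
        for ch in nxt:
            walk(node.children[ch], prefix + ch)

    walk(root, "")
    return rules


def _glob_to_regex(pat):
    """Translate the subset of AppArmor globbing used above into a regex:
    '*' and '?' do not cross '/', '**' does, '[^..]' is a class, '{a,b}' alternates."""
    out, i = [], 0
    while i < len(pat):
        c = pat[i]
        if pat.startswith("**", i):
            out.append(".*")
            i += 2
        elif c == "*":
            out.append("[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = pat.index("]", i)
            body = pat[i + 1:j]
            neg = body.startswith("^")
            chars = "".join("\\" + ch if ch in "\\]^-" else ch for ch in body.lstrip("^"))
            out.append("[" + ("^" if neg else "") + chars + "]")
            i = j + 1
        elif c == "{":
            j = pat.index("}", i)
            alts = pat[i + 1:j].split(",")
            out.append("(?:" + "|".join(_glob_to_regex(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def write_denied(rules, path):
    """True if some deny rule carrying 'w' matches `path`. In AppArmor an explicit
    deny overrides any allow, so deny rules alone decide the outcome here."""
    for rule in rules:
        tokens = rule.strip().rstrip(",").split()
        if tokens[0] != "deny" or "w" not in tokens[2]:
            continue
        if re.fullmatch(_glob_to_regex(tokens[1]), path):
            return True
    return False


# Constructed block/allow policy mirroring what the commit messages describe.
BLOCK = "/proc/sys"
ALLOWS = [
    "/proc/sys/kernel/shm*",
    "/proc/sys/kernel/sem*",
    "/proc/sys/kernel/msg*",
    "/proc/sys/kernel/hostname",
    "/proc/sys/kernel/domainname",
    "/proc/sys/net/**",
]
RULES = generate_deny_rules(BLOCK, ALLOWS)

if __name__ == "__main__":
    print("\n".join(RULES))
    for p in ("/proc/sys/kernel/sysrq", "/proc/sys/kernel/shmmax", "/proc/sys/net/ipv4/ip_forward"):
        print(p, "denied" if write_denied(RULES, p) else "allowed")
```

Running the file prints the generated rule set followed by a verdict for a few paths. The sysctl-name prefixes in the sample policy are the ones the commits above list; the verdict function only consults deny rules, which is the right approximation for this policy because nothing under the blocked root is otherwise granted write access by an allow rule that a deny would need to be weighed against.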