tests: Kill containers (don't wait for shutdown) We waste a lot of time waiting for Ubuntu containers to cleanly stop right before we destroy them anyway. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Update Ubuntu release name: add zesty and remove wily Add zesty to KNOWN_RELEASES Remove EOL wily from KNOWN_RELEASES Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>

tests: fix image download for s390x Make release selection more flexible. Update the KNOWN_RELEAES list, add yakkety and remove vivid. Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>

tests: set clone_children if need be Lxc only sets it on /lxc, not on /. It's conceivable that we should really re-set this to the original value, to prevent making later tests not fail when they should. I didn't do that. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

update tests to recognize cgns profile Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-test-apparmor-mount: don't clear out /etc/lxc/lxc-usernet Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Fix the unprivileged tests cgroup management To cover all the cases we have around, we need to: - Attempt to use cgm if present (preferred) - Attempt to use cgmanager directly over dbus otherwise - Fallback to cgroupfs Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>

apparmor: improve behavior when kernel lacks mount restrictions (v2) (Dwight, I took the liberty of adding your Ack but the code did change a bit to continue passing the char *label from attach. Tested that "lxc-start -n u1 -s lxc.aa_profile=p2; lxc-attach -n u1" does attach you to the p2 profile) Apparmor policies require mount restrictions to fullfill many of their promises - for instance if proc can be mounted anywhere, then 'deny /proc/sysrq-trigger w' prevents only accidents, not malice. The mount restrictions are not available in the upstream kernel. We can detect their presence through /sys. In the past, when we detected it missing, we would not enable apparmor. But that prevents apparmor from helping to prevent accidents. At the same time, if the user accidentaly boots a kernel which has regressed, we do not want them starting the container thinking they are more protected than they are. This patch: 1. adds a lxc.aa_allow_incomplete = 1 container config flag. If not set, then any container which is not set to run unconfined will refuse to run. If set, then the container will run with apparmor protection. 2. to pass this flag to the apparmor driver, we pass the container configuration (lxc_conf) to the lsm_label_set hook. 3. add a testcase. To test the case were a kernel does not provide mount restrictions, we mount an empty directory over the /sys/kernel/security/apparmor/features/mount directory. In order to have that not be unmounted in a new namespace, we must test using unprivileged containers (who cannot remove bind mounts which hide existing mount contents). Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>