<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/source/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in lxc-test-apparmor-mount</title>
    <link>http://src.iws.cs.ovgu.de/source/rss/lxc/src/tests/lxc-test-apparmor-mount</link>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2005</copyright>
    <generator>Java</generator>
    <item>
        <title>tests: Kill containers (don't wait for shutdown)
    
    We waste a lot of time waiting for Ubuntu containers to cleanly stop
    right before we destroy them anyway.
    
    Signed-off-by: Stéphane Graber &lt;stgraber@ubuntu.com&gt;</title>
        <description>/lxc/src/tests/lxc-test-apparmor-mount - 8bb165038d60d59084c1fafee171948244f0f86a</description>
        <pubDate></pubDate>
        <dc:creator>Stéphane Graber &lt;stgraber@ubuntu.com&gt;</dc:creator>
    </item>

    <item>
        <title>Update Ubuntu release name: add zesty and remove wily
    
    Add zesty to KNOWN_RELEASES
    Remove EOL wily from KNOWN_RELEASES
    
    Signed-off-by: Po-Hsu Lin &lt;po-hsu.lin@canonical.com&gt;</title>
        <description>/lxc/src/tests/lxc-test-apparmor-mount - 3a5495cf2f6c1806f5a91d699448b15b510f146e</description>
        <pubDate></pubDate>
        <dc:creator>Po-Hsu Lin &lt;po-hsu.lin@canonical.com&gt;</dc:creator>
    </item>

    <item>
        <title>tests: fix image download for s390x
    
    Make release selection more flexible.
    Update the KNOWN_RELEASES list, add yakkety and remove vivid.
    
    Signed-off-by: Po-Hsu Lin &lt;po-hsu.lin@canonical.com&gt;</title>
        <description>/lxc/src/tests/lxc-test-apparmor-mount - 01c05c821093dc854def146d4bab62885d8eb664</description>
        <pubDate></pubDate>
        <dc:creator>Po-Hsu Lin &lt;po-hsu.lin@canonical.com&gt;</dc:creator>
    </item>

    <item>
        <title>tests: set clone_children if need be
    
    Lxc only sets it on /lxc, not on /.
    
    It's conceivable that we should really re-set this to the original
    value, to prevent making later tests not fail when they should.  I
    didn't do that.
    
    Signed-off-by: Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;</title>
        <description>/lxc/src/tests/lxc-test-apparmor-mount - 177f793ae07431b2db86b5fa1b63cd59f9a66319</description>
        <pubDate></pubDate>
        <dc:creator>Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;</dc:creator>
    </item>

    <item>
        <title>update tests to recognize cgns profile
    
    Signed-off-by: Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;</title>
        <description>/lxc/src/tests/lxc-test-apparmor-mount - f58236fd702f8979a68a74e17c7a81f37899edf7</description>
        <pubDate></pubDate>
        <dc:creator>Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;</dc:creator>
    </item>

    <item>
        <title>lxc-test-apparmor-mount: don't clear out /etc/lxc/lxc-usernet
    
    Signed-off-by: Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;</title>
        <description>/lxc/src/tests/lxc-test-apparmor-mount - efdca59e498ce7a7ff0db091d7d2fec01a91b8ea</description>
        <pubDate></pubDate>
        <dc:creator>Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;</dc:creator>
    </item>

    <item>
        <title>Fix the unprivileged tests cgroup management
    
    To cover all the cases we have around, we need to:
     - Attempt to use cgm if present (preferred)
     - Attempt to use cgmanager directly over dbus otherwise
     - Fallback to cgroupfs
    
    Signed-off-by: Stéphane Graber &lt;stgraber@ubuntu.com&gt;
    Acked-by: Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;</title>
        <description>/lxc/src/tests/lxc-test-apparmor-mount - 42e5c9878f0d20b3e9682ef441afed2f0228b298</description>
        <pubDate></pubDate>
        <dc:creator>Stéphane Graber &lt;stgraber@ubuntu.com&gt;</dc:creator>
    </item>

    <item>
        <title>apparmor: improve behavior when kernel lacks mount restrictions (v2)
    
    (Dwight, I took the liberty of adding your Ack but the code did
    change a bit to continue passing the char *label from attach.
    Tested that "lxc-start -n u1 -s lxc.aa_profile=p2; lxc-attach -n u1"
    does attach you to the p2 profile)
    
    Apparmor policies require mount restrictions to fulfill many of
    their promises - for instance if proc can be mounted anywhere,
    then 'deny /proc/sysrq-trigger w' prevents only accidents, not
    malice.
    
    The mount restrictions are not available in the upstream kernel.
    We can detect their presence through /sys.  In the past, when
    we detected it missing, we would not enable apparmor.  But that
    prevents apparmor from helping to prevent accidents.
    
    At the same time, if the user accidentally boots a kernel which
    has regressed, we do not want them starting the container thinking
    they are more protected than they are.
    
    This patch:
    
    1. adds a lxc.aa_allow_incomplete = 1 container config flag.  If
    not set, then any container which is not set to run unconfined
    will refuse to run.   If set, then the container will run with
    apparmor protection.
    
    2. to pass this flag to the apparmor driver, we pass the container
    configuration (lxc_conf) to the lsm_label_set hook.
    
    3. add a testcase.  To test the case where a kernel does not
    provide mount restrictions, we mount an empty directory over
    the /sys/kernel/security/apparmor/features/mount directory.  In
    order to have that not be unmounted in a new namespace, we must
    test using unprivileged containers (who cannot remove bind mounts
    which hide existing mount contents).
    
    Signed-off-by: Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;
    Acked-by: Dwight Engen &lt;dwight.engen@oracle.com&gt;
    Acked-by: Stéphane Graber &lt;stgraber@ubuntu.com&gt;</title>
        <description>/lxc/src/tests/lxc-test-apparmor-mount - 7aff4f43fd84b021db12b2ffed1a4aa1b4cf65ef</description>
        <pubDate></pubDate>
        <dc:creator>Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;</dc:creator>
    </item>

</channel>
</rss>