Merge lp://staging/~serge-hallyn/ubuntu/trusty/lxc/lxc.aa-libvirt into lp://staging/~ubuntu-branches/ubuntu/trusty/lxc/trusty

Proposed by Serge Hallyn
Status: Needs review
Proposed branch: lp://staging/~serge-hallyn/ubuntu/trusty/lxc/lxc.aa-libvirt
Merge into: lp://staging/~ubuntu-branches/ubuntu/trusty/lxc/trusty
Diff against target: 36 lines (+17/-1)
2 files modified
debian/apparmor/abstractions-lxc-container-base (+7/-1)
debian/changelog (+10/-0)
To merge this branch: bzr merge lp://staging/~serge-hallyn/ubuntu/trusty/lxc/lxc.aa-libvirt
Reviewer: Stéphane Graber (review type: not set, date requested: not set), Status: Pending
Review via email: mp+193622@code.staging.launchpad.net

Description of the change

Allow write access under /sys/class/net and /sys/device/virtual/net. Otherwise libvirt is unable to create virbr0.

Seth Arnold (seth-arnold) wrote :

FWIW, looks good to me. AppArmor needs a better way to express this.

Thanks

Stéphane Graber (stgraber) wrote :

Looks good to me, it's just annoying that we need to use those regexps and that any addition of a new /sys entry may go uncontained because of this but oh well, not much choice just now...

Serge Hallyn (serge-hallyn) wrote :

Quoting Stéphane Graber (<email address hidden>):
> Looks good to me, it's just annoying that we need to use those regexps and that any addition of a new /sys entry may go uncontained because of this but oh well, not much choice just now...

Thanks for looking it over.

I wonder whether it would be worthwhile to build our own parser which
takes a simpler list of paths we want to allow, and builds deny regexes
to put into policy? Because if we need to allow one or two more paths,
it'll become unreadable as is.

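The generator floated in the comment above, as an added example that is not code from the lxc package or from this merge proposal: it takes a root directory and a plain list of subtrees to leave writable, nests them by path component, and emits the character-class deny rules (`deny /sys/[^cd]*/** wklx,` and so on) that fence off every sibling at every level, so the policy can grow by editing a list rather than a wall of regexes. It also covers the two gaps such hand-written rules tend to leave: a sibling whose name is a strict prefix of an allowed component (a directory called `cla` next to `class`) and a sibling that extends it (`classes`). The root `/sys`, the allowed paths and the sample paths are constructed for the example; the small glob-to-regex translator at the end exists only so the rules can be checked offline and assumes, conservatively, that a negated class does not match `/`.

```python
"""Generate AppArmor deny rules that wall off a directory tree except for a
short list of allowed subtrees, then check them against sample paths.

Added example, not code from the lxc package or the patch under review. The
root, the allowed paths and the sample paths below are constructed.
"""
import re
from collections import defaultdict

SAFE = re.compile(r"^[A-Za-z0-9_.-]+$")   # names we can put inside [^...]


def _next_chars(names):
    """Map every proper prefix of the sibling names to the characters that
    follow it in some sibling (a character trie, flattened to a dict)."""
    nexts = defaultdict(set)
    for name in names:
        for i, ch in enumerate(name):
            nexts[name[:i]].add(ch)
    return nexts


def _component_tree(root, allowed):
    """Nest the allowed paths below ROOT as {component: {component: ...}}."""
    tree = {}
    for path in allowed:
        if not path.startswith(root + "/"):
            raise ValueError(f"{path} is not below {root}")
        node = tree
        for comp in path[len(root) + 1:].split("/"):
            if not SAFE.match(comp):
                raise ValueError(f"cannot put {comp!r} in a character class")
            node = node.setdefault(comp, {})
    return tree


def deny_rules(root, allowed, perms="wklx"):
    """Return deny rules (one string each) for everything under ROOT that is
    outside the ALLOWED subtrees. The subtrees themselves get no rule here;
    grant them with allow_rules()."""
    rules = []

    def walk(prefix, node):
        names = sorted(node)
        nexts = _next_chars(names)
        class_done, exact_done = set(), set()
        for name in names:
            # Any entry that diverges from NAME at character i is denied.
            for i in range(len(name)):
                q = name[:i]
                if q not in class_done:
                    class_done.add(q)
                    chars = "".join(sorted(nexts[q]))
                    rules.append(f"deny {prefix}{q}[^{chars}]*/** {perms},")
            # An entry named exactly like a strict prefix of NAME ("cla" next
            # to "class") slips past the [^s]* rule, so deny it by name
            # unless that prefix is itself an allowed component.
            for i in range(1, len(name)):
                q = name[:i]
                if q not in node and q not in exact_done:
                    exact_done.add(q)
                    rules.append(f"deny {prefix}{q}/** {perms},")
            # Entries that extend NAME ("classes" next to "class") are denied
            # here, unless a sibling extends it, in which case that sibling's
            # own [^x]* rules take over.
            if name not in nexts:
                rules.append(f"deny {prefix}{name}?*/** {perms},")
            if node[name]:
                walk(prefix + name + "/", node[name])

    walk(root + "/", _component_tree(root, allowed))
    return rules


def allow_rules(allowed, perms="w"):
    """Allow rules for the subtrees the deny rules leave open."""
    return [f"{path}/** {perms}," for path in allowed]


def glob_to_regex(pattern):
    """Translate the AppArmor glob subset used above into a Python regex.
    Assumption made here: a negated class does not match '/'."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        elif pattern.startswith("[^", i):
            j = pattern.index("]", i)
            out, i = out + "[^" + pattern[i + 2:j] + "/]", j + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def denied(rules, path):
    """True if PATH matches the glob of any deny rule."""
    return any(glob_to_regex(r.split()[1]).match(path) for r in rules)


if __name__ == "__main__":
    ALLOWED = ["/sys/class/net", "/sys/devices/virtual/net"]   # constructed
    for rule in deny_rules("/sys", ALLOWED) + allow_rules(ALLOWED):
        print("  " + rule)
```

The output is meant to be pasted into an abstraction, so it is verbose on purpose: for the two allowed paths it produces 49 deny lines, which is exactly the readability problem the comment is about, but the list that drives them stays two lines long and any new `/sys` entry falls under a deny rule instead of going uncontained.
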
Unmerged revisions

308. By Serge Hallyn

debian/apparmor/abstractions-lxc-container-base: allow writes to
/sys/class/net/* and /sys/devices/virtual/net/**. This is to allow
libvirt to set ip_forward on virbr0 which it creates. Note this is
safe because the container has its own private view of those
directories.

