Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Instance: Allow devpts in AppArmor profile for unprivileged containers #13661

Merged
merged 1 commit into from
Jun 25, 2024
Merged

Instance: Allow devpts in AppArmor profile for unprivileged containers #13661

merged 1 commit into from
Jun 25, 2024

Conversation

mihalicyn
Copy link
Member

In core24 AppArmor includes security fixes and our ruleset, although the source code remains unchanged become stricter.

devpts was always available for unprivileged containers because of AppArmor bugs like [1]. Let's now allow it explicitly.

[1] https://bugs.launchpad.net/apparmor/+bug/1597017

@mihalicyn
lxd/apparmor/instance_lxc: allow devpts for unprivileged containers
8619239 
In core24 AppArmor includes security fixes and our ruleset, although
the source code remains unchanged become stricter.

devpts was always available for unprivileged containers because
of AppArmor bugs like [1]. Let's now allow it explicitly.

[1] https://bugs.launchpad.net/apparmor/+bug/1597017

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
@mihalicyn
Copy link
Member Author

This should fix OVN tests failures on latest/edge snap:
https://github.com/canonical/lxd-ci/actions/runs/9640802118/job/26606617383

@tomponline tomponline changed the title lxd/apparmor/instance_lxc: allow devpts for unprivileged containers Instance: Allow devpts in AppArmor profile for unprivileged containers Jun 25, 2024
tomponline
tomponline approved these changes Jun 25, 2024
View reviewed changes
Copy link
Member

@tomponline tomponline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@tomponline
Copy link
Member

@mihalicyn is this safe to backport to 5.21, and 5.0 series btw? Or does it need a specific version of the apparmor parser?

@tomponline tomponline merged commit 9728e82 into canonical:main Jun 25, 2024
28 checks passed
@mihalicyn
Copy link
Member Author

@mihalicyn is this safe to backport to 5.21, and 5.0 series btw? Or does it need a specific version of the apparmor parser?

it's absolutely safe to backport to any series, because for older AppArmor versions it does nothing (devpts is allowed for old versions implicitly).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomponline tomponline tomponline approved these changes

@simondeziel simondeziel Awaiting requested review from simondeziel

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mihalicyn @tomponline