drop useless apparmor denies #1840

Merged
merged 1 commit into from Oct 3, 2017

Conversation

5 participants
@tych0
Member

tych0 commented Oct 3, 2017

mem and kmem are really in /dev, so this does us no good.

Signed-off-by: Tycho Andersen tycho@tycho.ws

Member

stgraber commented Oct 3, 2017

Looks good but some more files need updating, can you run:

  • ./lxc-generate-aa-rules.py container-rules.base > container-rules
  • cat abstractions/container-base.in container-rules > abstractions/container-base

That should take care of the rest.

Contributor

GamerSource commented Oct 3, 2017

You talk about removing denies for /proc/kmem and /proc/mem, but in config/apparmor/abstractions/container-base.in kcore and kmem get removed from the deny list, mem even stayed, but kcore is in proc!

Is this really correct?

Member

stgraber commented Oct 3, 2017

Oh, that's a good point, the container-base.in diff doesn't match the commit description :)

drop useless apparmor denies
mem and kmem are really in /dev, so this does us no good.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Member

tych0 commented Oct 3, 2017

Yep, I just updated. Thanks!

@brauner brauner merged commit b90eff8 into lxc:master Oct 3, 2017

3 of 4 checks passed

  • continuous-integration/travis-ci/pr: The Travis CI build is in progress
  • Branch target: Branch target is correct
  • Signed-off-by: All commits signed-off
  • Testsuite: Testsuite passed
Member

hallyn commented Oct 3, 2017

Sorry... what's the downside to having these in?

I agree they're probably useless, but there may be sites out there that have custom templates causing containers to be created with those files. I'm not nacking, but not quite sold on the tradeoff.
