Enable stacking for privileged containers #3155

stgraber · Apr 5, 2017

Signed-off-by: Stéphane Graber stgraber@ubuntu.com

tyhicks · Apr 5, 2017

This looks correct to me. I'll update this PR once I've discussed the safety of doing policy loads inside of a privileged container inside of an AppArmor policy namespace with John. Thanks!

brauner · Apr 5, 2017

I'll hold off on merging this until you ping me, @stgraber.

stgraber · Apr 5, 2017

Based on IRC discussion, this is fine to merge as far as the apparmor team is concerned.

tyhicks · Apr 5, 2017

After speaking with John Johansen about this, we think it is safe to stick a confined privileged container inside of an apparmor namespace, allow the container to inherit CAP_MAC_ADMIN, and grant the container access to the securityfs mounted inside of the container.

Thanks for putting this PR together. I look forward to using this feature.

brauner · Apr 5, 2017

Cool guys. This sounds super-exciting!

lxc/lxd

Enable stacking for privileged containers #3155

stgraber commented Apr 5, 2017

tyhicks commented Apr 5, 2017

brauner commented Apr 5, 2017

stgraber commented Apr 5, 2017

tyhicks commented Apr 5, 2017

brauner commented Apr 5, 2017 •

Edited 1 time

brauner
Apr 5, 2017

brauner merged commit `f0f838c` into lxc:master Apr 5, 2017
5 checks passed

5 checks passed

lxc/lxd

Join GitHub today

Enable stacking for privileged containers #3155

Conversation

stgraber commented Apr 5, 2017

All checks have passed

tyhicks commented Apr 5, 2017

brauner commented Apr 5, 2017

stgraber commented Apr 5, 2017

tyhicks commented Apr 5, 2017

brauner commented Apr 5, 2017 • edited Edited 1 time brauner Apr 5, 2017

Hide details View details brauner merged commit f0f838c into lxc:master Apr 5, 2017 5 checks passed

5 checks passed

brauner commented Apr 5, 2017 •

Edited 1 time

brauner
Apr 5, 2017

brauner merged commit `f0f838c` into lxc:master Apr 5, 2017
5 checks passed