Enable stacking for privileged containers #3155
tyhicks commented Apr 5, 2017

This looks correct to me. I'll update this PR once I've discussed the safety of doing policy loads inside of a privileged container inside of an AppArmor policy namespace with John. Thanks!

I'll hold off on merging this until you ping me, @stgraber.

Based on IRC discussion, this is fine to merge as far as the apparmor team is concerned.
tyhicks commented Apr 5, 2017

After speaking with John Johansen about this, we think it is safe to stick a confined privileged container inside of an apparmor namespace, allow the container to inherit CAP_MAC_ADMIN, and grant the container access to the securityfs mounted inside of the container. Thanks for putting this PR together. I look forward to using this feature.

Cool guys. This sounds super-exciting!
stgraber commented Apr 5, 2017

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>