FWIW, it looks like liblxc proper has this functionality. It should be fairly easy to use this in stacker: tych0@434cfeb
However, this assumes that you are a privileged user, since users without CAP_MAC_ADMIN can't load policy in the root apparmor namespace or create namespaces (though if a namespace exists, unprivileged users can load policy there if they have CAP_MAC_ADMIN in the userns that owns the AA ns). We could fix this by allowing unprivileged userns creation: tych0/linux@b6e0913
right now, we depend on some external entity (packaging, aliens) to distribute an apparmor profile called lxc-container-default-cgns, and we hope that profile is reasonable. we should really have some way for stacker to generate that profile, perhaps using lxd's apparmor library:
https://github.com/lxc/lxd/tree/master/lxd/apparmor
which was written for this purpose, but has a lot of lxd-specific code.
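The CAP_MAC_ADMIN constraint raised in the comment above can be checked before choosing between a generated profile and the packaged one. The following is an added example, not code from stacker, liblxc or lxd; `profileSource` and its return values are hypothetical, the sample input is constructed, and the check assumes the process runs in the initial user namespace, since CapEff inside a user namespace is relative to that namespace.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// hasMacAdmin reads the CapEff hex mask from the text of /proc/self/status.
func hasMacAdmin(status string) (bool, error) {
	const capMacAdmin = 33 // CAP_MAC_ADMIN bit number in linux/capability.h
	for _, line := range strings.Split(status, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || f[0] != "CapEff:" {
			continue
		}
		mask, err := strconv.ParseUint(f[1], 16, 64)
		if err != nil {
			return false, fmt.Errorf("bad CapEff value %q: %w", f[1], err)
		}
		return mask&(1<<capMacAdmin) != 0, nil
	}
	return false, fmt.Errorf("no CapEff line in status")
}

// profileLoaded scans /sys/kernel/security/apparmor/profiles text ("name (mode)" lines).
func profileLoaded(profiles, name string) bool {
	return strings.Contains("\n"+profiles, "\n"+name+" (")
}

// profileSource (hypothetical helper) decides where the profile comes from.
func profileSource(status, profiles, name string) (string, error) {
	admin, err := hasMacAdmin(status)
	switch {
	case err != nil:
		return "", err
	case admin:
		return "generate", nil // allowed to load a generated profile
	case profileLoaded(profiles, name):
		return "preinstalled", nil // fall back to the packaged profile
	}
	return "", fmt.Errorf("no CAP_MAC_ADMIN and profile %q is not loaded", name)
}

func main() {
	// Constructed sample input, not captured from a real host.
	fmt.Println(profileSource("CapEff:\t0000000000000000\n",
		"lxc-container-default-cgns (enforce)\n", "lxc-container-default-cgns"))
}
```

Failing with an error when neither path is available keeps a container from starting without the intended confinement.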