Quoting Lawrance (<email address hidden>):
> Thanks for your rapid reply.
> Sorry, I'm a newbie to AppArmor.
>
> 1. What I should do is to create an AppArmor policy for /usr/lib/libvirt/libvirt_lxc or anything else?
libvirt_lxc sets up the container which requires much more privilege than
the container itself should have. In the lxc package, the program which
starts the container (equivalent of /usr/lib/libvirt/libvirt_lxc) enters
a temporary domain automatically when it starts, then right before it
executes /sbin/init in the container the code is changed to manually
enter the container's domain.
> 2. How can I do per-container AppArmor policies?
> 3. Could I refer to the AppArmor policy below for lxc?
> root@superstack:~# cat /etc/apparmor.d/lxc/lxc-default
The policy itself should be a good start for the restrictions you'll
want on containers. However, libvirt already has a sophisticated
security module infrastructure which should probably be extended for
libvirt-lxc.
For a temporary custom solution, it may be possible to create a
domain based upon /etc/apparmor.d/usr.bin.lxc-start, modified
to automatically switch to /etc/apparmor.d/lxc/lxc-default on
executing /sbin/init.
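The domain switch described in the reply above, written out as an AppArmor profile. This is an added illustration, not the profile shipped by the lxc or libvirt packages: the profile name libvirt-lxc-start, the attachment path, the placeholder privilege rules, and the assumption that /etc/apparmor.d/lxc/lxc-default defines a profile named lxc-container-default are all assumptions made here for the example. The one line that matters is the exec rule on /sbin/init, which makes the kernel drop the privileged setup domain for the container domain at exec time, so the setup program itself needs no code change.

```apparmor
# Added example, not the lxc or libvirt project's own policy.
# Assumed: profile name, attachment path and the name of the
# container profile defined in /etc/apparmor.d/lxc/lxc-default.
#include <tunables/global>

profile libvirt-lxc-start /usr/lib/libvirt/libvirt_lxc flags=(attach_disconnected) {
  #include <abstractions/base>

  # Container setup needs far more privilege than the container should
  # keep. The rules below are placeholders; derive the real set from the
  # setup program's actual behaviour (aa-genprof / aa-logprof), not from here.
  capability sys_admin,
  capability sys_chroot,
  capability mknod,
  mount,
  umount,
  pivot_root,

  # The security-relevant rule: executing the container's init leaves this
  # privileged domain and enters the (assumed) container profile.
  # - The path is matched as the kernel resolves it at exec time, so it must
  #   be the path of init as seen from the container's root.
  # - The target profile must already be loaded, otherwise the exec is denied.
  /sbin/init px -> lxc-container-default,

  # For a setup program that switches domains itself (the libapparmor call
  # aa_change_onexec(), i.e. writing "exec <profile>" to /proc/self/attr/exec,
  # as the lxc code path in the reply does), the transition must be permitted
  # from this profile as well:
  change_profile -> lxc-container-default,
}
```

Load the file with apparmor_parser -r and check aa-status afterwards: both libvirt-lxc-start and the container profile must be listed as loaded, and a process started from the container's /sbin/init should appear under the container profile, not under libvirt-lxc-start. Per-container policies then come down to loading one container profile per container and pointing the px -> transition (or the change_profile rule and the aa_change_onexec() call) at that container's profile name.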