Comment 3 for bug 1088295

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1088295] Re: lxc container can control other container's cpu share, memory limit, or access of block and character devices

Quoting Lawrance (<email address hidden>):
> Thanks for your rapid reply.
> Sorry, I'm a newbie to apparmor.
>
> 1. What I should do is to create an apparmor policy for /usr/lib/libvirt/libvirt_lxc or anything else?

libvirt_lxc sets up the container which requires much more privilege than
the container itself should have. In the lxc package, the program which
starts the container (equivalent of /usr/lib/libvirt/libvirt_lxc) enters
a temporary domain automatically when it starts, then right before it
executes /sbin/init in the container the code is changed to manually
enter the container's domain.

> 2. How can I do per-container apparmor policies?
> 3. Could I refer to the apparmor policy for lxc below?
> root@superstack:~# cat /etc/apparmor.d/lxc/lxc-default

The policy itself should be a good start for the restrictions you'll
want on containers. However, libvirt already has a sophisticated
security module infrastructure which should probably be extended for
libvirt-lxc.

For a temporary custom solution, it may be possible to create a
domain based upon /etc/apparmor.d/usr.bin.lxc-start, modified
to automatically switch to /etc/apparmor.d/lxc/lxc-default on
executing /sbin/init.
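A sketch of the profile that reply describes, added here as an example (it is not code from the bug report, from the commenter, or from the libvirt/lxc packages): the setup program runs in its own domain, and a named exec transition moves the container's init into the container profile the moment it is executed. The target profile name lxc-container-default, the capability list and the file rules are assumptions; the target profile must already be loaded or the exec is denied.

```apparmor
# Added example profile, not from bug 1088295 or from the libvirt/lxc packages.
# Assumes the setup binary path quoted in the thread and that the profile
# declared in /etc/apparmor.d/lxc/lxc-default is named lxc-container-default.
#include <tunables/global>

/usr/lib/libvirt/libvirt_lxc {
  #include <abstractions/base>

  # Container setup needs privileges the container itself must not keep.
  # This list is an assumption; narrow it to what the setup program uses.
  capability,
  mount,
  umount,
  pivot_root,
  network,

  # Filesystem access for building the rootfs; no exec modes here so the
  # one exec rule below is the only way out of this domain.
  /** rwkl,

  # Automatic domain transition: when the setup program execs the container's
  # init, the child leaves this domain and enters the container profile, so
  # nothing inside the container inherits the setup privileges above.
  /sbin/init px -> lxc-container-default,
}
```

After loading it with apparmor_parser -r, confirm from the host that the container's init process is confined as intended: cat /proc/<init pid>/attr/current should report lxc-container-default, not the setup profile.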