From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
Date: Wed, 22 Jul 2020 14:15:26 +0200 [thread overview]
Message-ID: <20200722141526.44fcc27e@rosa.proxmox.com> (raw)
In-Reply-To: <b578da18-2964-5a75-3b05-5c16bfef3982@proxmox.com>
On Wed, 22 Jul 2020 14:09:09 +0200
Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
> On 22.07.20 13:59, Stoiko Ivanov wrote:
> > On Wed, 22 Jul 2020 13:51:19 +0200
> > Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
> >
> >> On 22.07.20 13:05, Stoiko Ivanov wrote:
> >>> commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially
> >>> fixes the apparmor deny for mounting boot_id (used for example for identifying
> >>> different boots with `journalctl`) inside the container.
> >>>
> >>> Tested by editing the profile and replacing it disregarding the cache:
> >>> `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start`
> >>>
> >>
> >> was this proposed to upstream as pull request? Did not found it on the
> >> LXC GitHub page.
> >
> > sorry my phrasing in the cover-letter was misleading: I want to make a
> > pull request upstream for this patch, after somebody else sanity-checks it
> > -> if it looks ok to you - I'll open the PR.
> >
>
> Haha, and I wanted the reverse: get upstream to review it with their
> in-depth knowledge so that I can rely on that check ;-P
aye - makes sense - https://github.com/lxc/lxc/pull/3495 :)
>
> >
> >>
> >>> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> >>> ---
> >>> ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++++++++++++++++++
> >>> debian/patches/series | 1 +
> >>> 2 files changed, 27 insertions(+)
> >>> create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >>>
> >>> diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >>> new file mode 100644
> >>> index 0000000..fefc586
> >>> --- /dev/null
> >>> +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >>> @@ -0,0 +1,26 @@
> >>> +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
> >>> +From: Stoiko Ivanov <s.ivanov@proxmox.com>
> >>> +Date: Wed, 22 Jul 2020 12:17:24 +0200
> >>> +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id
> >>> +
> >>> +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
> >>> +necessary mount calls for /proc/sys/kernel/random/boot_id
> >>> +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
> >>> +
> >>> +Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> >>> +---
> >>> + config/apparmor/abstractions/start-container.in | 1 +
> >>> + 1 file changed, 1 insertion(+)
> >>> +
> >>> +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in
> >>> +index 9998f1121..9f64c2727 100644
> >>> +--- a/config/apparmor/abstractions/start-container.in
> >>> ++++ b/config/apparmor/abstractions/start-container.in
> >>> +@@ -22,6 +22,7 @@
> >>> + mount -> /var/lib/lxc/{**,},
> >>> +
> >>> + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
> >>> ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
> >>> +
> >>> + # required for some pre-mount hooks
> >>> + mount fstype=overlayfs,
> >>> diff --git a/debian/patches/series b/debian/patches/series
> >>> index ee20ef5..f588081 100644
> >>> --- a/debian/patches/series
> >>> +++ b/debian/patches/series
> >>> @@ -1,3 +1,4 @@
> >>> pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
> >>> pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
> >>> pve/0003-PVE-Config-attach-always-use-getent.patch
> >>> +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch
> >>>
> >>
> >
>
next prev parent reply other threads:[~2020-07-22 12:15 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-22 11:05 [pve-devel] [PATCH lxc 0/2] fix apparmor rules and improve cgroupv2 experience Stoiko Ivanov
2020-07-22 11:05 ` [pve-devel] [PATCH lxc 1/2] update lxc to include fixes for cgroupv2 setups Stoiko Ivanov
2020-07-22 11:05 ` [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id Stoiko Ivanov
2020-07-22 11:51 ` Thomas Lamprecht
2020-07-22 11:59 ` Stoiko Ivanov
2020-07-22 12:09 ` Thomas Lamprecht
2020-07-22 12:15 ` Stoiko Ivanov [this message]
2020-09-09 19:06 ` [pve-devel] [PATCH lxc 0/2] fix apparmor rules and improve cgroupv2 experience Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200722141526.44fcc27e@rosa.proxmox.com \
--to=s.ivanov@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=t.lamprecht@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal