felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: remove not modified lxc rules.

Browse source 
Fix #79
This commit is contained in:
Alexandre Pujol 2022-09-28 11:54:29 +01:00
parent 4bc84436d7
commit 768e50c6ab
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
8 changed files with 0 additions and 340 deletions
Download patch file Download diff file Expand all files Collapse all files

7
apparmor.d/profiles-g-l/lxc-containers
View file

@ -1,7 +0,0 @@
# This file exists only to ensure that all per-container policies
# listed under /etc/apparmor.d/lxc get loaded at boot. Please do
# not edit this file.
include <tunables/global>
include <lxc>

11
apparmor.d/profiles-g-l/lxc/lxc-default
View file

@ -1,11 +0,0 @@
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
include <abstractions/lxc/container-base>
# the container may never be allowed to mount devpts. If it does, it
# will remount the host's devpts. We could allow it to do it with
# the newinstance option (but, right now, we don't).
deny mount fstype=devpts,
}

13
apparmor.d/profiles-g-l/lxc/lxc-default-cgns
View file

@ -1,13 +0,0 @@
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
include <abstractions/lxc/container-base>
# the container may never be allowed to mount devpts. If it does, it
# will remount the host's devpts. We could allow it to do it with
# the newinstance option (but, right now, we don't).
deny mount fstype=devpts,
mount fstype=cgroup -> /sys/fs/cgroup/**,
mount fstype=cgroup2 -> /sys/fs/cgroup/**,
}

14
apparmor.d/profiles-g-l/lxc/lxc-default-with-mounting
View file

@ -1,14 +0,0 @@
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
include <abstractions/lxc/container-base>
# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data. However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
mount fstype=ext*,
mount fstype=xfs,
mount fstype=btrfs,
}

15
apparmor.d/profiles-g-l/lxc/lxc-default-with-nesting
View file

@ -1,15 +0,0 @@
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
include <abstractions/lxc/container-base>
include <abstractions/lxc/start-container>
deny /dev/.lxc/proc/** rw,
deny /dev/.lxc/sys/** rw,
mount fstype=proc -> /var/cache/lxc/**,
mount fstype=sysfs -> /var/cache/lxc/**,
mount options=(rw,bind),
mount fstype=cgroup -> /sys/fs/cgroup/**,
mount fstype=cgroup2 -> /sys/fs/cgroup/**,
}