xenbits.xensource.com Git - people/liuw/libxenctrl-split/libvirt.git/commit

author	Cédric Bosdonnat <cbosdonnat@suse.com>
	Tue, 15 Jul 2014 09:02:50 +0000 (11:02 +0200)
committer	Eric Blake <eblake@redhat.com>
	Tue, 15 Jul 2014 18:57:05 +0000 (12:57 -0600)
commit	9265f8ab67dc14fe89a26efd5c22b156d3168fd6
tree	92a5e22221e7e548727017f4930d9cfddb44fffd	tree
parent	61bbdbb94ce3e2f5e969c9bddb443427db07bf61	commit \| diff

Rework lxc apparmor profile

Rework the apparmor lxc profile abstraction to mimic ubuntu's container-default.
This profile allows quite a lot, but strives to restrict access to
dangerous resources.

Removing the explicit authorizations to bash, systemd and cron files,
forces them to keep the lxc profile for all applications inside the
container. PUx permissions where leading to running systemd (and others
tasks) unconfined.

Put the generic files, network and capabilities restrictions directly
in the TEMPLATE.lxc: this way, users can restrict them on a per
container basis.

examples/apparmor/Makefile.am		diff \| blob \| blame \| history
examples/apparmor/TEMPLATE	[deleted file]	blob \| blame \| history
examples/apparmor/TEMPLATE.lxc	[new file with mode: 0644]	blob
examples/apparmor/TEMPLATE.qemu	[new file with mode: 0644]	blob
examples/apparmor/libvirt-lxc		diff \| blob \| blame \| history
src/security/security_apparmor.c		diff \| blob \| blame \| history
src/security/virt-aa-helper.c		diff \| blob \| blame \| history