git.ipfire.org Git - thirdparty/lxc.git/commit
apparmor: auto-generate the blacklist rules
author    Serge Hallyn <serge.hallyn@ubuntu.com>
          Sat, 29 Mar 2014 02:05:31 +0000 (21:05 -0500)
committer Stéphane Graber <stgraber@ubuntu.com>
          Tue, 1 Apr 2014 17:49:43 +0000 (13:49 -0400)
commit    198b363fff1de9afcee2f26b9aa847316f589afe
tree      6936f63868195e54eeaf1c6fed2a03cb1c930637
parent    dc8114afd77801851c020fb49b81bb1bc7de0923
apparmor: auto-generate the blacklist rules

This uses the generate-apparmor-rules.py script I sent out some time
ago to auto-generate apparmor rules based on a higher level set of
block/allow rules.

Add apparmor policy testcase to make sure that some of the paths we
expect to be denied (and allowed) write access to are in fact in
effect in the final policy.

With this policy, libvirt in a container is able to start its
default network, which previously it could not.

v2: address feedback from stgraber
  put lxc-generate-aa-rules.py into EXTRA_DIST
  add lxc-test-apparmor, container-base and container-rules to .gitignore
  take lxc-test-apparmor out of EXTRA_DIST
  make lxc-generate-aa-rules.py pep8-compliant
  don't automatically generate apparmor rules
  This is only because we can't be guaranteed that python3 will be
  available.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
.gitignore
config/apparmor/Makefile.am
config/apparmor/README [new file with mode: 0644]
config/apparmor/abstractions/container-base
config/apparmor/abstractions/container-base.in [new file with mode: 0644]
config/apparmor/container-rules [new file with mode: 0644]
config/apparmor/container-rules.base [new file with mode: 0644]
config/apparmor/lxc-generate-aa-rules.py [new file with mode: 0755]
src/tests/Makefile.am
src/tests/aa.c [new file with mode: 0644]