# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
-#lxc.aa_profile = lxc-container-default-with-mounting
+#lxc.apparmor.profile = lxc-container-default-with-mounting
# Extra cgroup device access
## rtc
# Use a profile which allows nesting
-lxc.aa_profile = lxc-container-default-with-nesting
+lxc.apparmor.profile = lxc-container-default-with-nesting
# Add uncovered mounts of proc and sys, else unprivileged users
# cannot remount those
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
# Uncomment the following line to autodetect squid-deb-proxy configuration on the
# host and forward it to the guest at start time.
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
-#lxc.aa_profile = lxc-container-default-with-mounting
+#lxc.apparmor.profile = lxc-container-default-with-mounting
# Extra cgroup device access
## rtc
<variablelist>
<varlistentry>
<term>
- <option>lxc.aa_profile</option>
+ <option>lxc.apparmor.profile</option>
</term>
<listitem>
<para>
コンテナが従うべき apparmor プロファイルを指定します。
コンテナが apparmor による制限を受けないように設定するには、以下のように設定します。
</para>
- <programlisting>lxc.aa_profile = unconfined</programlisting>
+ <programlisting>lxc.apparmor.profile = unconfined</programlisting>
<para>
<!--
If the apparmor profile should remain unchanged (i.e. if you
-->
もし apparmor プロファイルが変更されないままでなくてはならない場合 (ネストしたコンテナである場合や、すでに confined されている場合) は以下のように設定します。
</para>
- <programlisting>lxc.aa_profile = unchanged</programlisting>
+ <programlisting>lxc.apparmor.profile = unchanged</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<variablelist>
<varlistentry>
<term>
- <option>lxc.aa_profile</option>
+ <option>lxc.apparmor.profile</option>
</term>
<listitem>
<para>
컨테이너가 따라야할 apparmor 프로파일을 지정한다.
컨테이너가 apparmor로 인한 제한을 받지 않도록 하려면, 아래와 같이 지정하면 된다.
</para>
- <programlisting>lxc.aa_profile = unconfined</programlisting>
+ <programlisting>lxc.apparmor.profile = unconfined</programlisting>
<para>
<!--
If the apparmor profile should remain unchanged (i.e. if you
-->
apparmor 프로파일이 변경되지 않아야 한다면(중첩 컨테이너 안에 있고, 이미 confined된 경우), 아래와 같이 지정하면 된다.
</para>
- <programlisting>lxc.aa_profile = unchanged</programlisting>
+ <programlisting>lxc.apparmor.profile = unchanged</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<variablelist>
<varlistentry>
<term>
- <option>lxc.aa_profile</option>
+ <option>lxc.apparmor.profile</option>
</term>
<listitem>
<para>
be run. To specify that the container should be unconfined,
use
</para>
- <programlisting>lxc.aa_profile = unconfined</programlisting>
+ <programlisting>lxc.apparmor.profile = unconfined</programlisting>
<para>
If the apparmor profile should remain unchanged (i.e. if you
are nesting containers and are already confined), then use
</para>
- <programlisting>lxc.aa_profile = unchanged</programlisting>
+ <programlisting>lxc.apparmor.profile = unchanged</programlisting>
</listitem>
</varlistentry>
<varlistentry>
lsm_label = "unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023";
}
else if (!strcmp(lsm_name(), "AppArmor")) {
- lsm_config_key = "lxc.aa_profile";
+ lsm_config_key = "lxc.apparmor.profile";
if (file_exists("/proc/self/ns/cgroup"))
lsm_label = "lxc-container-default-cgns";
else
run_cmd lxc-stop -n $cname -k
echo "test regular unconfined container"
-echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
+echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
mount --bind $dnam $MOUNTSR
echo "test default confined container"
-sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
+sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d || true
sleep 3
pid=`run_cmd lxc-info -p -H -n $cname` || true
fi
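Review bot: The new pattern on the `sed -i '/apparmor.profile/d'` line is looser than the key it is meant to remove: the unescaped `.` matches any character and the pattern is unanchored, so it matches more than the exact `lxc.apparmor.profile` key, while a leftover legacy `lxc.aa_profile = unconfined` line (from a config written before the rename) is no longer deleted at all, so "test default confined container" could start an unconfined container without the test noticing. Anchoring and escaping the key keeps the deletion exact: `sed -i '/^lxc\.apparmor\.profile[[:space:]]*=/d' $HDIR/.local/share/lxc/$cname/config`. The same applies to the `sed` under "testing override" further down in this file. Whether the config parser still honours the old key is not visible here, so the stale-line case only matters if configs predating the rename are reused by this script.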
echo "test regular unconfined container"
-echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
+echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
run_cmd lxc-stop -n $cname -k
echo "testing override"
-sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
+sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
echo "lxc.apparmor.allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
#networking
#lxc.net.0.type = $lxc_network_type
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
lxc.uts.name = $utsname
# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
# example simple networking setup, uncomment to enable
#lxc.net.0.type = $lxc_network_type
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.cgroup.devices.deny = a
lxc.uts.name = $utsname
# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
# example simple networking setup, uncomment to enable
#lxc.net.0.type = $lxc_network_type
lxc.uts.name = ${utsname}
# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
# example simple networking setup, uncomment to enable
#lxc.net.0.type = ${lxc_network_type}
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
#networking
lxc.net.0.type = $lxc_network_type
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
# When using LXC with apparmor, uncomment the next line to run unconfined:
-lxc.aa_profile = unconfined
+lxc.apparmor.profile = unconfined
# example simple networking setup, uncomment to enable
#lxc.net.0.type = $lxc_network_type
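Review bot: In this template the renamed line is active, `lxc.apparmor.profile = unconfined`, while the comment directly above still says "uncomment the next line to run unconfined", so the template disables AppArmor confinement by default and the comment misdescribes what the file does; every other template touched by this commit ships the line commented out. Either comment it out to match the others, `#lxc.apparmor.profile = unconfined`, or, if this template genuinely cannot run confined, replace the comment with one stating that, e.g. `# This template runs unconfined under AppArmor because <REASON>` with the actual reason filled in. The rename itself is carried over correctly; this is a pre-existing inconsistency that the commit preserves.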
lxc.autodev = $auto_dev
# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
## Devices
# Allow all devices
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined:
-#lxc.aa_profile = unconfined
+#lxc.apparmor.profile = unconfined
lxc.mount.entry = /dev dev none ro,bind 0 0
lxc.mount.entry = /lib lib none ro,bind 0 0