From: Alexander Mikhalitsyn Date: Thu, 15 Feb 2024 16:59:59 +0000 (+0100) Subject: config: apparmor: add AppArmor profile for lxc-copy X-Git-Tag: v6.0.0~22^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d51ea224e89f937131342ea71b8010c1c810dcd3;p=thirdparty%2Flxc.git config: apparmor: add AppArmor profile for lxc-copy lxc-copy can start container as lxc-start does in some cases, so we need to have the same profile for it. Signed-off-by: Alexander Mikhalitsyn
---
diff --git a/config/apparmor/meson.build b/config/apparmor/meson.build
index 24a07ebab..d378b4c0a 100644
--- a/config/apparmor/meson.build
+++ b/config/apparmor/meson.build
@@ -14,4 +14,11 @@ if libapparmor.found()
 output: 'usr.bin.lxc-start',
 install: true,
 install_dir: join_paths(sysconfdir, 'apparmor.d'))
+
+ configure_file(
+ configuration: dummy_config_data,
+ input: 'usr.bin.lxc-copy',
+ output: 'usr.bin.lxc-copy',
+ install: true,
+ install_dir: join_paths(sysconfdir, 'apparmor.d'))
 endif
diff --git a/config/apparmor/usr.bin.lxc-copy b/config/apparmor/usr.bin.lxc-copy
new file mode 100644
index 000000000..36b8d5cd9
--- /dev/null
+++ b/config/apparmor/usr.bin.lxc-copy
@@ -0,0 +1,5 @@
+#include
+
+/usr/bin/lxc-copy flags=(attach_disconnected) {
+ #include
+}
diff --git a/config/init/systemd/lxc-apparmor-load b/config/init/systemd/lxc-apparmor-load
index abca581e8..a612b7ab8 100755
--- a/config/init/systemd/lxc-apparmor-load
+++ b/config/init/systemd/lxc-apparmor-load
@@ -7,9 +7,11 @@ set -eu
 SYSF=/sys/kernel/security/apparmor/features/mount/mask
 if [ -f $SYSF ]; then
 if [ -x /lib/apparmor/profile-load ]; then
+ /lib/apparmor/profile-load usr.bin.lxc-copy
 /lib/apparmor/profile-load usr.bin.lxc-start
 /lib/apparmor/profile-load lxc-containers
 elif [ -x /lib/init/apparmor-profile-load ]; then
+ /lib/init/apparmor-profile-load usr.bin.lxc-copy
 /lib/init/apparmor-profile-load usr.bin.lxc-start
 /lib/init/apparmor-profile-load lxc-containers
 fi
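Review bot: In the `config/apparmor/meson.build` hunk, the new `configure_file()` installs `usr.bin.lxc-copy` with `configuration: dummy_config_data`, so, if that object carries no substitutions as its name suggests, the profile's attach path stays the literal `/usr/bin/lxc-copy` whatever `bindir` the build uses. On a build with a different prefix the profile would be installed but would not attach to the installed binary, so lxc-copy would run without it. The `usr.bin.lxc-start` block above appears to follow the same pattern (its start is outside the hunk), so this may be accepted behaviour. A comment such as `# profile attach path is fixed to /usr/bin and is not adjusted for bindir` would make the limitation explicit.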
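Review bot: The new profile in `config/apparmor/usr.bin.lxc-copy` has no comment explaining why a copy tool is confined with the same rules as lxc-start; the reason exists only in the commit message. I would add above the profile line `# lxc-copy can start a container itself in some cases, so it is confined like lxc-start`. Because the profile attaches to every lxc-copy invocation, the start-time rules also apply to plain copies that never start a container, which deserves a sentence in that comment. The two `#include` targets are not visible on this page (they appear to have been lost in extraction), so the rules actually granted cannot be checked from here.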
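Review bot: In the `lxc-apparmor-load` hunk the new `usr.bin.lxc-copy` load is placed first in both branches, and the hunk header shows the script runs under `set -eu`. Assuming that is still in effect here, a failure to load the new profile stops the script before `usr.bin.lxc-start` and `lxc-containers` are loaded. Loading the new profile last keeps a problem with it from blocking the container profiles: move `/lib/apparmor/profile-load usr.bin.lxc-copy` after `/lib/apparmor/profile-load lxc-containers`, and do the same for `/lib/init/apparmor-profile-load usr.bin.lxc-copy` in the `elif` branch. The outer `if [ -f $SYSF ]` block closes outside the hunk.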