mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-11-04 20:31:13 +00:00
9265f8ab67
Rework the apparmor lxc profile abstraction to mimic ubuntu's container-default. This profile allows quite a lot, but strives to restrict access to dangerous resources. Removing the explicit authorizations to bash, systemd and cron files, forces them to keep the lxc profile for all applications inside the container. PUx permissions where leading to running systemd (and others tasks) unconfined. Put the generic files, network and capabilities restrictions directly in the TEMPLATE.lxc: this way, users can restrict them on a per container basis.
16 lines
314 B
Plaintext
16 lines
314 B
Plaintext
#
|
|
# This profile is for the domain whose UUID matches this file.
|
|
#
|
|
|
|
#include <tunables/global>
|
|
|
|
profile LIBVIRT_TEMPLATE {
|
|
#include <abstractions/libvirt-lxc>
|
|
|
|
# Globally allows everything to run under this profile
|
|
# These can be narrowed depending on the container's use.
|
|
file,
|
|
capability,
|
|
network,
|
|
}
|