touch-packages team mailing list archive
Message #20596
[Bug 1373555] Re: please restrict signal, ptrace and unix mediation to the container
Here is the debdiff. It works with the testing as outlined in
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor#Desktop_only
(see the lxc section). This is not comprehensive, so I am hoping an lxc
maintainer can run this through its paces. Also, I made no changes to
start-container because I wasn't sure of the benefit it would provide there.
Feel free to apply the types of rules made to container-base to
start-container. The debdiff updates the rules a little, and I tested that
it does the right thing when building on trusty.
** Patch added: "lxc_1.1.0~alpha1-0ubuntu5.debdiff"
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1373555/+attachment/4213972/+files/lxc_1.1.0%7Ealpha1-0ubuntu5.debdiff
** Description changed:
Right now the container policy uses bare rules for ptrace and signal. We
should refine these rules to be container specific and add unix rules to
- do the same.
+ do the same. Obviously, namespaces are intended to block these accesses
+ in and of themselves, but this add an incremental improvement and
+ security in depth in case something goes wrong there.
https://bugs.launchpad.net/bugs/1373555
Title:
please restrict signal, ptrace and unix mediation to the container
Status in “lxc” package in Ubuntu:
New
Bug description:
Right now the container policy uses bare rules for ptrace and signal.
We should refine these rules to be container specific and add unix
rules to do the same. Obviously, namespaces are intended to block
these accesses in and of themselves, but this adds an incremental
improvement and security in depth in case something goes wrong there.
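The rule shapes under discussion, as an added illustration that is not the lxc project's shipped profile and not the attached debdiff: a bare `ptrace,` or `signal,` rule grants every ptrace and signal permission against every peer, so the only thing keeping a containerised process from tracing or signalling a host process is the PID namespace. Scoping each rule with `peer=@{profile_name}` (the AppArmor variable that expands to the enclosing profile's own name) makes the kernel's mediation check the peer's label as well, so the access is still refused if the namespace boundary fails. The profile name and flags below are assumptions chosen for the example; both the sender and the receiver are checked by AppArmor for signal, ptrace and unix rules when both are confined, which is why the send and receive (or trace and tracedby) permissions are both listed. One caveat for lxc specifically: every container that runs under the same profile carries the same label, so `peer=@{profile_name}` confines the access to "processes in any container using this profile", not to one container; container-to-container separation still rests on the namespaces.

```apparmor
# Added example, not code from the original page or from the lxc project.
# Profile name, flags and the exact permission lists are assumptions.

# --- Before: bare rules. Every ptrace and signal permission is allowed
#     against every peer on the system; only the PID namespace stops a
#     confined process from reaching host processes. ---
profile lxc-container-example-bare flags=(attach_disconnected,mediate_deleted) {
  ptrace,
  signal,
}

# --- After: the same permissions, but only against peers that carry this
#     profile's own label. @{profile_name} is a built-in AppArmor variable
#     that expands to "lxc-container-example" here. ---
profile lxc-container-example flags=(attach_disconnected,mediate_deleted) {
  # Processes in the container may trace, and be traced by, only processes
  # confined by this same profile. read/readby cover /proc and kcmp-style
  # introspection; trace/tracedby cover PTRACE_ATTACH and friends.
  ptrace (read,readby,trace,tracedby) peer=@{profile_name},

  # Signals may only be exchanged with processes under this same profile.
  # A send from A to B needs send on A's profile and receive on B's.
  signal (send,receive) peer=@{profile_name},

  # Unix domain sockets. Socket-local operations carry no peer, so they are
  # listed without one; the peer-bearing operations are restricted to
  # sockets whose owning process carries this profile's label.
  unix (create,bind,listen,getattr,setattr,getopt,setopt,shutdown),
  unix (connect,accept,send,receive) peer=(label=@{profile_name}),
}
```

To check that a rewritten profile at least compiles against the running kernel's feature set without loading it, `apparmor_parser -Q /path/to/profile` performs the compile and skips the kernel load; a peer conditional on a permission that does not accept one, or a permission name the kernel does not mediate, is reported there rather than at container start.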