canonical / lxd

Powerful system container and virtual machine manager
https://canonical.com/lxd
GNU Affero General Public License v3.0

Instance: Allow devpts in AppArmor profile for unprivileged containers #13661

Closed mihalicyn closed 6 days ago

mihalicyn commented 6 days ago

In core24, AppArmor includes security fixes, and our ruleset, although its source code remains unchanged, becomes stricter.

devpts was always available for unprivileged containers because of AppArmor bugs like [1]. Let's now allow it explicitly.

[1] https://bugs.launchpad.net/apparmor/+bug/1597017
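The comment above makes the point that a permission which only works because of a parser bug is not really granted; once the bug is fixed the profile must say it. The following is an added example, not code from the LXD project or from this PR: a small checker that parses AppArmor `mount` rules out of a profile and reports whether devpts is explicitly allowed. Both sample profiles are constructed for the example, and the devpts rule shown (`mount fstype=devpts -> /dev/pts/,`) follows the general AppArmor mount-rule grammar rather than quoting the rule this PR actually added.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed "before" profile (not LXD's real profile text): no devpts rule,
# so devpts only worked while the AppArmor parser was lenient.
PROFILE_BEFORE = """
profile lxd-c1_</var/snap/lxd/common/lxd> flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
  deny mount fstype=debugfs,
}
"""

# Constructed "after" profile: the devpts mount is stated explicitly, so it
# keeps working under a stricter parser.
PROFILE_AFTER = """
profile lxd-c1_</var/snap/lxd/common/lxd> flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
  mount fstype=devpts -> /dev/pts/,
  deny mount fstype=debugfs,
}
"""

# A mount rule is one line: optional "deny", the keyword "mount", a body,
# and a terminating comma. Comment lines (starting with '#') never match.
MOUNT_RULE = re.compile(r"^\s*(?P<deny>deny\s+)?mount\b(?P<body>.*),\s*$")
# fstype=devpts  or  fstype=(proc,sysfs)
FSTYPE = re.compile(r"fstype=(?:\((?P<many>[^)]*)\)|(?P<one>[^\s,]+))")
# "-> /dev/pts/" names the mount point the rule applies to
TARGET = re.compile(r"->\s*(?P<target>\S+)")


@dataclass(frozen=True)
class MountRule:
    deny: bool
    fstypes: frozenset  # empty set means "any filesystem type"
    target: Optional[str]


def parse_mount_rules(profile: str) -> List[MountRule]:
    """Extract every mount rule from an AppArmor profile body."""
    rules = []
    for line in profile.splitlines():
        m = MOUNT_RULE.match(line)
        if not m:
            continue
        body = m.group("body")
        fs = FSTYPE.search(body)
        if fs:
            raw = fs.group("many") if fs.group("many") is not None else fs.group("one")
            fstypes = frozenset(t.strip() for t in raw.split(",") if t.strip())
        else:
            fstypes = frozenset()
        tgt = TARGET.search(body)
        rules.append(MountRule(deny=bool(m.group("deny")),
                               fstypes=fstypes,
                               target=tgt.group("target") if tgt else None))
    return rules


def devpts_explicitly_allowed(profile: str) -> bool:
    """True only if an allow rule names devpts and no deny rule covers it."""
    rules = parse_mount_rules(profile)
    allowed = any(not r.deny and "devpts" in r.fstypes for r in rules)
    denied = any(r.deny and ("devpts" in r.fstypes or not r.fstypes) for r in rules)
    return allowed and not denied


if __name__ == "__main__":
    for name, prof in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        print(name, "devpts explicitly allowed:", devpts_explicitly_allowed(prof))
```

Running the block prints `before devpts explicitly allowed: False` and `after ... True`. A check like this belongs in a profile regression test rather than in production code; the authoritative check is still feeding the generated profile to `apparmor_parser` on the parser version you ship, which is what the OVN test failure linked below effectively did.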

mihalicyn commented 6 days ago

This should fix OVN tests failures on latest/edge snap: https://github.com/canonical/lxd-ci/actions/runs/9640802118/job/26606617383

tomponline commented 6 days ago

@mihalicyn is this safe to backport to 5.21, and 5.0 series btw? Or does it need a specific version of the apparmor parser?

mihalicyn commented 6 days ago

> @mihalicyn is this safe to backport to 5.21, and 5.0 series btw? Or does it need a specific version of the apparmor parser?

it's absolutely safe to backport to any series, because for older AppArmor versions it does nothing (devpts is allowed for old versions implicitly).