[libvirt] [sandbox] Weird apparmor problems

Cedric Bosdonnat cbosdonnat at suse.com
Fri Oct 30 13:27:18 UTC 2015


On Fri, 2015-10-30 at 09:15 +0900, Daniel P. Berrange wrote:
> So, yes, it is normal for libvirt_lxc to access /dev/ptmx to create
> a new master PTY and to read/write to /dev/pts/NN associated with
> the file descriptor retrieved from /dev/ptmx.

After some more debugging and help from jjohansen, the problem happens
to be this commit:

http://libvirt.org/git/?p=libvirt.git;a=commit;h=d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f

When having the not-so-silly idea of mounting the host / read-only in a qemu
guest (like what virt-sandbox is doing), we are adding a "deny /** w"
rule that takes precedence over all rules giving write access to files
inside that path.

Would there be a clean solution for that problem? I can already teach
virt-sandbox to add the host / mount only if there is nothing else to be
mounted as /, but that wouldn't cover all cases.

--
Cedric
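As an added illustration of the behaviour the message describes (this is not code from libvirt, AppArmor or the thread), the following is a small Python model of how AppArmor resolves file rules: permissions from every matching allow rule are accumulated, permissions from every matching deny rule are subtracted afterwards, and the order of rules in the profile makes no difference. The glob translation is simplified (only `*` and `**` are handled, with `*` stopping at `/` and `**` crossing it). The profile lines are constructed for this example; the only rule taken from the message is "deny /** w", and the PTY paths are the ones named in the quoted reply. The second, allow-only profile is an assumption used for comparison, to show that a catch-all rule that merely omits `w` does not mask the explicit pts write grant the way a deny rule does.

```python
import re

def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a simplified AppArmor path glob to an anchored regex.

    '**' matches any run of characters including '/', '*' matches any run
    of characters except '/'; everything else is literal. Character
    classes, alternations and variables are deliberately not modelled.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rule(line: str):
    """Parse '/path perms,' or 'deny /path perms,' into (is_deny, glob, perms)."""
    body = line.strip().rstrip(",").strip()
    is_deny = False
    if body.startswith("deny "):
        is_deny = True
        body = body[len("deny "):].strip()
    glob, perms = body.rsplit(None, 1)
    return is_deny, glob, set(perms)

def effective_perms(profile_rules, path: str) -> set:
    """Permissions a path ends up with under the given rules.

    Allow rules accumulate, deny rules are subtracted at the end, so a
    deny anywhere in the profile wins over any allow for the same path,
    regardless of which rule comes first.
    """
    allowed, denied = set(), set()
    for line in profile_rules:
        is_deny, glob, perms = parse_rule(line)
        if glob_to_regex(glob).match(path):
            (denied if is_deny else allowed).update(perms)
    return allowed - denied

# Constructed profile fragment: explicit rw for the PTY devices the
# container needs, plus the read-only catch-all and "deny /** w" from
# the message (the exact grants in libvirt's real profile are not modelled).
PROFILE_WITH_DENY = [
    "/dev/ptmx rw,",
    "/dev/pts/* rw,",
    "/** r,",
    "deny /** w,",
]

# Assumed comparison profile: same grants, but the catch-all simply does
# not include w instead of denying it.
PROFILE_ALLOW_ONLY = [
    "/dev/ptmx rw,",
    "/dev/pts/* rw,",
    "/** r,",
]

if __name__ == "__main__":
    for name, prof in (("with deny", PROFILE_WITH_DENY),
                       ("allow only", PROFILE_ALLOW_ONLY)):
        for p in ("/dev/ptmx", "/dev/pts/3", "/etc/hostname"):
            print(f"{name:10s} {p:15s} -> {sorted(effective_perms(prof, p))}")
```

The model reproduces the symptom from the thread: with the deny rule present, `/dev/ptmx` and `/dev/pts/3` lose `w` even though a more specific rule grants `rw`, while the allow-only profile keeps the pts write and still gives everything else read-only access.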