jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
runc/apparmor
History
Eric Windisch 364d8e1505 Disable all mounts in AppArmor profile 
Allowing mounts in containers is dangerous. Bugs in
mount namespaces or quirks of the container configuration
could allow for various breakouts.

By default, processes in containers will not be able to mount anyway,
rendering the allowances in the default AppArmor profile nearly
useless. Manually created sub-containers were able to mount, but
were yet restricted from performing most of the mounts flags indicated
in the profile.

Signed-off-by: Eric Windisch <eric@windisch.us>
 		2015-05-07 14:38:44 -07:00
..
apparmor.go also check if "/sbin/apparmor_parser" exists when deciding if apparmor is enabled 2015-04-14 19:18:33 +02:00
apparmor_disabled.go Update a few build tags to be more generic, add a couple more SETNS constants, and update Travis with a bunch of fixes/tweaks (including removing the nonfunctional cross-compile stuff for now) 2014-07-17 02:24:49 -06:00
gen.go Disable all mounts in AppArmor profile 2015-05-07 14:38:44 -07:00
setup.go Move libcontainer deps into libcontainer 2014-06-09 15:52:12 -07:00