Merge pull request #1078 from stgraber/apparmor

incusd/apparmor: Allow mounting zfs when delegation is supported
lxc · Aug 6, 2024 · 4025ab0 · 4025ab0
2 parents 2927e08 + 4f36af5
commit 4025ab0
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/internal/server/apparmor/instance.go b/internal/server/apparmor/instance.go
@@ -10,6 +10,7 @@ import (
 	"github.com/lxc/incus/v6/internal/server/instance/drivers/edk2"
 	"github.com/lxc/incus/v6/internal/server/instance/instancetype"
 	"github.com/lxc/incus/v6/internal/server/project"
+	storageDrivers "github.com/lxc/incus/v6/internal/server/storage/drivers"
 	"github.com/lxc/incus/v6/internal/server/sys"
 	localUtil "github.com/lxc/incus/v6/internal/server/util"
 	internalUtil "github.com/lxc/incus/v6/internal/util"
@@ -28,6 +29,7 @@ type instance interface {
 	RunPath() string
 	Path() string
 	DevicesPath() string
+	IsPrivileged() bool
 }
 
 // InstanceProfileName returns the instance's AppArmor profile name.
@@ -188,6 +190,7 @@ func instanceProfile(sysOS *sys.OS, inst instance, extraBinaries []string) (stri
 			"nesting":             util.IsTrue(inst.ExpandedConfig()["security.nesting"]),
 			"raw":                 rawContent,
 			"unprivileged":        util.IsFalseOrEmpty(inst.ExpandedConfig()["security.privileged"]) || sysOS.RunningInUserNS,
+			"zfs_delegation":      !inst.IsPrivileged() && storageDrivers.ZFSSupportsDelegation() && util.PathExists("/dev/zfs"),
 		})
 		if err != nil {
 			return "", err

diff --git a/internal/server/apparmor/instance_lxc.go b/internal/server/apparmor/instance_lxc.go
@@ -37,6 +37,12 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
   deny /proc/sys/fs/binfmt_misc/{,**} rwklx,
 {{- end }}
 
+{{- if .zfs_delegation }}
+
+  # Handle binfmt
+  mount fstype=zfs,
+{{- end }}
+
   # Handle cgroupfs
   mount options=(ro,nosuid,nodev,noexec,remount,strictatime) -> /sys/fs/cgroup/,