[pve-devel] [RFC container 2/3] add feature flags using apparmor profile generation

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Sep 19 15:15:06 CEST 2018


> > +    my $features = PVE::LXC::Config->parse_features($conf->{features});
> > +
> > +    $raw .= make_seccomp_config($conf, $unprivileged || $custom_idmap,
> > +				$features);
> > +
> > +    $raw .= make_apparmor_config($conf, $unprivileged || $custom_idmap,
> > +				 $features);
> 
> what is the combination of '$unprivileged || $custom_idmap'`?
> In the methods called this parameter is called just '$unprivileged',
> so it's a bit confusing that it gets that also on true if an
> user/group ID mapping is used.
> 
> maybe pull that out (with your addition this || construct is used in three places)
> call it something alike $usernamespaced or $use_userns?

Right, will do. In most of these cases we don't need the precise
mapping, so they're equivalent. $unprivileged is just our config key
while $custom_idmap is when someone adds `lxc.idmap` entries manually.



More information about the pve-devel mailing list