[lxc-users] lxc-start fails at apparmor detection

Tom Weber l_lxc-users at mail2news.4t2.com
Tue Aug 5 11:53:58 UTC 2014


Hello,

my setup: 
debian7 
lxc-1.0.4 from debian testing
vanilla kernel.org kernel 3.14.14

I'm new to lxc and apparmor, so this took me a couple of hours to
figure out:
lxc-start won't assign an apparmor profile to a container since its
test for apparmor will always fail on my setup:
in src/lxc/lsm/apparmor:
the apparmor_enabled() function tests for AA_MOUNT_RESTR
(/sys/kernel/security/apparmor/features/mount/mask) first, which will
never exist without that apparmor mount patch in the kernel. 

commenting out that test gives me apparmor functionality (except for
that mount feature of course).

Is that intentional or just an ancient relic?
I'd prefer to have apparmor profile support without mount restrictions
over no apparmor profile support at all. apparmor gives me warnings
like: 

Warning from /etc/apparmor.d/lxc-containers (/etc/apparmor.d/lxc-containers line 8): profile lxc-container-default mount rules not enforced

when starting up, which is what I expect and something I can deal with
as admin. I think lxc-start should activate the requested profile
anyway.

Oh, and a little log message saying whether lxc-start detected apparmor
or not and activates it would be _very_ helpful :)

related question: dropping sys_admin cap for the container should render
all the mount protections from apparmor unnecessary, right?

Regards,
  Tom
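
The detection order described in the post, written out as an added example (this is not lxc's own code, and the function names, the RESULT_* flags and the throwaway fake sysfs tree under /tmp are assumptions made for the example). The strict variant checks the mount-restriction mask file before the enabled parameter, so it fails on a kernel without the mount patch; the relaxed variant only requires the enabled parameter and reports mount support separately, so a caller can confine the container anyway and log what it found.

```c
/* Added example, not lxc's own code: two AppArmor detection strategies.
 * Paths are parameters so the checks can be run against a constructed
 * fake tree as well as the real /sys files. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The two files named in the post. */
#define AA_MOUNT_RESTR  "/sys/kernel/security/apparmor/features/mount/mask"
#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"

/* Mount-restriction feature: present only with the apparmor mount patch. */
int aa_mount_feature_present(const char *mask_path)
{
    struct stat st;
    return stat(mask_path, &st) == 0;
}

/* Module parameter reads "Y" when AppArmor is enabled. */
int aa_module_enabled(const char *enabled_path)
{
    FILE *f = fopen(enabled_path, "r");
    char c;
    int n;
    if (!f)
        return 0;
    n = fscanf(f, "%c", &c);
    fclose(f);
    return n == 1 && c == 'Y';
}

/* Strict order from the post: mask file first, then the enabled flag.
 * Returns 0 on a mount-patch-less kernel even though AppArmor is up. */
int aa_enabled_strict(const char *mask_path, const char *enabled_path)
{
    if (!aa_mount_feature_present(mask_path))
        return 0;
    return aa_module_enabled(enabled_path);
}

/* Relaxed check the post asks for: require only the enabled flag and
 * report mount support separately so the caller can log a warning. */
int aa_enabled_relaxed(const char *mask_path, const char *enabled_path,
                       int *mount_support)
{
    *mount_support = aa_mount_feature_present(mask_path);
    return aa_module_enabled(enabled_path);
}

/* Hypothetical result flags for the simulation below. */
#define RESULT_ENABLED 1   /* relaxed check passed */
#define RESULT_MOUNT   2   /* mount mask file present */
#define RESULT_STRICT  4   /* strict check passed */

/* Build a constructed fake sysfs under /tmp, run both checks against it,
 * remove it again and return a bitmask of RESULT_* flags. */
int simulate(int with_mount_mask, const char *enabled_value)
{
    char base[64], dirs[3][128], mask[256], enabled[256];
    FILE *f;
    int result = 0, mount_support = 0;

    snprintf(base, sizeof base, "/tmp/aa-detect-%ld", (long)getpid());
    snprintf(dirs[0], sizeof dirs[0], "%s/features", base);
    snprintf(dirs[1], sizeof dirs[1], "%s/features/mount", base);
    snprintf(dirs[2], sizeof dirs[2], "%s/parameters", base);
    snprintf(mask, sizeof mask, "%s/mask", dirs[1]);
    snprintf(enabled, sizeof enabled, "%s/enabled", dirs[2]);

    mkdir(base, 0700);
    mkdir(dirs[0], 0700);
    mkdir(dirs[1], 0700);
    mkdir(dirs[2], 0700);
    if (with_mount_mask && (f = fopen(mask, "w"))) {
        fputs("mount umount pivot_root\n", f);   /* constructed content */
        fclose(f);
    }
    if ((f = fopen(enabled, "w"))) {
        fputs(enabled_value, f);
        fclose(f);
    }

    if (aa_enabled_strict(mask, enabled))
        result |= RESULT_STRICT;
    if (aa_enabled_relaxed(mask, enabled, &mount_support))
        result |= RESULT_ENABLED;
    if (mount_support)
        result |= RESULT_MOUNT;

    unlink(mask);
    unlink(enabled);
    rmdir(dirs[2]);
    rmdir(dirs[1]);
    rmdir(dirs[0]);
    rmdir(base);
    return result;
}

/* Stand-alone use: report what the real /sys files say on this host. */
int main(void)
{
    int mount_support;
    int enabled = aa_enabled_relaxed(AA_MOUNT_RESTR, AA_ENABLED_FILE,
                                     &mount_support);
    printf("apparmor enabled: %s, mount restrictions: %s, strict check: %s\n",
           enabled ? "yes" : "no", mount_support ? "yes" : "no",
           aa_enabled_strict(AA_MOUNT_RESTR, AA_ENABLED_FILE) ? "pass" : "fail");
    return 0;
}
```

On a host like the one in the post (AppArmor enabled, no mount patch) the strict check reports "fail" while the relaxed one reports enabled without mount restrictions, which is exactly the case the post wants lxc-start to handle by loading the profile and logging the missing feature.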