[lxc-users] lxc-start fails at apparmor detection

Tom Weber l_lxc-users at mail2news.4t2.com
Wed Aug 6 09:09:21 UTC 2014


On Tuesday, 05.08.2014, 23:34 +0000, Serge Hallyn wrote:
> Quoting Tom Weber (l_lxc-users at mail2news.4t2.com):
>  
> > The patch works in the regard that the container starts and the apparmor
> > profile is set. 
> > But I can't find the Warning message anywhere (tried lxc-start -n webv1
> > -d -l DEBUG) - but maybe that's a more general problem. Oh, and there is
> > a typo: Apparmor ount
> > 
> > My opinion as an admin is that this check isn't needed in lxc itself.
> > Apparmor spits a warning during aa lxc-profile loading - sane admins
> > wouldn't ignore this.
> 
> We're not just talking about "sane admins" though.  We're talking about
> everyday users using containers.  And they're not building their own
> misconfigured kernels.  It happens, certainly while using the development
> release, that you get a kernel for which the apparmor set wasn't ready
> yet and mount restrictions weren't ready.
> 
> Maybe the patch should be modified to only allow the container to
> proceed if cap_sys_admin is being dropped.

So if I _want_ an insecure container with cap_sys_admin (for whatever
reason like testing or development - and yes, sometimes I might want
this!) you'd force me to install an apparmor mount supported kernel
where I'd comment out the mount rules in the apparmor profile? Just to
make that thing start?

Just because there's a feature in the kernel (and it's nothing else your
stat does) doesn't mean that the other end of the system that's
responsible for enforcing/using it does really use it.  This test
implies security where no security is.

I don't think a readable /proc/kcore inside a container or access to
dmesg is very secure either - as in the default config.
I could mount proc on /proc_insecure and create whatever /dev/ nodes I
like anywhere I want and lxc wouldn't warn me about this at all.
But you wouldn't allow me to start a container if the _kernel_ lacks
aa-mount support and I don't drop cap_sys_admin? Really?

This test belongs in lxc-checkconfig and should print out a big fat
warning - right now it's not even mentioned there.

Regards,
  Tom
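The check Tom proposes for lxc-checkconfig, written out as an added example (this is not code from the thread or from the lxc project). It assumes that the kernel advertises AppArmor mount mediation as a "mount" entry under the securityfs features directory, by default /sys/kernel/security/apparmor/features (the directory is a parameter so the check can run against constructed test data), and that the container config drops capabilities with "lxc.cap.drop = ..." lines. Rather than refusing to start the container, it prints a verdict line that distinguishes the harmless case (cap_sys_admin dropped, so the profile's mount rules are not what keeps the container in) from the one the thread is about (cap_sys_admin kept, mount rules present in the profile but unenforceable by the kernel).

```shell
#!/bin/sh
# Added example, not code from the thread or from the lxc project.
# An lxc-checkconfig-style check for the case argued above: AppArmor mount
# mediation missing from the running kernel while the container keeps
# cap_sys_admin. Assumptions (not stated in the thread):
#   - the kernel advertises mount mediation as a "mount" entry under the
#     AppArmor securityfs features directory, by default
#     /sys/kernel/security/apparmor/features; the directory is a parameter
#     so the check can be run against constructed test data
#   - the container config drops capabilities with "lxc.cap.drop = ..." lines

# 0 if the kernel reports AppArmor mount mediation, 1 otherwise.
aa_mount_supported() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    [ -d "$features_dir/mount" ]
}

# 0 if any lxc.cap.drop line in the config lists sys_admin, 1 otherwise.
config_drops_sys_admin() {
    cfg="$1"
    grep -E '^[[:space:]]*lxc\.cap\.drop[[:space:]]*=' "$cfg" 2>/dev/null \
        | sed 's/^[^=]*=//' \
        | tr ' \t' '\n\n' \
        | grep -qx 'sys_admin'
}

# Prints one verdict line in lxc-checkconfig style. The warning case is the
# one the thread is about: the profile's mount rules exist, but the kernel
# cannot enforce them, and cap_sys_admin is still available inside the
# container, so the rules give no protection.
aa_mount_check() {
    features_dir="$1"
    cfg="$2"
    if aa_mount_supported "$features_dir"; then
        echo "Apparmor mount restrictions: enabled"
    elif config_drops_sys_admin "$cfg"; then
        echo "Apparmor mount restrictions: missing (cap_sys_admin is dropped, so mount rules are not relied on)"
    else
        echo "Apparmor mount restrictions: MISSING - container keeps cap_sys_admin, profile mount rules will NOT be enforced"
    fi
}

# Demo on constructed data: a features directory without "mount" (a kernel
# whose AppArmor lacks mount mediation) and a dev container that drops a
# few capabilities but not sys_admin.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/features"
    printf 'lxc.utsname = webv1\nlxc.cap.drop = mac_admin mac_override\n' \
        > "$tmp/webv1.conf"
    aa_mount_check "$tmp/features" "$tmp/webv1.conf"
    rm -rf "$tmp"
}

demo
```

Run against a real host, `aa_mount_check /sys/kernel/security/apparmor/features /var/lib/lxc/webv1/config` reports which of the three states applies; the point of keeping it a warning rather than a hard failure is exactly the dev/test case in the post, where the admin knowingly keeps cap_sys_admin.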



More information about the lxc-users mailing list