[lxc-users] lxc-start fails at apparmor detection

Dwight Engen dwight.engen at oracle.com
Thu Aug 7 21:23:28 UTC 2014


On Tue, 05 Aug 2014 13:53:58 +0200
Tom Weber <l_lxc-users at mail2news.4t2.com> wrote:

> Hello,
> 
> my setup: 
> debian7 
> lxc-1.0.4 from debian testing
> vanilla kernel.org kernel 3.14.14
> 
> I'm new to lxc and apparmor, so this took me a couple of hours to
> figure:
> lxc-start won't assign an apparmor-profile to a container since its
> test for apparmor will always fail on my setup:
> in src/lxc/lsm/apparmor:
> the apparmor_enabled() tests for AA_MOUNT_RESTR
> (/sys/kernel/security/apparmor/features/mount/mask) first, which will
> never exist without that apparmor mount patch in the kernel. 
> 
> commenting out that test gives me apparmor functionality (except for
> that mount feature of course).
> 
> Is that intentional or just an ancient relic? 
> I'd prefer to have apparmor profile support without mount restrictions
> over no apparmor profile support at all. apparmor gives me warnings
> like: 
> 
> Warning from /etc/apparmor.d/lxc-containers
> (/etc/apparmor.d/lxc-containers line 8): profile
> lxc-container-default mount rules not enforced
> 
> when starting up, which is what I expect and something I can deal with
> as admin. I think lxc-start should activate the requested profile
> anyway.
> 
> Oh, and a little log message whether lxc-start detected apparmor or not
> and activates it would be _very_ helpful :)

lsm_init() INFO()s which lsm backend was detected, and
apparmor_process_label_set() INFO()s which profile it's setting, so you
should see those in the log if your --logpriority is set accordingly.

> related question: dropping sys_admin cap for the container should
> render all the mount protections from apparmor unnecessary, right?
> 
> Regards,
>   Tom
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
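The detection order Tom describes (the mount-feature mask file is tested first, then the enabled flag) is easy to reproduce from the shell so an admin can see which of the two conditions makes lxc-start skip the profile. This is an added example, not LXC's own code; it assumes the enabled flag lives at /sys/module/apparmor/parameters/enabled, and takes an optional root prefix so it can be run against a fake tree.

```shell
#!/bin/sh
# Diagnose AppArmor detection the way the thread describes lxc 1.0.x
# doing it: the mount mask must exist AND the enabled flag must be 'Y'.
# ROOT ("" for the real system) is prepended to both paths.

AA_MOUNT_RESTR="/sys/kernel/security/apparmor/features/mount/mask"
AA_ENABLED_FILE="/sys/module/apparmor/parameters/enabled"   # assumed path

# apparmor_flag_set ROOT -- only the enabled flag; prints the reason.
apparmor_flag_set() {
    root="${1:-}"
    f="$root$AA_ENABLED_FILE"
    if [ ! -r "$f" ]; then
        echo "no: $f unreadable (module not loaded or securityfs not mounted)"
        return 1
    fi
    flag=$(head -c 1 "$f")
    if [ "$flag" = "Y" ]; then
        echo "yes: apparmor enabled"
        return 0
    fi
    echo "no: $f reports '$flag'"
    return 1
}

# apparmor_enabled_strict ROOT -- mirrors the mount-mask-first check that
# makes lxc-start give up on kernels without the AppArmor mount patch.
apparmor_enabled_strict() {
    root="${1:-}"
    if [ ! -e "$root$AA_MOUNT_RESTR" ]; then
        echo "no: $AA_MOUNT_RESTR missing (kernel lacks AppArmor mount feature)"
        return 1
    fi
    apparmor_flag_set "$root"
}

# apparmor_mode ROOT -- one-word summary for scripts:
#   full     : profile would be applied and mount rules can be enforced
#   no-mount : AppArmor is up but mount rules cannot be enforced (Tom's case)
#   none     : no AppArmor confinement available at all
apparmor_mode() {
    root="${1:-}"
    if ! apparmor_flag_set "$root" >/dev/null; then
        echo none
        return 0
    fi
    if [ -e "$root$AA_MOUNT_RESTR" ]; then echo full; else echo no-mount; fi
}
```

Running `apparmor_mode` on a vanilla kernel with AppArmor built in but no mount patch prints `no-mount`, which is exactly the configuration where the strict check returns false.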
