[lxc-users] lxc-start fails at apparmor detection
Dwight Engen
dwight.engen at oracle.com
Thu Aug 7 21:23:28 UTC 2014
On Tue, 05 Aug 2014 13:53:58 +0200
Tom Weber <l_lxc-users at mail2news.4t2.com> wrote:
> Hello,
>
> my setup:
> debian7
> lxc-1.0.4 from debian testing
> vanilla kernel.org kernel 3.14.14
>
> I'm new to lxc and apparmor, so this took me a couple of hours to
> figure:
> lxc-start won't assign an apparmor-profile to a container since its
> test for apparmor will always fail on my setup:
> in src/lxc/lsm/apparmor:
> the apparmor_enabled() tests for AA_MOUNT_RESTR
> (/sys/kernel/security/apparmor/features/mount/mask) first, which will
> never exist without that apparmor mount patch in the kernel.
>
> commenting out that test gives me apparmor functionality (except for
> that mount feature of course).
>
> Is that intentional or just an ancient relic?
> I'd prefer to have apparmor profile support without mount restrictions
> over no apparmor profile support at all. apparmor gives me warnings
> like:
>
> Warning from /etc/apparmor.d/lxc-containers
> (/etc/apparmor.d/lxc-containers line 8): profile
> lxc-container-default mount rules not enforced
>
> when starting up, which is what I expect and something I can deal with
> as admin. I think lxc-start should activate the requested profile
> anyway.
>
> Oh, and a little log message whether lxc-start detected apparmor or not
> and activates it would be _very_ helpful :)
lsm_init() INFO()s which lsm backend was detected, and
apparmor_process_label_set() INFO()s which profile it's setting, so you
should see those in the log if your --logpriority is set accordingly.
> related question: dropping sys_admin cap for the container should
> render all the mount protections from apparmor unnecessary, right?
>
> Regards,
> Tom
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
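Added example, not lxc's own code: a shell probe that mirrors the two-step detection order the message describes (mount feature mask first, then the module's enabled flag) beside a relaxed variant that skips the mask test as Tom did and instead warns that mount rules will not be enforced. The root-prefix argument is an assumption so the probe can be exercised against a constructed sysfs tree; leave it empty to probe the live system.

```shell
# Strict probe: same order as described above (mount mask first, then the
# enabled flag). ROOT (arg 1, assumed for testing) prefixes the sysfs paths.
# The exit status encodes why detection failed so a caller can log it.
aa_probe() {
    root="${1:-}"
    mask="$root/sys/kernel/security/apparmor/features/mount/mask"
    enabled="$root/sys/module/apparmor/parameters/enabled"

    if [ ! -r "$mask" ]; then
        echo "apparmor: no mount feature mask at $mask; strict probe reports AppArmor absent" >&2
        return 2
    fi
    aa_enabled_flag "$enabled"
}

# Shared second step: the kernel writes 'Y' to the enabled parameter.
aa_enabled_flag() {
    flag=""
    [ -r "$1" ] || { echo "apparmor: $1 missing" >&2; return 3; }
    IFS= read -r flag < "$1" || true
    if [ "$flag" != "Y" ]; then
        echo "apparmor: module present but not enabled (flag='$flag')" >&2
        return 4
    fi
    return 0
}

# Relaxed probe: what commenting out the mask test gives. AppArmor is still
# used; the admin is told up front that the profile's mount rules are inert,
# which is the warning apparmor_parser also prints at start-up.
aa_probe_relaxed() {
    root="${1:-}"
    mask="$root/sys/kernel/security/apparmor/features/mount/mask"
    aa_enabled_flag "$root/sys/module/apparmor/parameters/enabled" || return $?
    if [ ! -r "$mask" ]; then
        echo "apparmor: enabled, but mount rules in the profile will not be enforced" >&2
    else
        echo "apparmor: enabled with mount restrictions"
    fi
    return 0
}
```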