[lxc-users] some questions about lxc with apparmor

Weng Meiling wengmeiling.weng at huawei.com
Fri Sep 12 10:20:57 UTC 2014


Hi guys,

I want to use apparmor to put some limits on a container, but I can't succeed.

My environment:

template: suse template

lxc: 1.0.0.beta1  // built with apparmor enabled

apparmor:
# rpm -qa | grep apparmor
apparmor-dbus-2.3-3.22
libapparmor1-2.5.1.r1445-55.57.47
yast2-apparmor-2.17.12-0.5.73
perl-apparmor-2.5.1.r1445-55.57.47
apparmor-utils-2.5.1.r1445-55.57.47
apparmor-profile-editor-0.9.1-268.35
libapparmor1-32bit-2.5.1.r1445-55.57.47
apparmor-profiles-2.5.1.r1445-52.55.1
apparmor-admin_en-10.3-8.24.1
apparmor-docs-2.5.1.r1445-55.57.47
apparmor-parser-2.5.1.r1445-55.57.47
apparmorapplet-gnome-0.9-81.16.57
libapparmor-devel-2.5.1.r1445-55.57.47

kernel:
upstream 3.4 kernel and 3.16 kernel

# cat config | grep APPARMOR
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_COMPAT_24=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y

# cat /sys/module/apparmor/parameters/enabled
Y

But when I specify the apparmor profile with lxc.aa_profile, the container starts, but the profile is
not effective; from the debug messages I found that the LSM drv is always nop. I found the comment "The nop driver
is used when LXC has compiled in support for AppArmor or SELinux but neither is enabled in the run time
environment."  Doesn't /sys/module/apparmor/parameters/enabled show that apparmor is enabled in the run time environment?

And it's strange that the LSM drv initialization in lsm_init() always returns at the first check:

__attribute__((constructor))
void lsm_init(void)
{
	if (drv) {
		INFO("LSM security driver %s", drv->name);
		return;
	}

	#if HAVE_APPARMOR
	drv = lsm_apparmor_drv_init();
	#endif
	#if HAVE_SELINUX
	if (!drv)
		drv = lsm_selinux_drv_init();
	#endif

	if (!drv)
		drv = lsm_nop_drv_init();
	INFO("Initialized LSM security driver %s", drv->name);
}

But I didn't see any other place that initializes the drv. Who does the initialization?

Then I changed the kernel to linux-apparmor v3.4-aa2.8, which has the Ubuntu apparmor patches;
although lxc.aa_profile takes effect, the container fails to start:

# lxc-start -n wml -f config -o wml -l DEBUG
lxc-start: No such file or directory - failed to change exec apparmor profile to lxc-default
lxc-start: invalid sequence number 1. expected 4
lxc-start: failed to spawn 'wml'

Then I found that the latest lxc code removes the aa_change_onexec(), so I changed the code, but it
still errors:

# lxc-start -n wml -f config -o wml -l DEBUG
lxc-start: No such file or directory - failed to change apparmor profile to lxc-default
lxc-start: invalid sequence number 1. expected 4
lxc-start: failed to spawn 'wml'

Did I do anything wrong?  Must I use Ubuntu if I want to use lxc with apparmor?
Any suggestion is appreciated. Thanks!
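As an added diagnostic (not part of the original post and not LXC's own code), the following shell script reproduces the runtime checks behind the nop-versus-apparmor decision against a root prefix, so each failure mode can be exercised offline against a constructed sysfs tree. The features/mount/mask check is what the LXC 1.0 apparmor driver required as the editor recalls it, and is an assumption.

```shell
#!/bin/sh
# Mirror the runtime checks that decide whether an AppArmor LSM driver is
# usable, against a ROOT prefix so the logic can be exercised offline.
# The first two paths are the kernel's; the features/mount/mask check is
# (as an assumption, from memory of that source) what the LXC 1.0 apparmor
# driver required before choosing the apparmor driver instead of nop.

# aa_runtime_status ROOT  -> prints one status word, exit 0 only on "ok":
#   no-module           enabled file missing or not "Y"
#   no-securityfs       /sys/kernel/security/apparmor absent
#   no-mount-mediation  apparmor is up but lacks mount mediation features
#   ok                  every check passed
aa_runtime_status() {
    root="${1:-}"
    enabled="$root/sys/module/apparmor/parameters/enabled"
    aadir="$root/sys/kernel/security/apparmor"
    mountmask="$aadir/features/mount/mask"
    first=""
    if [ -r "$enabled" ]; then read -r first < "$enabled" || :; fi
    case "$first" in
        Y*) ;;
        *)  echo "no-module"; return 1 ;;
    esac
    [ -d "$aadir" ]     || { echo "no-securityfs"; return 1; }
    [ -f "$mountmask" ] || { echo "no-mount-mediation"; return 1; }
    echo "ok"
}

# make_fake_sysfs ROOT STATE builds a constructed sysfs-like tree for
# testing; STATE is disabled, no-securityfs, no-mount or full.
make_fake_sysfs() {
    root="$1"; state="$2"
    mkdir -p "$root/sys/module/apparmor/parameters"
    if [ "$state" = disabled ]; then val=N; else val=Y; fi
    printf '%s\n' "$val" > "$root/sys/module/apparmor/parameters/enabled"
    case "$state" in
        no-mount) mkdir -p "$root/sys/kernel/security/apparmor" ;;
        full)     mkdir -p "$root/sys/kernel/security/apparmor/features/mount"
                  printf 'mount umount pivot_root\n' \
                      > "$root/sys/kernel/security/apparmor/features/mount/mask" ;;
    esac
}

# Check the live system (empty prefix); "|| :" keeps a non-ok result from
# aborting a caller that runs with set -e.
aa_runtime_status "" || :
```

Run it on the host to see which of the four checks fails there; a result other than "ok" is the condition under which the driver selection falls back to nop.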
