[lxc-users] some questions about lxc with apparmor

Serge Hallyn serge.hallyn at ubuntu.com
Fri Sep 12 14:22:58 UTC 2014


Quoting Weng Meiling (wengmeiling.weng at huawei.com):
> Hi guys,
> 
> I want to use apparmor to do some limits on a container, but I can't succeed.
> 
> my environment:
> 
> template: suse template
> 
> lxc: 1.0.0.beta1  // built with apparmor enabled
> 
> apparmor:
> # rpm -qa | grep apparmor
> apparmor-dbus-2.3-3.22
> libapparmor1-2.5.1.r1445-55.57.47
> yast2-apparmor-2.17.12-0.5.73
> perl-apparmor-2.5.1.r1445-55.57.47
> apparmor-utils-2.5.1.r1445-55.57.47
> apparmor-profile-editor-0.9.1-268.35
> libapparmor1-32bit-2.5.1.r1445-55.57.47
> apparmor-profiles-2.5.1.r1445-52.55.1
> apparmor-admin_en-10.3-8.24.1
> apparmor-docs-2.5.1.r1445-55.57.47
> apparmor-parser-2.5.1.r1445-55.57.47
> apparmorapplet-gnome-0.9-81.16.57
> libapparmor-devel-2.5.1.r1445-55.57.47
> 
> kernel:
> upstream 3.4 kernel and 3.16 kernel
> 
> # cat config | grep APPARMOR
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_APPARMOR_COMPAT_24=y
> CONFIG_DEFAULT_SECURITY_APPARMOR=y
> 
> # cat /sys/module/apparmor/parameters/enabled
> Y

What does /sys/kernel/security/apparmor/features/mount/mask show?

That depends on some new apparmor features still making their
way upstream.  

The current behavior when these are missing is not right, but hasn't
yet been fixed.  We should either fail the container startup, clearly
warning the user that the full apparmor profile wouldn't have been
enabled, or we should warn the user (which will likely get lost) and
go ahead and load the apparmor profile.

Well, or better, we could scan the apparmor profile for features which
would require the mount feature.  I'm not quite sure whether that's
possible though.

-serge
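The check Serge asks about (whether the kernel exposes mount mediation under the apparmor features directory) and the profile scan he proposes (does the profile contain rules that only a mount-aware kernel can enforce) are written out below as an added, stand-alone shell example. It is not code from LXC or from either poster. The features directory and profile path are taken as arguments so it can be run against a constructed fake tree; the default features path, the `mount/mask` file and the set of rule keywords treated as "needs mount mediation" (mount, umount, remount, pivot_root) are the assumptions it encodes.

```sh
#!/bin/sh
# Added example (not LXC's own code): decide whether an AppArmor profile
# that uses mount rules can actually be enforced on the running kernel,
# instead of silently loading a weaker profile.
#
# Assumptions (not stated in the original thread):
#   - a kernel that mediates mount exposes <features_dir>/mount/mask
#   - a profile "needs" mount mediation when it contains mount, umount,
#     remount or pivot_root rules (optionally prefixed by audit/deny)

# apparmor_mount_mediation [features_dir]
# Prints the kernel's mount mask and returns 0 when mount mediation is
# available; returns 1 when the file is absent or empty.
apparmor_mount_mediation() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    mask_file="$features_dir/mount/mask"
    [ -r "$mask_file" ] || return 1
    mask=$(cat "$mask_file")
    [ -n "$mask" ] || return 1
    printf '%s\n' "$mask"
}

# profile_needs_mount <profile_file>
# Returns 0 if the profile contains rules that require mount mediation.
profile_needs_mount() {
    grep -Eq \
        '^[[:space:]]*((audit|deny)[[:space:]]+)*(mount|umount|remount|pivot_root)([[:space:]]|,)' \
        "$1"
}

# check_profile <features_dir> <profile_file>
# Returns 0 when the profile can be enforced as written (either the kernel
# mediates mount, or the profile has no mount rules), 1 when the profile
# needs mount mediation that this kernel does not report.  This is the
# "fail clearly instead of loading a partial profile" option from the reply.
check_profile() {
    features_dir="$1"
    profile="$2"
    if ! profile_needs_mount "$profile"; then
        echo "$profile: no mount rules, mount mediation not required"
        return 0
    fi
    if mask=$(apparmor_mount_mediation "$features_dir"); then
        echo "$profile: kernel mediates mount ($mask), profile can be enforced"
        return 0
    fi
    echo "ERROR: $profile uses mount rules but the kernel reports no mount mediation" >&2
    return 1
}

# Demo on a constructed tree (sample values, not copied from a real system):
# one fake kernel that advertises mount mediation, one that does not, and a
# container-style profile that uses a mount rule.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/with/mount" "$tmp/without"
    echo 'mount umount pivot_root' > "$tmp/with/mount/mask"
    printf 'profile lxc-demo {\n  mount options=(rw,bind),\n  /bin/** rmix,\n}\n' \
        > "$tmp/demo.prof"
    check_profile "$tmp/with" "$tmp/demo.prof" || echo "unexpected failure"
    check_profile "$tmp/without" "$tmp/demo.prof" || echo "refusing to start container"
    rm -rf "$tmp"
}

demo
```

Run it as-is to see both outcomes; on a real host call `check_profile /sys/kernel/security/apparmor/features /etc/apparmor.d/lxc/lxc-default` (or whatever profile the container uses). The regex only looks at rule keywords at the start of a line, so a profile that pulls mount rules in via `#include` would need the same scan applied to the included files.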
