[lxc-users] some questions about lxc with apparmor

Weng Meiling wengmeiling.weng at huawei.com
Mon Sep 15 01:40:28 UTC 2014


On 2014/9/12 22:22, Serge Hallyn wrote:
> Quoting Weng Meiling (wengmeiling.weng at huawei.com):
>> Hi guys,
>>
>> I want to use apparmor to do some limits on container, but I can't succeed.
>>
>> my environment:
>>
>> template: suse template
>>
>> lxc: 1.0.0.beta1  //built with apparmor enabled
>>
>> apparmor:
>> # rpm -qa | grep apparmor
>> apparmor-dbus-2.3-3.22
>> libapparmor1-2.5.1.r1445-55.57.47
>> yast2-apparmor-2.17.12-0.5.73
>> perl-apparmor-2.5.1.r1445-55.57.47
>> apparmor-utils-2.5.1.r1445-55.57.47
>> apparmor-profile-editor-0.9.1-268.35
>> libapparmor1-32bit-2.5.1.r1445-55.57.47
>> apparmor-profiles-2.5.1.r1445-52.55.1
>> apparmor-admin_en-10.3-8.24.1
>> apparmor-docs-2.5.1.r1445-55.57.47
>> apparmor-parser-2.5.1.r1445-55.57.47
>> apparmorapplet-gnome-0.9-81.16.57
>> libapparmor-devel-2.5.1.r1445-55.57.47
>>
>> kernel:
>> upstream 3.4 kernel and 3.16 kernel
>>
>> # cat config | grep APPARMOR
>> CONFIG_SECURITY_APPARMOR=y
>> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> CONFIG_SECURITY_APPARMOR_COMPAT_24=y
>> CONFIG_DEFAULT_SECURITY_APPARMOR=y
>>
>> # cat /sys/module/apparmor/parameters/enabled
>> Y
> 
> What does /sys/kernel/security/apparmor/features/mount/mask show?
> 

Thanks for quick reply!

The file content:

# cat /sys/kernel/security/apparmor/features/mount/mask
mount umount
> That depends on some new apparmor features still making their
> way upstream.  
> 
> The current behavior when these are missing is not right, but hasn't
> yet been fixed.  We should either fail the container startup, clearly
> warning the user that the full apparmor profile wouldn't have been
> enabled, or we should warn the user (which will likely get lost) and
> go ahead and load the apparmor profile.
> 
> Well, or better, we could scan the apparmor profile for features which
> would require the mount feature.  I'm not quite sure whether that's
> possible though.
> 
> -serge
> 
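As an added example (not LXC's own code and not something from this thread), the following POSIX sh script does the check Serge sketches at the end: it reads the kernel feature mask he asks about, scans an LXC AppArmor profile for rules that need mount mediation (mount, remount, umount/unmount, pivot_root, with or without a deny/audit prefix), and refuses with exit status 2 when the profile has such rules but the kernel cannot enforce them. The mask path is the one named in the thread; the exit-status convention, the function names and the demo profile are assumptions made for this example. The scan does not follow #include lines, so run it against each included abstraction as well.

```shell
#!/bin/sh
# Added example, not code from LXC or from this thread: check whether the
# running kernel's AppArmor offers mount mediation, and scan an LXC AppArmor
# profile for rules that would need it, so a profile that the kernel could
# only partly enforce is reported before the container starts.

# Feature mask the thread refers to; can be overridden (e.g. for testing).
APPARMOR_MOUNT_MASK="${APPARMOR_MOUNT_MASK:-/sys/kernel/security/apparmor/features/mount/mask}"

# apparmor_mount_supported [mask_file]
# Succeeds only if the mask file is readable and lists both "mount" and "umount".
apparmor_mount_supported() {
    mask_file="${1:-$APPARMOR_MOUNT_MASK}"
    [ -r "$mask_file" ] || return 1
    mask=$(cat "$mask_file")
    case " $mask " in *" mount "*) ;; *) return 1 ;; esac
    case " $mask " in *" umount "*) return 0 ;; *) return 1 ;; esac
}

# profile_mount_rules profile_file
# Prints the rule lines that require mount mediation (mount, remount,
# umount/unmount, pivot_root, optionally prefixed by deny/audit).
# Comments and #include lines are dropped; included files are NOT followed.
profile_mount_rules() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" |
        grep -E '^((deny|audit)[[:space:]]+)*(mount|remount|umount|unmount|pivot_root)([[:space:]]|,|$)'
}

# check_profile profile_file [mask_file]
# Exit status 0: the profile will be fully enforced (or needs no mount rules).
# Exit status 2: the profile has mount rules the kernel cannot enforce
#                (the convention is an assumption of this example).
check_profile() {
    profile="$1"
    mask_file="${2:-$APPARMOR_MOUNT_MASK}"
    rules=$(profile_mount_rules "$profile" || true)
    if [ -z "$rules" ]; then
        echo "ok: $profile contains no mount rules"
        return 0
    fi
    count=$(printf '%s\n' "$rules" | grep -c .)
    if apparmor_mount_supported "$mask_file"; then
        echo "ok: kernel mediates mount; $count mount rule(s) in $profile will be enforced"
        return 0
    fi
    echo "error: $profile has $count mount rule(s) but the kernel's AppArmor lacks the mount feature:" >&2
    printf '%s\n' "$rules" | sed 's/^/  /' >&2
    return 2
}

# Stand-alone demo: report the running kernel, then check a constructed
# profile (the rules below are made up for this example).
if apparmor_mount_supported; then
    echo "kernel: mount mediation available ($(cat "$APPARMOR_MOUNT_MASK"))"
else
    echo "kernel: mount mediation not available (no usable $APPARMOR_MOUNT_MASK)"
fi
demo_dir=$(mktemp -d)
cat > "$demo_dir/lxc-demo-profile" <<'EOF'
#include <tunables/global>
profile lxc-demo flags=(attach_disconnected,mediate_deleted) {
  network,
  capability sys_admin,
  mount fstype=proc -> /proc/,
  deny mount fstype=debugfs -> /sys/kernel/debug/,
  umount /mnt/**,
  pivot_root /oldroot/ -> /,
}
EOF
check_profile "$demo_dir/lxc-demo-profile" || echo "check_profile exit status: $?"
rm -rf "$demo_dir"
```

On a kernel like the one in the thread (mask reads "mount umount") the demo profile passes; on a kernel whose mask file is missing or lists only "mount", the script prints the offending rules and exits 2, which is the "fail the container startup, clearly warning the user" behaviour Serge describes, done before lxc-start rather than inside it.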