[lxc-users] some questions about lxc with apparmor
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Sep 15 22:17:44 UTC 2014
Quoting Weng Meiling (wengmeiling.weng at huawei.com):
> Hi guys,
>
> I want to use apparmor to do some limits on the container, but I can't succeed.
>
> my environment:
>
> template: suse template
>
> lxc: 1.0.0.beta1 // built with apparmor enabled
>
> apparmor:
> # rpm -qa | grep apparmor
> apparmor-dbus-2.3-3.22
> libapparmor1-2.5.1.r1445-55.57.47
> yast2-apparmor-2.17.12-0.5.73
> perl-apparmor-2.5.1.r1445-55.57.47
> apparmor-utils-2.5.1.r1445-55.57.47
> apparmor-profile-editor-0.9.1-268.35
> libapparmor1-32bit-2.5.1.r1445-55.57.47
> apparmor-profiles-2.5.1.r1445-52.55.1
> apparmor-admin_en-10.3-8.24.1
> apparmor-docs-2.5.1.r1445-55.57.47
> apparmor-parser-2.5.1.r1445-55.57.47
> apparmorapplet-gnome-0.9-81.16.57
> libapparmor-devel-2.5.1.r1445-55.57.47
>
> kernel:
> upstream 3.4 kernel and 3.16 kernel
>
> # cat config | grep APPARMOR
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_APPARMOR_COMPAT_24=y
> CONFIG_DEFAULT_SECURITY_APPARMOR=y
>
> # cat /sys/module/apparmor/parameters/enabled
> Y
>
> but when I specify the apparmor profile with lxc.aa_profile, the container starts, but the profile is
> not effective; from the debug messages I found the lsm drv is always nop. I found the comment "The nop driver
> is used when LXC has compiled in support for AppArmor or SELinux but neither is enabled in the run time
> environment." Doesn't /sys/module/apparmor/parameters/enabled show apparmor enabled in the run time environment?
>
> and it's strange that the lsm drv initialization in lsm_init() always returns at the first check:
>
> __attribute__((constructor))
> void lsm_init(void)
> {
>     if (drv) {
>         INFO("LSM security driver %s", drv->name);
>         return;
>     }
>
> #if HAVE_APPARMOR
>     drv = lsm_apparmor_drv_init();
> #endif
> #if HAVE_SELINUX
>     if (!drv)
>         drv = lsm_selinux_drv_init();
> #endif
>
>     if (!drv)
>         drv = lsm_nop_drv_init();
>     INFO("Initialized LSM security driver %s", drv->name);
> }
>
> but I didn't see any other place that initializes drv. Who does the initialization?
>
> Then I changed the kernel to linux-apparmor v3.4-aa2.8, which has the ubuntu apparmor patches;
> although lxc.aa_profile took effect, the container failed to start:
Sorry I'd missed this in your email earlier. So that's why the mount features
are enabled - good.
> # lxc-start -n wml -f config -o wml -l DEBUG
> lxc-start: No such file or directory - failed to change exec apparmor profile to lxc-default
Are the apparmor profiles for lxc installed? In particular you need:
/etc/apparmor.d/usr.bin.lxc-start
/etc/apparmor.d/abstractions/lxc/container-base
/etc/apparmor.d/abstractions/lxc/start-container
/etc/apparmor.d/lxc/lxc-default
Ah, and then something needs to load those profiles - which probably is what
isn't being done for you. The ubuntu packages do that with the upstart
job, which does:
/lib/init/apparmor-profile-load usr.bin.lxc-start
/lib/init/apparmor-profile-load lxc-containers
Does that by chance fix it for you?
> lxc-start: invalid sequence number 1. expected 4
> lxc-start: failed to spawn 'wml'
>
> Then I found that the latest lxc code removed the aa_change_onexec() call, so I changed the code, but it
> still errors:
>
> # lxc-start -n wml -f config -o wml -l DEBUG
> lxc-start: No such file or directory - failed to change apparmor profile to lxc-default
> lxc-start: invalid sequence number 1. expected 4
> lxc-start: failed to spawn 'wml'
>
> Did I do anything wrong? Must I use ubuntu if I want to use lxc with apparmor?
> Any suggestion is appreciated. Thanks!
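The checks Serge lists (AppArmor enabled in the kernel, the four profile files installed, and the profiles actually loaded) can be scripted. The following is an added diagnostic written for this page; it is not part of the thread and not code from the LXC project. It assumes the profile name lxc-default from the thread and the apparmorfs profile listing at /sys/kernel/security/apparmor/profiles, which lists loaded profiles one per line as "<name> (<mode>)". The optional ROOT argument prefixes every path so the function can be run against a constructed directory tree instead of the live host.

```shell
#!/bin/sh
# Added diagnostic (not LXC's own code): verify the preconditions for
# lxc.aa_profile that the thread mentions. Usage: check_lxc_apparmor [ROOT]
# ROOT ("" by default) is prepended to every path so a test tree can be used.
# Prints one line per check and returns the number of failed checks.
check_lxc_apparmor() {
    root="${1:-}"
    failed=0

    # 1. Kernel-side switch, the same file the poster already inspected.
    enabled="$root/sys/module/apparmor/parameters/enabled"
    if [ -r "$enabled" ] && [ "$(cat "$enabled")" = "Y" ]; then
        echo "ok   kernel apparmor enabled"
    else
        echo "FAIL kernel apparmor not enabled ($enabled)"
        failed=$((failed + 1))
    fi

    # 2. Profile files lxc-start needs, as listed in the reply.
    for f in usr.bin.lxc-start \
             abstractions/lxc/container-base \
             abstractions/lxc/start-container \
             lxc/lxc-default; do
        if [ -f "$root/etc/apparmor.d/$f" ]; then
            echo "ok   installed /etc/apparmor.d/$f"
        else
            echo "FAIL missing /etc/apparmor.d/$f"
            failed=$((failed + 1))
        fi
    done

    # 3. Profiles loaded into the kernel. Installed files are not enough:
    #    something (the Ubuntu upstart job in the reply) must load them.
    #    apparmorfs lists loaded profiles as "<name> (<mode>)", root-readable.
    loaded="$root/sys/kernel/security/apparmor/profiles"
    for p in /usr/bin/lxc-start lxc-default; do
        if [ -r "$loaded" ] && grep -q "^$p (" "$loaded"; then
            echo "ok   loaded $p"
        else
            echo "FAIL not loaded $p (load it with apparmor_parser -r)"
            failed=$((failed + 1))
        fi
    done

    return "$failed"
}
```

Source the file and call check_lxc_apparmor with no argument to inspect the live host; run it as root, since the profile list under /sys/kernel/security/apparmor is not world-readable. A "FAIL not loaded" line with all four files present is the situation described in the reply: the profiles exist on disk but nothing has loaded them.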