[lxc-users] some questions about lxc with apparmor

Weng Meiling wengmeiling.weng at huawei.com
Tue Sep 16 01:25:26 UTC 2014


On 2014/9/16 6:17, Serge Hallyn wrote:
> Quoting Weng Meiling (wengmeiling.weng at huawei.com):
>> Hi guys,
>>
>> I want to use apparmor to put some limits on a container, but I can't succeed.
>>
>> my environment:
>>
>> template: suse template
>>
>> lxc: 1.0.0.beta1  // built with apparmor enabled
>>
>> apparmor:
>> # rpm -qa | grep apparmor
>> apparmor-dbus-2.3-3.22
>> libapparmor1-2.5.1.r1445-55.57.47
>> yast2-apparmor-2.17.12-0.5.73
>> perl-apparmor-2.5.1.r1445-55.57.47
>> apparmor-utils-2.5.1.r1445-55.57.47
>> apparmor-profile-editor-0.9.1-268.35
>> libapparmor1-32bit-2.5.1.r1445-55.57.47
>> apparmor-profiles-2.5.1.r1445-52.55.1
>> apparmor-admin_en-10.3-8.24.1
>> apparmor-docs-2.5.1.r1445-55.57.47
>> apparmor-parser-2.5.1.r1445-55.57.47
>> apparmorapplet-gnome-0.9-81.16.57
>> libapparmor-devel-2.5.1.r1445-55.57.47
>>
>> kernel:
>> upstream 3.4 kernel and 3.16 kernel
>>
>> # cat config | grep APPARMOR
>> CONFIG_SECURITY_APPARMOR=y
>> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> CONFIG_SECURITY_APPARMOR_COMPAT_24=y
>> CONFIG_DEFAULT_SECURITY_APPARMOR=y
>>
>> # cat /sys/module/apparmor/parameters/enabled
>> Y
>>
>> but when I specify the apparmor profile with lxc.aa_profile, the container starts, but the profile is
>> not effective; from the debug messages I found the lsm drv is always nop. I found the comment "The nop driver
>> is used when LXC has compiled in support for AppArmor or SELinux but neither is enabled in the run time
>> environment."  Doesn't /sys/module/apparmor/parameters/enabled show apparmor enabled in the run time environment?
>>
>> and it's strange that the lsm drv initialization in lsm_init() always returns at the first check:
>>
>> __attribute__((constructor))
>> void lsm_init(void)
>> {
>> 	if (drv) {
>> 		INFO("LSM security driver %s", drv->name);
>> 		return;
>> 	}
>>
>> 	#if HAVE_APPARMOR
>> 	drv = lsm_apparmor_drv_init();
>> 	#endif
>> 	#if HAVE_SELINUX
>> 	if (!drv)
>> 		drv = lsm_selinux_drv_init();
>> 	#endif
>>
>> 	if (!drv)
>> 		drv = lsm_nop_drv_init();
>> 	INFO("Initialized LSM security driver %s", drv->name);
>> }
>>
>> but I didn't see any other place that initializes the drv. Who does the initialization?
>>
>> Then I changed the kernel to linux-apparmor v3.4-aa2.8, which has the ubuntu apparmor patches;
>> although the lxc.aa_profile takes effect, the container fails to start:
> 
> Sorry I'd missed this in your email earlier.  So that's why the mount features
> are enabled - good.
> 
>> # lxc-start -n wml -f config -o wml -l DEBUG
>> lxc-start: No such file or directory - failed to change exec apparmor profile to lxc-default
> 
> Are the apparmor profiles for lxc installed?  In particular you need:
> 
> /etc/apparmor.d/usr.bin.lxc-start
> /etc/apparmor.d/abstractions/lxc/container-base
> /etc/apparmor.d/abstractions/lxc/start-container
> /etc/apparmor.d/lxc/lxc-default
> 
> Ah, and then something needs to load those profiles - which probably is what
> isn't being done for you.  The ubuntu packages do that with the upstart
> job, which does:
> 
> /lib/init/apparmor-profile-load usr.bin.lxc-start
> /lib/init/apparmor-profile-load lxc-containers
> 
> Does that by chance fix it for you?
> 
I run the container in a SUSE system. I had tried to use the apparmor profiles for lxc from ubuntu,
maybe missing the start-container file; I'll try it again. Thanks for your help! :)

>> lxc-start: invalid sequence number 1. expected 4
>> lxc-start: failed to spawn 'wml'
>>
>> Then I found the latest lxc code removed the aa_change_onexec(), so I changed the code, but it's
>> still an error:
>>
>> # lxc-start -n wml -f config -o wml -l DEBUG
>> lxc-start: No such file or directory - failed to change apparmor profile to lxc-default
>> lxc-start: invalid sequence number 1. expected 4
>> lxc-start: failed to spawn 'wml'
>>
>> Did I do anything wrong?  Must I use ubuntu if I want to use lxc with apparmor?
>> Any suggestion is appreciated. Thanks!
>>
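The checks Serge's reply implies, written out as an added shell example; this is not part of the thread and not LXC's or Ubuntu's own code. It assumes the Ubuntu /etc/apparmor.d layout he lists, the "<name> (<mode>)" line format of /sys/kernel/security/apparmor/profiles, and that /lib/init/apparmor-profile-load NAME amounts to "apparmor_parser -r /etc/apparmor.d/NAME" (the file /etc/apparmor.d/lxc-containers named in the second call is likewise an assumption). One caveat the script makes explicit: lxc.aa_profile must name a profile as declared inside a profile file ("profile lxc-container-default ... {"), not the file name on disk, and that profile must already be loaded in the kernel, otherwise the change-profile call fails with ENOENT, which is the "No such file or directory" in the log above.

```shell
#!/bin/sh
# Added example for this thread, not LXC's or Ubuntu's own code.
# Checks the three things that must hold before lxc.aa_profile can work:
# the profile files exist, the kernel has the profiles loaded, and the name
# in lxc.aa_profile is a name some profile file actually declares.
# Assumptions (not from the thread): Ubuntu's /etc/apparmor.d layout, the
# securityfs listing format "<name> (<mode>)", and that
# "/lib/init/apparmor-profile-load NAME" amounts to
# "apparmor_parser -r /etc/apparmor.d/NAME".

AA_PROFILES="${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}"

# Print the required profile files that are missing under ROOT (default: /).
# Succeeds only if none are missing.
lxc_missing_profile_files() {
    root="${1:-}"
    missing=0
    for f in /etc/apparmor.d/usr.bin.lxc-start \
             /etc/apparmor.d/abstractions/lxc/container-base \
             /etc/apparmor.d/abstractions/lxc/start-container \
             /etc/apparmor.d/lxc/lxc-default; do
        if [ ! -f "$root$f" ]; then
            echo "$root$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Print the mode (enforce/complain) of the loaded profile NAME, reading the
# securityfs listing (or FILE, for testing). Fails with 1 if NAME is not
# loaded, which is the state that makes the change-profile call return
# ENOENT; fails with 2 if the listing cannot be read at all.
aa_profile_mode() {
    name="$1"; file="${2:-$AA_PROFILES}"
    [ -r "$file" ] || { echo "cannot read $file; is apparmor enabled?" >&2; return 2; }
    awk -v want="$name" '
        /^.+ \([a-z]+\)$/ {
            mode = $NF; sub(/^\(/, "", mode); sub(/\)$/, "", mode)
            n = $0; sub(/ \([a-z]+\)$/, "", n)
            if (n == want) { print mode; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$file"
}

# Print the profile names declared in profile FILE. Both spellings are
# handled: "profile NAME ... {" and the path form "/usr/bin/lxc-start ... {".
# lxc.aa_profile must name one of these, not the file name on disk.
aa_declared_names() {
    awk '$1 == "profile" { print $2; next }
         $1 ~ /^\// && $NF == "{" { print $1 }' "$1"
}

# What the Ubuntu upstart job does, spelled out (assumed equivalent): load or
# replace both profile sets. Run as root, after the files are in place.
lxc_load_profiles() {
    apparmor_parser -r /etc/apparmor.d/usr.bin.lxc-start &&
    apparmor_parser -r /etc/apparmor.d/lxc-containers
}

# Stand-alone use: ./aa-lxc-check.sh --check
if [ "${1:-}" = "--check" ]; then
    lxc_missing_profile_files || echo "some lxc profile files are missing" >&2
    for p in /usr/bin/lxc-start lxc-container-default; do
        if m=$(aa_profile_mode "$p"); then echo "$p: $m"; else echo "$p: not loaded"; fi
    done
    echo "names declared in /etc/apparmor.d/lxc/lxc-default:"
    [ -f /etc/apparmor.d/lxc/lxc-default ] && aa_declared_names /etc/apparmor.d/lxc/lxc-default
fi
```

Run it with --check before and after loading; if "lxc-container-default: not loaded" turns into "lxc-container-default: enforce" only after lxc_load_profiles, the missing piece was the loading step and not the kernel, which matches the diagnosis in the reply.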