[lxc-users] Using Apparmor on Debian

Urs Riggenbach magahugu at gmail.com
Thu Sep 3 09:18:48 UTC 2015


Hi All,

I'm using LXC on Debian 8 and would like to use AppArmor to limit
the container's access.

The shipped AppArmor profiles are activated and enforced, and by default
the container should now be prohibited from starting subcontainers of its own.

For some reason this is not the case.
I have now set "lxc.aa_profile = lxc-container-default" in the container's
conf.

Output of # apparmor_status:
apparmor module is loaded.
48 profiles are loaded.
13 profiles are in enforce mode.
   /usr/bin/lxc-start
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/libvirt/virt-aa-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/libvirtd
   lxc-container-default
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
35 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/smbldap-useradd
   /usr/sbin/smbldap-useradd///etc/init.d/nscd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
70 processes have profiles defined.
68 processes are in enforce mode.
   /usr/bin/lxc-start (2543)
   /usr/bin/lxc-start (2591)

...etc

   /usr/bin/lxc-start (19742)
   /usr/sbin/cups-browsed (1337)
   /usr/sbin/cupsd (1483)
   /usr/sbin/libvirtd (1339)
2 processes are in complain mode.
   /usr/sbin/avahi-daemon (996)
   /usr/sbin/avahi-daemon (1076)
0 processes are unconfined but have a profile defined.

Best wishes,
Urs
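A small check script, added here as an example and not part of the original post, for the situation described above: it reads `apparmor_status` output to confirm which mode a named profile is in, and it reads a process's AppArmor label (the contents of `/proc/<pid>/attr/current`, which looks like `lxc-container-default (enforce)` or `unconfined`) to confirm that a running container's init is actually confined by the profile named in its config. The status text embedded in the script is a constructed sample modelled on the post; `check_container` assumes that `lxc-info -n NAME -p` prints a `PID:` line, which you should confirm against your LXC version.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that an LXC
# container is really confined by the AppArmor profile its config names.

# Constructed sample of apparmor_status output, modelled on the post.
SAMPLE_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/lxc-start
   lxc-container-default
1 profiles are in complain mode.
   /usr/sbin/dnsmasq
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/lxc-start (2543)
   /usr/bin/lxc-start (2591)
0 processes are unconfined but have a profile defined.'

# profile_mode PROFILE  (apparmor_status output on stdin)
# Prints enforce, complain or unknown depending on which section of the
# "profiles" part of the output lists PROFILE. The later "processes"
# sections are ignored so that "(pid)" suffixed lines never match.
profile_mode() {
    awk -v want="$1" '
        /profiles are in enforce mode/    { mode = "enforce";  next }
        /profiles are in complain mode/   { mode = "complain"; next }
        /processes have profiles defined/ { mode = "";         next }
        mode != "" && $1 == want          { print mode; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# label_profile LABEL -> profile name without the trailing " (mode)"
label_profile() {
    printf '%s\n' "$1" | sed 's/ (.*)$//'
}

# label_mode LABEL -> the mode inside the parentheses, or "none" for
# labels such as "unconfined" that carry no mode at all
label_mode() {
    case "$1" in
        *\(*\)) printf '%s\n' "$1" | sed 's/.*(\(.*\))$/\1/' ;;
        *)      echo none ;;
    esac
}

# check_container NAME EXPECTED_PROFILE
# Returns 0 when the container's init process carries EXPECTED_PROFILE in
# enforce mode, 1 otherwise. Assumes lxc-info -n NAME -p prints "PID: <n>".
check_container() {
    name=$1; want=$2
    pid=$(lxc-info -n "$name" -p | awk '/^PID:/ {print $2}')
    [ -n "$pid" ] || { echo "$name: not running"; return 1; }
    label=$(cat "/proc/$pid/attr/current")
    if [ "$(label_profile "$label")" = "$want" ] &&
       [ "$(label_mode "$label")" = enforce ]; then
        echo "$name: confined by $want (enforce)"
        return 0
    fi
    echo "$name: label is '$label', expected '$want (enforce)'"
    return 1
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | profile_mode lxc-container-default
```

On a live host, run `printf '%s\n' "$(apparmor_status)" | profile_mode lxc-container-default` and then `check_container NAME lxc-container-default`; if the label shows `unconfined` or a different profile although `lxc.aa_profile` is set, the restriction on nested containers cannot take effect, and the container config and the lxc-start profile are the places to look.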
