Hi,
(I noticed this parser failure on the LXC profiles thanks to the red
line in `systemctl list-units' output here. It's unclear to me which
bug report is actually the one about the shipped profiles being buggy.
Sorry if that's not the right one.)
John Goerzen wrote (02 Jun 2014 02:49:40 GMT) :
> I did note that to at least solve the bug where it breaks AppArmor
> systemwide,
As I noted on a similar comment of yours on the lightdm-guest-session
profile, that also relies on bleeding edge AppArmor features that are
not supported in Debian yet, I cannot reproduce the "breaks AppArmor
systemwide" part. It *does* make the `apparmor' service fail to start:
# systemctl status apparmor
apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor)
Active: failed (Result: exit-code) since Thu 2014-06-05 11:22:35 CEST; 1s
ago
Process: 930 ExecStart=/etc/init.d/apparmor start (code=exited, status=123)
... but in practice, it seems that all other, non-buggy profiles are
correctly loaded into the kernel, and applied to processes, so it's
not as bad as it looks like.
> you can comment out the three lines in every AppArmor file
> LXC delivers that lists dbus, signal, and ptrace (right after the
> comment saying to comment them out if the parser doesn't recognize
> them).
The attached patches fix the startup of the `apparmor' service, by
making the profiles shipped (and enabled by default) by the lxc
package compliant with the syntax supported by the AppArmor userspace
we currently ship in Debian.
I can't really tag this bug report "patch", given its super-broad
title, but please apply these patches to the lxc package in Debian.
They can be dropped once the AppArmor userspace is updated to support
these new features (#746764).
Disclaimer: I'm not using LXC myself (yet), so I did not test if
applying these patches result in an entirely working AppArmor support
in the lxc package. But at least, it removes one obvious stumbling
block. Also, I think that seeing a bit of progress on this front, and
making it clear that patches are welcome, may encourage interested
parties to further contribute to this support, hopefully :)
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
diff --git a/apparmor.d/abstractions/lxc/container-base b/apparmor.d/abstractions/lxc/container-base
index c109baa..f3a215f 100644
--- a/apparmor.d/abstractions/lxc/container-base
+++ b/apparmor.d/abstractions/lxc/container-base
@@ -5,9 +5,9 @@
# The following 3 entries are only supported by recent apparmor versions.
# Comment them if the apparmor parser doesn't recognize them.
- dbus,
- signal,
- ptrace,
+ #dbus,
+ #signal,
+ #ptrace,
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
diff --git a/apparmor.d/abstractions/lxc/start-container b/apparmor.d/abstractions/lxc/start-container
index e31f8f3..167e816 100644
--- a/apparmor.d/abstractions/lxc/start-container
+++ b/apparmor.d/abstractions/lxc/start-container
@@ -4,9 +4,9 @@
# The following 3 entries are only supported by recent apparmor versions.
# Comment them if the apparmor parser doesn't recognize them.
- dbus,
- signal,
- ptrace,
+ #dbus,
+ #signal,
+ #ptrace,
# currently blocked by apparmor bug
mount -> /usr/lib/*/lxc/{**,},
