On 02/20/2015 08:29 AM, Devon B. wrote:
> I'm trying to run AppArmor (2.9.1) against a custom upstream kernel
> (3.18.7) but I'm unable to get mount restrictions working.
>
> According to:
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Mount_rules_.28AppArmor_2.8_and_later.29,
> mount rules should work since 2.8 but I don't see any reference to
> kernel releases or options and the mount rules I have set in my profile
> don't appear to be working.
>
Correct, the AppArmor userspace since 2.8 supports mount restrictions, but the kernel must also have support enabled.

> When starting LXC containers, I receive the error:
> lxc-start: lsm/apparmor.c: apparmor_process_label_set: 169 If you really
> want to start this container, set
> lxc-start: lsm/apparmor.c: apparmor_process_label_set: 170
> lxc.aa_allow_incomplete = 1
> lxc-start: lsm/apparmor.c: apparmor_process_label_set: 171 in your
> container configuration file
>
> Which I traced back to showing that the upstream kernel doesn't support
> mount restrictions.
>
> Am I missing an option when configuring the kernel or are there any
> patches available for mount restrictions?
>
The patchset to support mount restrictions has not been submitted upstream yet. If you would like, I can point you at the patchset that is currently being used to add mount restrictions; however, it is very large.

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
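A small pre-flight check for the situation discussed in this thread, added here as an example and not code from either poster: it tells you whether the running kernel actually enforces mount rules, and whether an LXC config has `lxc.aa_allow_incomplete = 1`, in which case the profile's mount rules are accepted but never enforced. It assumes the kernel advertises its AppArmor features under `/sys/kernel/security/apparmor/features`, with `mount/mask` listing the mediated operations; that path is an assumption, not something taken from the thread.

```shell
#!/bin/sh
# Added example: detect whether AppArmor mount rules will be enforced on this host.
# Assumption (not from the thread): supported features are exported at
# /sys/kernel/security/apparmor/features, and mount/mask names "mount umount pivot_root".
AA_FEATURES=${AA_FEATURES:-/sys/kernel/security/apparmor/features}

# aa_mount_supported FEATURES_DIR -> returns 0 when the kernel mediates mount(2)
aa_mount_supported() {
    mask="$1/mount/mask"
    [ -r "$mask" ] || return 1
    # require the word "mount" itself; a plain substring match would also hit "umount"
    awk '{ for (i = 1; i <= NF; i++) if ($i == "mount") f = 1 } END { exit !f }' "$mask"
}

# lxc_allows_incomplete CONFIG -> returns 0 when lxc.aa_allow_incomplete = 1 is set,
# i.e. lxc-start will run the container even though its mount rules cannot be enforced
lxc_allows_incomplete() {
    grep -Eq '^[[:space:]]*lxc\.aa_allow_incomplete[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# report FEATURES_DIR CONFIG -> prints an assessment; returns 0 only if mount rules are enforced
report() {
    if aa_mount_supported "$1"; then
        echo "kernel enforces AppArmor mount rules"
        return 0
    fi
    if lxc_allows_incomplete "$2"; then
        echo "WARNING: no kernel mount mediation and lxc.aa_allow_incomplete = 1: profile mount rules are silently unenforced"
    else
        echo "no kernel mount mediation: lxc-start will refuse to start this container"
    fi
    return 1
}

# usage: ./aa-mount-check.sh /path/to/container/config
if [ -d "$AA_FEATURES" ] && [ -n "$1" ]; then
    report "$AA_FEATURES" "$1"
fi
```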