Hi,

> upstream said[0] that this is not a bug in lxc, but in apparmor or the
> kernel, thus reassigning to apparmor.
>
> [0] https://github.com/lxc/lxc/issues/235
There are two problems here:

1. According to John Goerzen's report upstream, lxc-start is confined, but apparently the container is not. That might be a bug in our apparmor package. John, may you please check if processes inside the container are confined (e.g. the shell from which you're writing to /proc/sys/fs/...)?

2. The container profiles (/etc/apparmor.d/lxc/lxc-default) shipped in the lxc package can't possibly work yet, as they all use mount rules, which are only available when using AppArmor 2.8.95 userspace, plus some out-of-tree kernel patches: that's why the Upstart job provided by upstream doesn't load these profiles unless /sys/kernel/security/apparmor/features/mount/mask exists.

IMO that's clearly a bug in the lxc package, to ship stuff that depends on a version of another package that's not in Debian yet (in Ubuntu, lxc depends on apparmor (>= 2.8.95~2430-0ubuntu4)), combined with out-of-tree kernel features that are not in Debian either.

*But*, from a "let's get better AppArmor support in Debian" strategic PoV, I'd rather *not* see the maintainer of lxc in Debian drop the AppArmor support altogether: having it in makes it easier to experiment and improve things, e.g. for anyone who would want to test 2.8.95 + the minimal amount of out-of-tree Linux patches needed for mount mediation, if e.g. they were going to try and get these patches in the kernel we ship in Jessie. So, I'd rather not bother Daniel about this.

Still, it would be great if the lxc Debian package did document these limitations. Given that Daniel is not interested in AppArmor, a bug report with a patch attached would seem to be the most sensible approach. Any takers?

Cheers,
--
intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
          | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
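As an added example (not part of intrigeri's message, nor code from the lxc or apparmor packages), a small POSIX shell script that performs the two checks discussed in the message: whether the kernel exposes the mount-mediation feature file that upstream's Upstart job tests for, and whether the current shell is confined by an AppArmor profile according to /proc/self/attr/current. The optional root-directory and attr-file parameters are assumptions added so the same checks can be exercised against a constructed fake tree.

```shell
#!/bin/sh
# Checks for the two conditions discussed in the bug thread:
#  1. is AppArmor mount-rule mediation available in this kernel?
#  2. is the process running this script actually confined?

# Returns 0 if the feature file the upstream Upstart job looks for exists.
# $1 (assumed parameter) is an optional root prefix, "" for the real system.
mount_mediation_available() {
    root="${1:-}"
    [ -e "$root/sys/kernel/security/apparmor/features/mount/mask" ]
}

# Prints the AppArmor label of a process, e.g. "unconfined" or
# "some-profile (enforce)". $1 (assumed parameter) is the attr file to read;
# it defaults to the calling shell's own /proc/self/attr/current.
current_confinement() {
    attr="${1:-/proc/self/attr/current}"
    if [ -r "$attr" ] && label=$(cat "$attr" 2>/dev/null); then
        echo "$label"
    else
        echo "unknown (AppArmor attr file not readable)"
    fi
}

# Returns 0 when the label names a profile, 1 when the process is
# unconfined or the label could not be read.
is_confined() {
    case "$(current_confinement "$@")" in
        unconfined|unknown*) return 1 ;;
        *) return 0 ;;
    esac
}

# Human-readable summary for the real system (the "container shell" check
# intrigeri asks John to run, plus the mount-feature check).
report() {
    if mount_mediation_available; then
        echo "mount mediation: available (profiles with mount rules can load)"
    else
        echo "mount mediation: missing (lxc-default profiles will not be loaded)"
    fi
    if is_confined; then
        echo "this shell: confined as '$(current_confinement)'"
    else
        echo "this shell: NOT confined ($(current_confinement))"
    fi
}

report
```

Run it from a shell inside the container to answer the confinement question, and on the host to see whether the mount-mediation feature is present.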