On Tue, 05 Aug 2014 13:53:58 +0200 Tom Weber <l_lxc-us...@mail2news.4t2.com> wrote:
> Hello,
>
> my setup:
> debian7
> lxc-1.0.4 from debian testing
> vanilla kernel.org kernel 3.14.14
>
> I'm new to lxc and apparmor, so this took me a couple of hours to
> figure:
> lxc-start won't assign an apparmor-profile to a container since its
> test for apparmor will always fail on my setup:
> in src/lxc/lsm/apparmor:
> the apparmor_enabled() tests for AA_MOUNT_RESTR
> (/sys/kernel/security/apparmor/features/mount/mask) first, which will
> never exist without that apparmor mount patch in the kernel.
>
> commenting out that test gives me apparmor functionality (except for
> that mount feature of course).
>
> Is that intentional or just an ancient relic?
> I'd prefer to have apparmor profile support without mount restrictions
> over no apparmor profile support at all. apparmor gives me warnings
> like:
>
> Warning from /etc/apparmor.d/lxc-containers
> (/etc/apparmor.d/lxc-containers line 8): profile
> lxc-container-default mount rules not enforced
>
> when starting up, which is what I expect and something I can deal with
> as admin. I think lxc-start should activate the requested profile
> anyway.
>
> Oh, and a little log message whether lxc-start detected apparmor or not
> and activates it would be _very_ helpful :)

lsm_init() INFO()s which lsm backend was detected, and
apparmor_process_label_set() INFO()s which profile it's setting, so you
should see those in the log if your --logpriority is set accordingly.

> related question: dropping sys_admin cap for the container should
> render all the mount protections from apparmor unnecessary, right?
>
> Regards,
> Tom
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
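The detection problem Tom describes is a fail-open: one missing optional feature file causes the whole profile to be skipped silently. The snippet below is an added example, not LXC's own code, that probes the same securityfs paths named in the thread but keeps the two decisions separate (is AppArmor present at all; does the kernel also enforce mount rules) and reports the result explicitly. It assumes securityfs is mounted at /sys/kernel/security; the root is a parameter so the logic can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not lxc's code): classify AppArmor support on this kernel.
# Prints one of: absent | enabled-nomount | enabled+mount
# Argument 1 (optional): securityfs root, default /sys/kernel/security
# (assumption: securityfs is mounted there; pass a test directory to simulate).
aa_state() {
    root="${1:-/sys/kernel/security}"
    aa="$root/apparmor"

    # The apparmor directory appears under securityfs only when the LSM is
    # active, so this is the check that decides whether a profile can be set.
    if [ ! -d "$aa" ]; then
        echo "absent"
        return 1
    fi

    # features/mount/mask exists only on kernels carrying the AppArmor mount
    # restriction patch. Its absence means mount rules are not enforced, which
    # should degrade confinement (and be logged), not disable it entirely.
    if [ -f "$aa/features/mount/mask" ]; then
        echo "enabled+mount"
    else
        echo "enabled-nomount"
    fi
    return 0
}

# Standalone usage: report the state of the real securityfs (or the path given).
printf 'AppArmor detection: %s\n' "$(aa_state "$@")"
```

Run without arguments on a host to see which of the three states the running kernel is in; "enabled-nomount" is exactly the configuration from the thread where the profile is still worth applying and the "mount rules not enforced" warning from apparmor_parser is expected.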