Isn't that "Not starting AppArmor in container" message just in: /lib/apparmor/apparmor.systemd -> /lib/apparmor/rc.apparmor.functions -> function is_container_with_internal_policy()
That looks unchanged (except a comment) but it behaves differently:

root@testguest-apparmor-good:~# . /usr/lib/apparmor/rc.apparmor.functions
root@testguest-apparmor-good:~# is_container_with_internal_policy
root@testguest-apparmor-good:~# echo $?
0

root@testguest-apparmor-bad:~# . /usr/lib/apparmor/rc.apparmor.functions
root@testguest-apparmor-bad:~# is_container_with_internal_policy
root@testguest-apparmor-bad:~# echo $?
1

Looking into what happens in detail ...

good:
+ SFS_MOUNTPOINT=/sys/kernel/security/apparmor
+ local ns_stacked_path=/sys/kernel/security/apparmor/.ns_stacked

bad:
+ SFS_MOUNTPOINT=/sys/kernel/security/
+ local ns_stacked_path=/sys/kernel/security//.ns_stacked

Once we know that we can see that it is missing in the bad case

good:
root@testguest-apparmor-good:~# grep MODULE /usr/lib/apparmor/rc.apparmor.functions
MODULE=apparmor
SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}"
if [ -f "${SECURITYFS}/${MODULE}/profiles" ]; then
SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}"
MODULE=apparmor
/sbin/modprobe -qr $MODULE

bad:
root@testguest-apparmor-bad:~# grep MODULE /usr/lib/apparmor/rc.apparmor.functions
SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}"

So whatever took away the modprobe from /usr/lib/apparmor/rc.apparmor.functions also removed the variable, but that has broken function is_container_with_internal_policy

-- 
https://bugs.launchpad.net/bugs/1895967

Title:
  Apparmor 3.0.0 does not load profiles in containers anymore
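
The failure mode traced in the message above, reproduced as an added example (not part of the original message and not AppArmor's own code): a simplified stand-in for the SFS_MOUNTPOINT derivation and .ns_stacked lookup, run against a constructed directory tree, next to a guarded variant that rejects an empty module name. The function names and the temporary tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: simplified stand-in, not AppArmor's rc.apparmor.functions.

# Build a constructed securityfs-like tree in a temp dir (sample data only).
make_fake_securityfs() {
    root=$(mktemp -d)
    mkdir -p "$root/apparmor"
    echo yes > "$root/apparmor/.ns_stacked"
    printf '%s\n' "$root"
}

# Hypothetical helper mirroring the two traced assignments.
# $1 = securityfs root, $2 = module name (the value MODULE used to carry).
stacked_ns_visible() {
    sfs_mountpoint="$1/$2"
    ns_stacked_path="$sfs_mountpoint/.ns_stacked"
    # With an empty module name this becomes "<root>//.ns_stacked",
    # which does not exist, so the check fails without any error message.
    [ -f "$ns_stacked_path" ] || return 1
    read -r ns_stacked < "$ns_stacked_path"
    [ "$ns_stacked" = "yes" ]
}

# Guarded variant: ${2:?} aborts the subshell with a diagnostic when the
# module name is unset or empty, instead of probing the wrong path.
stacked_ns_visible_strict() (
    module=${2:?module name is empty}
    stacked_ns_visible "$1" "$module"
)

# Run the good case, the bad case and the guarded bad case.
demo() {
    root=$(make_fake_securityfs)
    stacked_ns_visible "$root" "apparmor" && good=0 || good=$?
    stacked_ns_visible "$root" "" && bad=0 || bad=$?
    if stacked_ns_visible_strict "$root" "" 2>/dev/null; then
        strict=accepted
    else
        strict=rejected
    fi
    rm -rf "$root"
    echo "good=$good bad=$bad strict=$strict"
}

demo
```

The unguarded helper returns 1 for the empty module name exactly as it would for a host that has no stacked namespace, which is why the regression showed up only as profiles not loading.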