<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear maintainers,</p>
<p>While AppArmor works fine inside a Debian 9 container (vm01)
running on an Ubuntu 18.04 LXD 3.0.3 host, on a Debian 10
container (vm05) the init script /etc/init.d/apparmor refuses to
load any AppArmor profiles ("<tt>apparmor.systemd[46]: Not
starting AppArmor in container</tt>").</p>
<p><b><u>Debian 10 container (vm05) running under LXD 3.0.3 on an
Ubuntu 18.04 host:</u></b></p>
<p><tt>root@vm05:~# cat /etc/debian_version<br>
10.4<br>
root@vm05:~# dpkg -l|fgrep apparm<br>
ii apparmor 2.13.2-10 amd64 user-space parser utility for AppArmor<br>
ii apparmor-profiles 2.13.2-10 all experimental profiles for AppArmor security policies<br>
ii libapparmor1:amd64 2.13.2-10 amd64 changehat AppArmor library<br>
root@vm05:~# apparmor_status<br>
apparmor module is loaded.<br>
0 profiles are loaded.<br>
0 profiles are in enforce mode.<br>
0 profiles are in complain mode.<br>
0 processes have profiles defined.<br>
0 processes are in enforce mode.<br>
0 processes are in complain mode.<br>
0 processes are unconfined but have a profile defined.<br>
root@vm05:~# systemd-detect-virt --container<br>
lxc<br>
root@vm05:~#</tt></p>
<p><tt>root@vm05:~# systemctl status apparmor.service<br>
● apparmor.service - Load AppArmor profiles<br>
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)<br>
Active: active (exited) since Thu 2020-07-16 04:36:14 EEST; 1 day 16h ago<br>
Docs: man:apparmor(7)<br>
<a class="moz-txt-link-freetext" href="https://gitlab.com/apparmor/apparmor/wikis/home/">https://gitlab.com/apparmor/apparmor/wikis/home/</a><br>
Main PID: 46 (code=exited, status=0/SUCCESS)<br>
Tasks: 0 (limit: 4915)<br>
Memory: 0B<br>
CGroup: /system.slice/apparmor.service<br>
<br>
Jul 16 04:36:14 vm05.mydomain.tld systemd[1]: Starting Load AppArmor profiles...<br>
Jul 16 04:36:14 vm05.mydomain.tld apparmor.systemd[46]: Not starting AppArmor in container<br>
Jul 16 04:36:14 vm05.mydomain.tld systemd[1]: Started Load AppArmor profiles.<br>
root@vm05:~#</tt></p>
<p><b><u>Debian 9 container (vm01) running under LXD 3.0.3 on an
Ubuntu 18.04 host:</u></b></p>
<p><tt>root@vm01:~# cat /etc/debian_version<br>
9.12<br>
root@vm01:~# dpkg -l|fgrep apparm<br>
ii apparmor 2.11.0-3+deb9u2 amd64 user-space parser utility for AppArmor<br>
ii apparmor-profiles 2.11.0-3+deb9u2 all profiles for AppArmor Security policies<br>
ii libapparmor-perl 2.11.0-3+deb9u2 amd64 AppArmor library Perl bindings<br>
ii libapparmor1:amd64 2.11.0-3+deb9u2 amd64 changehat AppArmor library<br>
root@vm01:~# apparmor_status<br>
apparmor module is loaded.<br>
35 profiles are loaded.<br>
2 profiles are in enforce mode.<br>
 /usr/bin/freshclam<br>
 /usr/sbin/named<br>
33 profiles are in complain mode.<br>
 /usr/lib/dovecot/anvil<br>
 /usr/lib/dovecot/auth<br>
 /usr/lib/dovecot/config<br>
 /usr/lib/dovecot/deliver<br>
 /usr/lib/dovecot/dict<br>
 /usr/lib/dovecot/dovecot-auth<br>
 /usr/lib/dovecot/dovecot-lda<br>
 /usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail<br>
 /usr/lib/dovecot/imap<br>
 /usr/lib/dovecot/imap-login<br>
 /usr/lib/dovecot/lmtp<br>
 /usr/lib/dovecot/log<br>
 /usr/lib/dovecot/managesieve<br>
 /usr/lib/dovecot/managesieve-login<br>
 /usr/lib/dovecot/pop3<br>
 /usr/lib/dovecot/pop3-login<br>
 /usr/lib/dovecot/ssl-params<br>
 /usr/sbin/avahi-daemon<br>
 /usr/sbin/dnsmasq<br>
 /usr/sbin/dnsmasq//libvirt_leaseshelper<br>
 /usr/sbin/dovecot<br>
 /usr/sbin/identd<br>
 /usr/sbin/mdnsd<br>
 /usr/sbin/nmbd<br>
 /usr/sbin/nscd<br>
 /usr/sbin/smbd<br>
 /usr/sbin/smbldap-useradd<br>
 /usr/sbin/smbldap-useradd///etc/init.d/nscd<br>
 /usr/{sbin/traceroute,bin/traceroute.db}<br>
 klogd<br>
 ping<br>
 syslog-ng<br>
 syslogd<br>
5 processes have profiles defined.<br>
1 processes are in enforce mode.<br>
 /usr/bin/freshclam (314)<br>
4 processes are in complain mode.<br>
 /usr/lib/dovecot/anvil (370)<br>
 /usr/lib/dovecot/config (373)<br>
 /usr/lib/dovecot/log (371)<br>
 /usr/sbin/dovecot (368)<br>
0 processes are unconfined but have a profile defined.<br>
root@vm01:~#<br>
root@vm01:~# systemd-detect-virt --container<br>
lxc<br>
root@vm01:~#</tt></p>
<p>Thank you in advance for looking into it,</p>
<p>KP</p>
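<p>The state reported above for vm05 is easy to miss from the outside: <tt>systemctl status apparmor</tt> is green and the kernel module is loaded, yet zero profiles are loaded, so every process in the container runs unconfined. The following health check is an added example written for this editorial pass; it is not part of the original report or of the apparmor package. It parses <tt>apparmor_status</tt> output piped to it on stdin and returns a distinct exit status for "module loaded but no policy applied" so a monitoring job can alert on it. The two sample inputs are constructed from the vm01 and vm05 transcripts in the report; the function names <tt>aa_counts</tt> and <tt>aa_verdict</tt> are this example's own.</p>

```shell
#!/bin/sh
# Added example (not from the original bug report or the apparmor project):
# a health check that detects the vm05 condition, where the AppArmor kernel
# module is loaded but no profiles are loaded, i.e. policy is silently absent.

# aa_counts: read `apparmor_status` output on stdin and print
# "<loaded> <enforce> <complain>" on one line, or "-" if the module is not
# loaded at all. Only the "profiles are ..." summary lines are matched, so the
# "processes are ..." lines and the per-profile path lines are ignored.
aa_counts() {
    awk '
        /^apparmor module is loaded/       { mod = 1 }
        /profiles are loaded\./            { loaded = $1 }
        /profiles are in enforce mode\./   { enf = $1 }
        /profiles are in complain mode\./  { comp = $1 }
        END {
            if (!mod) { print "-"; exit }
            printf "%d %d %d\n", loaded, enf, comp
        }'
}

# aa_verdict: print a one-line verdict and return
#   0 when at least one profile is loaded (policy is being applied),
#   1 when the module is loaded but no profile is (the vm05 case),
#   2 when the module is not loaded.
aa_verdict() {
    counts=$(aa_counts)
    if [ "$counts" = "-" ]; then
        echo "FAIL: apparmor module not loaded"
        return 2
    fi
    set -- $counts
    if [ "$1" -eq 0 ]; then
        echo "FAIL: apparmor module loaded but 0 profiles loaded (no policy applied)"
        return 1
    fi
    echo "OK: $1 profiles loaded ($2 enforce, $3 complain)"
    return 0
}

# Constructed sample inputs, taken from the two containers in the report.
VM05_STATUS='apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.'

VM01_STATUS='apparmor module is loaded.
35 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/freshclam
   /usr/sbin/named
33 profiles are in complain mode.
   /usr/sbin/dovecot
5 processes have profiles defined.
1 processes are in enforce mode.
   /usr/bin/freshclam (314)'

# Demonstration on the constructed samples; on a live system run
#   apparmor_status | aa_verdict
# and act on the exit status.
printf '%s\n' "$VM01_STATUS" | aa_verdict
printf '%s\n' "$VM05_STATUS" | aa_verdict || true
```

<p>The check deliberately keys on the profile counts rather than on the service's exit status, because on vm05 the service exited 0 after doing nothing; for a container that is expected to carry its own policy, exit status 1 from <tt>aa_verdict</tt> is the signal to investigate the "Not starting AppArmor in container" message in the journal.</p>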
</body>
</html>