[pkg-apparmor] Bug#880502: lxc: cannot start container with kernel 4.13.10

Evgeni Golov evgeni at debian.org
Thu Nov 2 19:09:21 UTC 2017


Hi,

On Thu, Nov 02, 2017 at 07:09:10PM +0100, Christian Boltz wrote:
> seeing the AppArmor denials would be helpful to get this fixed ;-)

I think the issue is different.

Looking at the LXC log, we see the following:
lxc-start 20171102130036.516 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:234 - No such file or directory - failed to change apparmor profile to lxc-container-default-cgns

And indeed, we see no profiles:
# aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

I think the issue is that when LXC is installed *before* AppArmor is
enabled, the postinst snippet generated by dh_apparmor [1] is not
registering any profiles. And now that AppArmor is enabled, the profile
is missing and cannot be applied.

This is just a theory; I did not have time to actually reproduce and try
it.

Evgeni

[1]
# Automatically added by dh_apparmor/2.11.1-2
aa_is_enabled() {
   if command aa-enabled >/dev/null 2>&1; then
      # apparmor >= 2.10.95-2
      aa-enabled --quiet 2>/dev/null
   else
      # apparmor << 2.10.95-2
      # (This should be removed once Debian Stretch and Ubuntu 18.04 are out.)
      rc=0
      aa-status --enabled 2>/dev/null || rc=$?
      [ "$rc" = 0 ] || [ "$rc" = 2 ]
   fi
}

if [ "$1" = "configure" ]; then
    APP_PROFILE="/etc/apparmor.d/usr.bin.lxc-start"
    if [ -f "$APP_PROFILE" ]; then
        # Add the local/ include
        LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.bin.lxc-start"

        test -e "$LOCAL_APP_PROFILE" || {
            tmp=`mktemp`
        cat <<EOM > "$tmp"
# Site-specific additions and overrides for usr.bin.lxc-start.
# For more details, please see /etc/apparmor.d/local/README.
EOM
            mkdir `dirname "$LOCAL_APP_PROFILE"` 2>/dev/null || true
            mv -f "$tmp" "$LOCAL_APP_PROFILE"
            chmod 644 "$LOCAL_APP_PROFILE"
        }

        # Reload the profile, including any abstraction updates
        if aa_is_enabled; then
            apparmor_parser -r -T -W "$APP_PROFILE" || true
        fi
    fi
fi
# End automatically added section
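A check for the state described above, added here as an example (it is not from the mail or from dh_apparmor): it lists the profiles shipped under /etc/apparmor.d that the kernel has not loaded, and can load them with the same apparmor_parser call the postinst uses. It assumes the "<name> (<mode>)" per-line format of /sys/kernel/security/apparmor/profiles and profile names without whitespace.

```shell
#!/bin/sh
# Added example (not from the mail or from dh_apparmor): find profiles that exist
# on disk but were never loaded into the kernel, the state the mail describes.
# Assumes the kernel's listing format "<name> (<mode>)" per line, as in
# /sys/kernel/security/apparmor/profiles, and profile names without whitespace.

# $1: loaded-profile listing text; $2: expected profile names (whitespace separated).
# Prints the expected names that are not loaded, space separated, on one line.
missing_profiles() {
    loaded=$(printf '%s\n' "$1" | sed 's/ ([a-z]*)$//')
    out=""
    for want in $2; do
        if ! printf '%s\n' "$loaded" | grep -qxF -- "$want"; then
            out="${out:+$out }$want"
        fi
    done
    printf '%s\n' "$out"
}

# Live check: for every file under /etc/apparmor.d, ask apparmor_parser -N which
# profile names it defines and report those missing from the kernel. With
# "$1" = reload, load them with the same call the dh_apparmor snippet uses.
report_unloaded_live() {
    listing=/sys/kernel/security/apparmor/profiles
    [ -r "$listing" ] || { echo "AppArmor is not enabled (no $listing)" >&2; return 2; }
    loaded=$(cat "$listing")
    for f in /etc/apparmor.d/*; do
        [ -f "$f" ] || continue
        names=$(apparmor_parser -N "$f" 2>/dev/null) || continue
        m=$(missing_profiles "$loaded" "$names")
        if [ -n "$m" ]; then
            printf '%s: not loaded: %s\n' "$f" "$m"
            if [ "$1" = reload ]; then
                apparmor_parser -r -T -W "$f" || echo "failed to load $f" >&2
            fi
        fi
    done
}

# Constructed sample: only two unrelated profiles are loaded, so both LXC
# profiles (including the one named in the error message) show up as missing.
SAMPLE_LOADED='/usr/sbin/tcpdump (enforce)
/usr/bin/man (complain)'
SAMPLE_EXPECTED="lxc-container-default lxc-container-default-cgns /usr/sbin/tcpdump"
missing_profiles "$SAMPLE_LOADED" "$SAMPLE_EXPECTED"
# → lxc-container-default lxc-container-default-cgns
```

Run `report_unloaded_live` as root on an affected host to see whether the LXC profiles are the ones missing, and `report_unloaded_live reload` to load them.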
