[pkg-apparmor] Fwd: Bug#898025: lxc: apparmor="DENIED" operation="mount" info="failed flags match" error=-13

intrigeri intrigeri at debian.org
Sun Jun 17 18:52:38 BST 2018


Control: tag -1 + upstream

Hi,

johnw:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898025

> Over the years, if I enable AppArmor for lxc (lxc.aa_profile = lxc-container-default),
> I see a lot of "apparmor denied" messages like the ones below,
> but lxc itself runs and is functional without a problem.
> Why does apparmor always complain about lxc? (Is this normal?)

First of all, disclaimer: I know extremely little about LXC and the
way it uses AppArmor confinement.

> apparmor="DENIED" operation="mount" info="failed type match"
> error=-13 profile="lxc-container-default" name="/sys/fs/pstore/"
> pid=2676 comm="mount" fstype="pstore" srcname="pstore"

FWIW I've looked at recent Ubuntu packages (2.0.8-0ubuntu1~16.04.1 and
3.0.1-0ubuntu1) and none of them have AppArmor rules for
/sys/fs/pstore.

It looks like an upstream bug to me because both Ubuntu and Debian have:
config/templates/ubuntu.common.conf.in:lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
… so it seems expected that the container will mount /sys/fs/pstore
and then a rule is missing.

> apparmor="DENIED" operation="mount" info="failed flags match"
> error=-13 profile="lxc-container-default" name="/" pid=2763
> comm="mount" flags="rw, remount"

I guess the "remount" flag is the problem. I guess it depends on what
LXC template you're using.

Cheers,
-- 
intrigeri
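To triage denials like the two quoted above, the key="value" audit fields can be split apart and the failing rule component read off the "info" field. The following is an added example, not code from the bug report or from the lxc or AppArmor projects; the sample lines are reassembled from the wrapped text in the report, and the draft rule strings it produces are an assumption about AppArmor mount-rule syntax, meant as a starting point for review against the template's lxc.mount.entry lines, not something to apply blindly.

```python
import re
from typing import Dict, Optional, Tuple

# The two denials quoted in the report, re-joined onto single lines
# (constructed; the audit timestamp prefix is not on the page).
SAMPLE_DENIALS = [
    'apparmor="DENIED" operation="mount" info="failed type match" error=-13 '
    'profile="lxc-container-default" name="/sys/fs/pstore/" pid=2676 '
    'comm="mount" fstype="pstore" srcname="pstore"',
    'apparmor="DENIED" operation="mount" info="failed flags match" error=-13 '
    'profile="lxc-container-default" name="/" pid=2763 comm="mount" '
    'flags="rw, remount"',
]

# key="quoted value" or key=bare_value tokens of the AppArmor audit format
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line: str) -> Dict[str, str]:
    """Split one AppArmor audit line into a {field: value} dict."""
    fields = {}
    for m in _TOKEN.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def triage_mount_denial(fields: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Name the mount-rule component that failed to match and build a draft
    rule for a human to review (draft syntax is an assumption, see lead-in).
    'failed type match' means no rule accepts this fstype at the target path;
    'failed flags match' means no rule accepts these mount flags there."""
    if fields.get("operation") != "mount" or fields.get("apparmor") != "DENIED":
        return ("not-a-mount-denial", None)
    info = fields.get("info", "")
    dest = fields.get("name", "")
    if info == "failed type match" and "fstype" in fields:
        return ("fstype", f'mount fstype={fields["fstype"]} -> {dest},')
    if info == "failed flags match" and "flags" in fields:
        opts = fields["flags"].replace(" ", "")
        return ("options", f"mount options=({opts}) -> {dest},")
    return ("other", None)


if __name__ == "__main__":
    for line in SAMPLE_DENIALS:
        f = parse_denial(line)
        print(f["profile"], f["name"], triage_mount_denial(f))
```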