[pkg-apparmor] AppArmor regression between Debian 9 and 10 when running inside LXC/LXD container

intrigeri intrigeri at debian.org
Tue Aug 18 09:54:35 BST 2020


Hi Kostas,

Kostas Papadopoulos (2020-07-17):
> While AppArmor works fine inside a Debian 9 container (vm01) running 
> on an Ubuntu 18.04 LXD 3.0.3 host, on a Debian 10 container (vm05) the 
> init script /etc/init.d/apparmor refuses to load any AppArmor profiles 
> ("apparmor.systemd[46]: Not starting AppArmor in container")

> *_Debian10 container (vm05) running under LXD 3.0.3 on an Ubuntu 18.04 
> host:_*
> [...]
> root at vm05:~# systemd-detect-virt --container
> lxc

So, I understand this means that is_container_with_internal_policy()
has exited with a non-zero return code.

To dive deeper, I'll need some help from you:

1. Please try applying the attached patch to
   /lib/apparmor/rc.apparmor.functions inside your Debian 10 container
   (we apply it on testing/sid already).

   If it fixes the problem for you, we can stop here,
   and I'll try to get this bugfix into Debian 10.6.

2. Please add "set -x" on top of /lib/apparmor/rc.apparmor.functions,
   and share the output from the Journal, so we can understand
   more clearly what happens.

3. Check the AppArmor configuration of your Debian 10 container.

   On Debian 10 LXC hosts we use:

     lxc.apparmor.profile = generated
     lxc.apparmor.allow_nesting = 1

   … which makes AppArmor work inside LXC containers.

Elsewhere you pointed me to
https://discuss.linuxcontainers.org/t/problems-with-apparmor-in-a-debian-10-container-running-on-a-ubuntu-18-04-host-with-lxd-3-0-3/8446/7

I confirm we do have tweaks to our "init scripts to properly trigger
inside a container that uses apparmor namespacing". It would be nice
to compare with those used in Ubuntu. I can't trivially do this
since recent Ubuntu packaging for AppArmor was not pushed to our
shared Vcs-Git, and the recent merges from Debian were done via
synthetic commits that bypass Git merging logic, so the two branches now
have disjoint histories :/


-------------- next part --------------
A non-text attachment was scrubbed...
Name: lp1824812.patch
Type: text/x-diff
Size: 1016 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20200818/5d23b032/attachment.patch>
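The message above attributes the "Not starting AppArmor in container" decision to is_container_with_internal_policy() returning non-zero. The following is an added illustration, not code from the Debian package or from the attached patch: a stand-alone POSIX sh re-implementation of the kind of check such a function performs, so the conditions can be exercised offline. It assumes (an assumption, not something stated in the thread) that the decision rests on two securityfs files under the AppArmor mount point, `.ns_stacked` (expected to read "yes" when the container has its own policy namespace) and `.ns_name` (the namespace name, expected to start with "lxc-" or "lxd-" when a container manager set it up). The mount-point directory is a parameter so the check can be run against a constructed tree; `simulate` and its sample values are constructed for this example.

```shell
#!/bin/sh
# Added example (not the Debian package's code): a simplified check of the
# kind is_container_with_internal_policy() performs, driven by two files
# assumed (assumption) to live under the AppArmor securityfs mount point:
#   $sfs/.ns_stacked  -> "yes" if this container runs in its own policy namespace
#   $sfs/.ns_name     -> the namespace name, e.g. "lxd-..." or "lxc-..."
# Returns 0 when the container may load its own profiles, 1 otherwise.
apparmor_ns_check() {
    sfs="$1"                      # normally /sys/kernel/security/apparmor
    # Both files must exist; an older kernel or a non-namespaced container has neither.
    [ -f "$sfs/.ns_stacked" ] && [ -f "$sfs/.ns_name" ] || return 1
    read -r ns_stacked < "$sfs/.ns_stacked"
    [ "$ns_stacked" = "yes" ] || return 1
    read -r ns_name < "$sfs/.ns_name"
    case "$ns_name" in
        lxc-*|lxd-*) return 0 ;;  # a container manager set up the namespace
        *)           return 1 ;;  # anything else: do not load policy here
    esac
}

# Build a constructed securityfs-like tree and run the check on it.
# Usage: simulate LABEL STACKED_VALUE NS_NAME_VALUE   (empty value = file absent)
# Prints the outcome and returns the check's exit status.
simulate() {
    label="$1"
    dir=$(mktemp -d)
    [ -n "$2" ] && printf '%s\n' "$2" > "$dir/.ns_stacked"
    [ -n "$3" ] && printf '%s\n' "$3" > "$dir/.ns_name"
    if apparmor_ns_check "$dir"; then
        rc=0; echo "$label: loading AppArmor profiles"
    else
        rc=1; echo "$label: Not starting AppArmor in container"
    fi
    rm -rf "$dir"
    return $rc
}

# Constructed scenarios (run when executed directly):
simulate "nested LXD container"    yes "lxd-vm05" || true
simulate "nesting not allowed"     no  "lxd-vm05" || true
simulate "unknown container manager" yes "other-ns" || true
simulate "no namespace files"      ""  ""         || true
```

Running the four scenarios shows that only the first one lets the container load its own policy; the second is what one would expect without `lxc.apparmor.allow_nesting = 1` on the host, and the last two mirror the "Not starting AppArmor in container" path. Whether the Debian 10 function behaves exactly like this is precisely what the `set -x` trace requested in step 2 would establish.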


More information about the pkg-apparmor-team mailing list