[pkg-apparmor] AppArmor regression between Debian 9 and 10 when running inside LXC/LXD container
Kostas Papadopoulos
kpapad-bugs at travelguide.gr
Thu Aug 20 02:06:54 BST 2020
On 18/8/20 11:54 a.m., intrigeri wrote:
> Hi Kostas,
>
> Kostas Papadopoulos (2020-07-17):
>> While AppArmor works fine inside a Debian 9 container (vm01) running
>> on an Ubuntu 18.04 LXD 3.0.3 host, on a Debian 10 container (vm05) the
>> init script /etc/init.d/apparmor refuses to load any AppArmor profiles
>> ("apparmor.systemd[46]: Not starting AppArmor in container")
>> Debian 10 container (vm05) running under LXD 3.0.3 on an Ubuntu 18.04
>> host:
>> [...]
>> root at vm05:~# systemd-detect-virt --container
>> lxc
> So, I understand this means that is_container_with_internal_policy()
> has exited with a non-zero return code.
>
> To dive deeper, I'll need some help from you:
>
> 1. Please try applying the attached patch to
> /lib/apparmor/rc.apparmor.functions inside your Debian 10 container
> (we apply it on testing/sid already).
>
> If it fixes the problem for you, we can stop here,
> and I'll try to get this bugfix into Debian 10.6.
Hi,
Indeed, after applying the patch and rebooting, the Debian 10.5 CT (vm05)
loaded the AppArmor profiles. However, two of the services (Bind9 and
ClamAV) failed:
root at vm05:~# shutdown -r now
$ lxc exec vm05 sudo -- --user root --login
root at vm05:~# apparmor_status
apparmor module is loaded.
20 profiles are loaded.
5 profiles are in enforce mode.
/usr/bin/freshclam
/usr/sbin/clamd
/usr/sbin/named
nvidia_modprobe
nvidia_modprobe//kmod
15 profiles are in complain mode.
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
avahi-daemon
identd
klogd
mdnsd
nmbd
nscd
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/bin/freshclam (617)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
root at vm05:~# cat /etc/debian_version
10.5
root at vm05:~#
root at vm05:~# systemctl status apparmor.service
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Thu 2020-08-20 03:30:10 EEST; 4min 40s ago
     Docs: man:apparmor(7)
           https://gitlab.com/apparmor/apparmor/wikis/home/
  Process: 47 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
 Main PID: 47 (code=exited, status=0/SUCCESS)

Aug 20 03:30:09 vm05.mydomain.tld systemd[1]: Starting Load AppArmor profiles...
Aug 20 03:30:10 vm05.mydomain.tld apparmor.systemd[47]: Restarting AppArmor
Aug 20 03:30:10 vm05.mydomain.tld apparmor.systemd[47]: Reloading AppArmor profiles
Aug 20 03:30:10 vm05.mydomain.tld systemd[1]: Started Load AppArmor profiles.
root at vm05:~#
root at vm05:~# systemctl list-units --state=failed
  UNIT                          LOAD   ACTIVE SUB    DESCRIPTION
● sys-kernel-config.mount       loaded failed failed Kernel Configuration File System
● bind9.service                 loaded failed failed BIND Domain Name Server
● clamav-daemon.service         loaded failed failed Clam AntiVirus userspace daemon
● systemd-journald-audit.socket loaded failed failed Journal Audit Socket

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

4 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
root at vm05:~#
root at vm05:~# dpkg -l|fgrep apparm
ii  apparmor           2.13.2-10 amd64 user-space parser utility for AppArmor
ii  apparmor-profiles  2.13.2-10 all   experimental profiles for AppArmor security policies
ii  libapparmor1:amd64 2.13.2-10 amd64 changehat AppArmor library
root at vm05:~#
So I will still have to troubleshoot why the Bind9 and ClamAV services
won't start now, after successfully loading the default Debian 10
AppArmor profiles (note: the other two services, kernel-config and
journald-audit, don't load inside any LXC CT).
>
> 2. Please add "set -x" on top of /lib/apparmor/rc.apparmor.functions,
> and share the output in the Journal, so we can understand
> more clearly what happens.
>
> 3. Check the AppArmor configuration of your Debian 10 container.
>
> On Debian 10 LXC hosts we use:
>
> lxc.apparmor.profile = generated
> lxc.apparmor.allow_nesting = 1
>
> … which makes AppArmor work inside LXC containers.
According to stgraber (one of the developers of LXD/LXC), "nesting" is
not required for AppArmor to work under LXD (see his post in the
discussion at the URL below).
>
> Elsewhere you pointed me to
> https://discuss.linuxcontainers.org/t/problems-with-apparmor-in-a-debian-10-container-running-on-a-ubuntu-18-04-host-with-lxd-3-0-3/8446/7
>
> I confirm we do have tweaks to our "init scripts to properly trigger
> inside a container that uses apparmor namespacing". It would be nice
> to compare with those used in Ubuntu. I can't trivially do this
> since recent Ubuntu packaging for AppArmor was not pushed to our
> shared Vcs-Git, and the recent merges from Debian were done via
> synthetic commits that bypass Git merging logic, so the 2 branches now
> have disjunct histories :/
>
>
Thank you,
KP.
PS: Below is the dmesg | fgrep apparmor output:
[48319088.301156] audit: type=1400 audit(1597883408.556:98325):
apparmor="STATUS" operation="profile_remove" profile="unconfined"
name="lxd-vm05_</var/lib/lxd>" pid=5196 comm="apparmor_parser"
[48319088.811358] audit: type=1400 audit(1597883409.064:98326):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="lxd-vm05_</var/lib/lxd>" pid=5253 comm="apparmor_parser"
[48319089.876741] audit: type=1400 audit(1597883410.132:98327):
apparmor="STATUS" operation="profile_load"
label="lxd-vm05_</var/lib/lxd>//&:lxd-vm05_<var-lib-lxd>:unconfined"
name="klogd" pid=5497 comm="apparmor_parser"
[48319089.915252] audit: type=1400 audit(1597883410.168:98328):
apparmor="STATUS" operation="profile_load"
label="lxd-vm05_</var/lib/lxd>//&:lxd-vm05_<var-lib-lxd>:unconfined"
name="mdnsd" pid=5505 comm="apparmor_parser"
[48319089.915437] audit: type=1400 audit(1597883410.168:98329):
apparmor="STATUS" operation="profile_load"
label="lxd-vm05_</var/lib/lxd>//&:lxd-vm05_<var-lib-lxd>:unconfined"
name="traceroute" pid=5501 comm="apparmor_parser"
[48319089.915510] audit: type=1400 audit(1597883410.168:98330):
apparmor="STATUS" operation="profile_load"
label="lxd-vm05_</var/lib/lxd>//&:lxd-vm05_<var-lib-lxd>:unconfined"
name="nscd" pid=5502 comm="apparmor_parser"
[48319089.916409] audit: type=1400 audit(1597883410.172:98331):
apparmor="STATUS" operation="profile_load"
label="lxd-vm05_</var/lib/lxd>//&:lxd-vm05_<var-lib-lxd>:unconfined"
name="nmbd" pid=5499 comm="apparmor_parser"
[48319089.916476] audit: type=1400 audit(1597883410.172:98332):
apparmor="STATUS" operation="profile_load"
label="lxd-vm05_</var/lib/lxd>//&:lxd-vm05_<var-lib-lxd>:unconfined"
name="/usr/sbin/clamd" pid=5498 comm="apparmor_parser"
[48319089.916519] audit: type=1400 audit(1597883410.172:98333):
apparmor="STATUS" operation="profile_load"
label="lxd-vm05_</var/lib/lxd>//&:lxd-vm05_<var-lib-lxd>:unconfined"
name="syslog-ng" pid=5503 comm="apparmor_parser"
[48319089.916860] audit: type=1400 audit(1597883410.172:98334):
apparmor="STATUS" operation="profile_load"
label="lxd-vm05_</var/lib/lxd>//&:lxd-vm05_<var-lib-lxd>:unconfined"
name="/usr/sbin/dnsmasq" pid=5496 comm="apparmor_parser"
[48319096.188571] audit: type=1400 audit(1597883416.444:98352):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
pid=6620 comm="named" family="unix" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319096.217771] audit: type=1400 audit(1597883416.472:98353):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
pid=6620 comm="named" family="unix" sock_type="stream" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319096.217775] audit: type=1400 audit(1597883416.472:98354):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
pid=6620 comm="named" family="unix" sock_type="stream" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319096.218071] audit: type=1400 audit(1597883416.472:98355):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
pid=6620 comm="named" family="unix" sock_type="stream" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319096.218074] audit: type=1400 audit(1597883416.472:98356):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
pid=6620 comm="named" family="unix" sock_type="stream" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319096.218579] audit: type=1400 audit(1597883416.472:98357):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
pid=6620 comm="named" family="unix" sock_type="stream" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319096.224650] audit: type=1400 audit(1597883416.480:98358):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
pid=6699 comm="named" family="unix" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319096.224662] audit: type=1400 audit(1597883416.480:98359):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
pid=6699 comm="named" family="unix" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319096.224669] audit: type=1400 audit(1597883416.480:98360):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
pid=6699 comm="named" family="unix" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319096.224687] audit: type=1400 audit(1597883416.480:98361):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
pid=6699 comm="named" family="unix" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319101.480354] audit: type=1400 audit(1597883421.736:98396):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319101.480358] audit: type=1400 audit(1597883421.736:98397):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319106.484101] audit: type=1400 audit(1597883426.736:98398):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319106.484105] audit: type=1400 audit(1597883426.736:98399):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319111.488376] audit: type=1400 audit(1597883431.744:98400):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319111.488380] audit: type=1400 audit(1597883431.744:98401):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319112.643597] audit: type=1400 audit(1597883432.896:98402):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/clamd"
pid=5646 comm="clamd" family="unix" sock_type="stream" protocol=0
requested_mask="create" denied_mask="create" addr=none
[48319116.492029] audit: type=1400 audit(1597883436.744:98403):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319116.492034] audit: type=1400 audit(1597883436.744:98404):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319116.493532] audit: type=1400 audit(1597883436.748:98405):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319116.493548] audit: type=1400 audit(1597883436.748:98406):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319121.494193] audit: type=1400 audit(1597883441.748:98407):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319121.494197] audit: type=1400 audit(1597883441.748:98408):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319126.497797] audit: type=1400 audit(1597883446.752:98409):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319126.497802] audit: type=1400 audit(1597883446.752:98410):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319131.502359] audit: type=1400 audit(1597883451.756:98411):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319131.502363] audit: type=1400 audit(1597883451.756:98412):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319136.506969] audit: type=1400 audit(1597883456.760:98413):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319136.506974] audit: type=1400 audit(1597883456.760:98414):
apparmor="DENIED" operation="create"
namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
requested_mask="create" denied_mask="create"
[48319651.890753] audit: type=1400 audit(1597883972.144:98415):
apparmor="DENIED" operation="mount" info="failed flags match" error=-13
profile="lxd-srv01_</var/lib/lxd>" name="/home/" pid=13048
comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"
root at vm05:~#
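To turn a dump like the one above into something actionable, here is an added triage script (not part of the original message, the Debian packaging or LXD): it parses AppArmor audit lines, keeps only DENIED events raised inside the container's AppArmor namespace, and counts them per profile, operation and socket type. The sample input is constructed in the shape of the dmesg lines quoted above; in this report the denied profiles line up with the failed units (named for bind9.service, clamd and freshclam for ClamAV), while the host-side lxd-srv01 mount denial is filtered out by the namespace prefix.

```python
import re
from collections import Counter

# Constructed sample in the shape of the "dmesg | fgrep apparmor" lines from the report:
# one STATUS load, container-namespace denials for named/freshclam/clamd, one host mount denial.
SAMPLE_DMESG = """\
[48319089.916476] audit: type=1400 audit(1597883410.172:98332): apparmor="STATUS" operation="profile_load" label="lxd-vm05_</var/lib/lxd>//&:lxd-vm05_<var-lib-lxd>:unconfined" name="/usr/sbin/clamd" pid=5498 comm="apparmor_parser"
[48319096.188571] audit: type=1400 audit(1597883416.444:98352): apparmor="DENIED" operation="create" namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named" pid=6620 comm="named" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
[48319096.217771] audit: type=1400 audit(1597883416.472:98353): apparmor="DENIED" operation="create" namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named" pid=6620 comm="named" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[48319101.480354] audit: type=1400 audit(1597883421.736:98396): apparmor="DENIED" operation="create" namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam" pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[48319112.643597] audit: type=1400 audit(1597883432.896:98402): apparmor="DENIED" operation="create" namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/clamd" pid=5646 comm="clamd" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[48319651.890753] audit: type=1400 audit(1597883972.144:98415): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-srv01_</var/lib/lxd>" name="/home/" pid=13048 comm="(ionclean)" flags="ro, nosuid, nodev, remount, bind"
"""

# key="quoted value" (may contain spaces) or key=bareword (pid=6620, error=-13, addr=none)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def summarize_denials(text, namespace_prefix=None):
    """Count DENIED events by (profile, operation, family, sock_type)."""
    # namespace_prefix (e.g. "root//lxd-vm05_") restricts the count to denials raised
    # inside that container's AppArmor namespace; host-side denials carry no such field.
    counts = Counter()
    for line in text.splitlines():
        event = parse_audit_line(line)
        if event.get("apparmor") != "DENIED":
            continue
        if namespace_prefix and not event.get("namespace", "").startswith(namespace_prefix):
            continue
        key = (event["profile"], event["operation"],
               event.get("family", "-"), event.get("sock_type", "-"))
        counts[key] += 1
    return counts


def profiles_to_review(counts):
    """Profiles that produced at least one denial, sorted for a stable report."""
    return sorted({profile for profile, *_ in counts})


if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_DMESG, namespace_prefix="root//lxd-vm05_")
    for (profile, op, family, sock_type), n in sorted(denials.items()):
        print(f"{n:3d}  {profile:20s} {op:8s} {family:5s} {sock_type}")
    print("profiles to review:", ", ".join(profiles_to_review(denials)))
```

On a live system, feed it `dmesg | fgrep apparmor` or the journal instead of the constructed sample; the per-profile counts are what you take to `aa-logprof` or to a local profile override rather than switching the profile to complain mode.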