[pkg-apparmor] AppArmor regression between Debian 9 and 10 when running inside LXC/LXD container

intrigeri intrigeri at debian.org
Fri Aug 21 11:16:40 BST 2020


Hi,

Kostas Papadopoulos (2020-08-20):
> Indeed after applying the patch and rebooting, the Debian 10.5 CT (vm05) 
> loaded the AppArmor profiles. However 2 of the services (Bind9 and 
> ClamAV) failed:

Thank you. 

> [48319096.188571] audit: type=1400 audit(1597883416.444:98352): 
> apparmor="DENIED" operation="create" 
> namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named" 
> pid=6620 comm="named" family="unix" sock_type="dgram" protocol=0 
> requested_mask="create" denied_mask="create" addr=none
> [48319101.480354] audit: type=1400 audit(1597883421.736:98396): 
> apparmor="DENIED" operation="create" 
> namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam" 
> pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0 
> requested_mask="create" denied_mask="create"

I believe those are caused by one of:

(A) The named and clamd/freshclam profiles in Buster lacking some
    rules; these profiles are not maintained by the AppArmor team and
    I did not check.

(B) A mismatch between:

     - the Ubuntu kernel you're running, which supports fine-grained
       network rules;

     - the set of features your Debian 10 container restricts compiled
       policy to (/usr/share/apparmor-features/features).

    I've never tried this combination myself. To check this
    hypothesis, you could try deleting
    /usr/share/apparmor-features/features in the Debian 10 container,
    restarting it, and see what happens.

I'd like to know which one it is before I think more about the "patch
AppArmor in a Buster point release" option: if enabling AppArmor
inside Debian Buster LXC containers breaks services, then this does
not look like a reasonable change to apply in a stable point-release.

Ideally, someone would check what happens in this scenario: "Debian 10
container with the proposed patch applied, running on a Debian 10
host". For avoidance of doubt, I'm not committing personally to do that.

Cheers!
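A way to test hypothesis (B) above before deleting anything: compare the top-level feature keys the running kernel advertises under /sys/kernel/security/apparmor/features with the keys present in the pinned /usr/share/apparmor-features/features file. If the kernel lists a key such as "network" that the pinned file omits, policy compiled against the pinned file carries no rules of that class, which is the kind of mismatch described in (B). The script below is an added example, not part of the thread and not AppArmor's own tooling; the brace-nested "key {value\n}" layout of the flattened features file and the sample kernel tree and pinned file it builds are constructed for the example, so on a real host the two paths above would be passed to `aa_missing_keys` instead.

```shell
#!/bin/sh
# Added example: report feature keys the kernel supports but a pinned
# features file does not mention. Not AppArmor's own tooling.
set -eu

# Top-level feature keys of a sysfs-style feature tree: one subdirectory
# each, e.g. /sys/kernel/security/apparmor/features/{caps,network,policy}.
aa_keys_from_dir() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        printf '%s\n' "${d##*/}"
    done | sort
}

# Top-level feature keys of a flattened features file. The brace format
# ("policy {versions {v5 v6\n}\n}") is assumed here: a key is the word that
# opens a brace while the nesting depth is zero.
aa_keys_from_file() {
    awk '
        depth == 0 && match($0, /^[A-Za-z0-9_]+ [{]/) {
            print substr($0, 1, RLENGTH - 2)
        }
        {
            opened = gsub(/[{]/, "{")
            closed = gsub(/[}]/, "}")
            depth += opened - closed
        }
    ' "$1" | sort
}

# Keys the kernel advertises that the pinned file lacks. Policy compiled
# against such a file has no rules of those classes on this kernel.
aa_missing_keys() {
    kdir=$1
    pinned=$2
    tmp=$(mktemp)
    aa_keys_from_file "$pinned" > "$tmp"
    # grep -v exits 1 when nothing is missing, which is the good case.
    aa_keys_from_dir "$kdir" | grep -vxF -f "$tmp" || :
    rm -f "$tmp"
}

# --- constructed fixture (not real kernel output) ---
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT

# A kernel tree that mediates networking: it has a "network" key.
KDIR=$FIX/kernel_features
mkdir -p "$KDIR/caps" "$KDIR/network" "$KDIR/policy/versions"
printf 'chown net_admin\n' > "$KDIR/caps/mask"
printf 'unix inet inet6\n' > "$KDIR/network/af_mask"
: > "$KDIR/policy/versions/v7"

# A pinned file generated from a kernel without network mediation.
PINNED=$FIX/pinned_features
cat > "$PINNED" <<'EOF'
caps {mask {chown net_admin
}
}
policy {versions {v5 v6 v7
}
}
EOF

echo "Kernel feature keys not covered by the pinned features file:"
aa_missing_keys "$KDIR" "$PINNED"
```

On a real host, `aa_missing_keys /sys/kernel/security/apparmor/features /usr/share/apparmor-features/features` run inside the container (with the host's sysfs view) shows whether the pinned file is the narrower of the two; an empty result means (B) does not explain the denials.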


