[pkg-apparmor] AppArmor regression between Debian 9 and 10 when running inside LXC/LXD container
intrigeri
intrigeri at debian.org
Fri Aug 21 11:16:40 BST 2020
Hi,
Kostas Papadopoulos (2020-08-20):
> Indeed, after applying the patch and rebooting, the Debian 10.5 CT (vm05)
> loaded the AppArmor profiles. However, 2 of the services (Bind9 and
> ClamAV) failed:
Thank you.
> [48319096.188571] audit: type=1400 audit(1597883416.444:98352):
> apparmor="DENIED" operation="create"
> namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named"
> pid=6620 comm="named" family="unix" sock_type="dgram" protocol=0
> requested_mask="create" denied_mask="create" addr=none
> [48319101.480354] audit: type=1400 audit(1597883421.736:98396):
> apparmor="DENIED" operation="create"
> namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam"
> pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0
> requested_mask="create" denied_mask="create"
I believe those are caused by one of:
(A) The named and clamd/freshclam profiles in Buster lacking some
rules; these profiles are not maintained by the AppArmor team and
I did not check.
(B) A mismatch between:
- the Ubuntu kernel you're running, which supports fine-grained
network rules;
- the set of features your Debian 10 container restricts compiled
policy to (/usr/share/apparmor-features/features).
I've never tried this combination myself. To check this
hypothesis, you could try deleting
/usr/share/apparmor-features/features in the Debian 10 container,
restarting it, and see what happens.
I'd like to know which one it is before I think more about the "patch
AppArmor in a Buster point release" option: if enabling AppArmor
inside Debian Buster LXC containers breaks services, then this does
not look like a reasonable change to apply in a stable point-release.
Ideally, someone would check what happens in this scenario: "Debian 10
container with the proposed patch applied, running on a Debian 10
host". For the avoidance of doubt, I'm not committing personally to do that.
Cheers!
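Added example, not part of the message above and not code from the AppArmor project or from Debian: a small POSIX shell script that takes the two "DENIED" audit lines quoted in the report as constructed input and derives, from the `family=` and `sock_type=` fields, the narrowest AppArmor `network` rule that would permit each socket creation. The helper names (`field`, `suggest_rule`, `report`) are this example's own. It is meant as a quick way to separate the two hypotheses: a profile that lacks such a rule points at (A), a profile that already carries an equivalent rule yet still gets the denial points at (B).

```shell
#!/bin/sh
# Added example (not from the thread or the AppArmor project): turn AppArmor
# "DENIED" audit lines for socket creation into the network rule that would
# permit the operation in the profile named by the profile= field.

# The two denials quoted in the report, embedded here as constructed input so
# the script runs offline without access to the host's kernel log.
DENIALS='audit: type=1400 audit(1597883416.444:98352): apparmor="DENIED" operation="create" namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/sbin/named" pid=6620 comm="named" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
audit: type=1400 audit(1597883421.736:98396): apparmor="DENIED" operation="create" namespace="root//lxd-vm05_<var-lib-lxd>" profile="/usr/bin/freshclam" pid=6606 comm="freshclam" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"'

# field KEY LINE: print the value of KEY="value" in LINE, or nothing if absent.
# Every key in an audit line is preceded by a space, which the pattern relies on.
field() {
  printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# suggest_rule LINE: for a socket-creation denial, print the narrowest AppArmor
# network rule (domain + type) matching it; otherwise print nothing and fail.
suggest_rule() {
  [ "$(field apparmor "$1")" = "DENIED" ] || return 1
  fam=$(field family "$1")
  typ=$(field sock_type "$1")
  [ -n "$fam" ] && [ -n "$typ" ] || return 1
  printf 'network %s %s,\n' "$fam" "$typ"
}

# report: one output line per denial, naming the confined profile and the rule
# that would have to be present for the operation to be allowed.
report() {
  printf '%s\n' "$DENIALS" | while IFS= read -r line; do
    prof=$(field profile "$line")
    if rule=$(suggest_rule "$line"); then
      printf '%s: add "%s"\n' "$prof" "$rule"
    else
      printf '%s: not a socket-creation denial, inspect the profile by hand\n' "$prof"
    fi
  done
}

report
# prints:
# /usr/sbin/named: add "network unix dgram,"
# /usr/bin/freshclam: add "network inet dgram,"
```

The suggested rule is only the one implied by that single event; a profile author would usually widen it (for instance to cover both `inet` and `inet6`, or `stream` as well as `dgram`) after collecting all denials for the service. The `namespace=` field is left untouched on purpose: it tells you which container the event came from, which matters when several LXD guests share one host kernel, but it has no bearing on the rule text.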