[pkg-apparmor] AppArmor regression between Debian 9 and 10 when running inside LXC/LXD container
Kostas Papadopoulos
kpapad-bugs at travelguide.gr
Fri Jul 17 19:24:30 BST 2020
Dear maintainers,
While AppArmor works fine inside a Debian 9 container (vm01) running
on an Ubuntu 18.04 LXD 3.0.3 host, in a Debian 10 container (vm05) the
init script /etc/init.d/apparmor refuses to load any AppArmor profiles
("apparmor.systemd[46]: Not starting AppArmor in container").
Debian 10 container (vm05) running under LXD 3.0.3 on an Ubuntu 18.04 host:
root at vm05:~# cat /etc/debian_version
10.4
root at vm05:~# dpkg -l|fgrep apparm
ii  apparmor            2.13.2-10  amd64  user-space parser utility for AppArmor
ii  apparmor-profiles   2.13.2-10  all    experimental profiles for AppArmor security policies
ii  libapparmor1:amd64  2.13.2-10  amd64  changehat AppArmor library
root at vm05:~# apparmor_status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
root at vm05:~# systemd-detect-virt --container
lxc
root at vm05:~#
root at vm05:~# systemctl status apparmor.service
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Thu 2020-07-16 04:36:14 EEST; 1 day 16h ago
     Docs: man:apparmor(7)
           https://gitlab.com/apparmor/apparmor/wikis/home/
 Main PID: 46 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   Memory: 0B
   CGroup: /system.slice/apparmor.service
Jul 16 04:36:14 vm05.mydomain.tld systemd[1]: Starting Load AppArmor profiles...
Jul 16 04:36:14 vm05.mydomain.tld apparmor.systemd[46]: Not starting AppArmor in container
Jul 16 04:36:14 vm05.mydomain.tld systemd[1]: Started Load AppArmor profiles.
root at vm05:~#
Debian 9 container (vm01) running under LXD 3.0.3 on an Ubuntu 18.04 host:
root at vm01:~# cat /etc/debian_version
9.12
root at vm01:~# dpkg -l|fgrep apparm
ii  apparmor            2.11.0-3+deb9u2  amd64  user-space parser utility for AppArmor
ii  apparmor-profiles   2.11.0-3+deb9u2  all    profiles for AppArmor Security policies
ii  libapparmor-perl    2.11.0-3+deb9u2  amd64  AppArmor library Perl bindings
ii  libapparmor1:amd64  2.11.0-3+deb9u2  amd64  changehat AppArmor library
root at vm01:~# apparmor_status
apparmor module is loaded.
35 profiles are loaded.
2 profiles are in enforce mode.
/usr/bin/freshclam
/usr/sbin/named
33 profiles are in complain mode.
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/sbin/smbldap-useradd
/usr/sbin/smbldap-useradd///etc/init.d/nscd
/usr/{sbin/traceroute,bin/traceroute.db}
klogd
ping
syslog-ng
syslogd
5 processes have profiles defined.
1 processes are in enforce mode.
/usr/bin/freshclam (314)
4 processes are in complain mode.
/usr/lib/dovecot/anvil (370)
/usr/lib/dovecot/config (373)
/usr/lib/dovecot/log (371)
/usr/sbin/dovecot (368)
0 processes are unconfined but have a profile defined.
root at vm01:~#
root at vm01:~# systemd-detect-virt --container
lxc
root at vm01:~#
Thank you in advance for looking into it,
KP
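The report above shows a state that is easy to miss after an upgrade: the unit reports "active (exited)" with status 0, the kernel module is present, yet no profiles are loaded, so every service that used to be confined now runs unconfined. The following POSIX shell script is an added example (not part of the original report or of the Debian apparmor package) that turns the two commands the reporter ran, apparmor_status and systemd-detect-virt --container, into a health check that distinguishes "profiles loaded", "module present but zero profiles inside a container" (the vm05 symptom), "zero profiles outside a container", and "module missing". The function names and the sample inputs are constructed for this example; the input format is the one shown in the report.

```shell
#!/bin/sh
# Added example, not from the original report: a post-upgrade AppArmor
# health check. Function names (loaded_profile_count, classify_apparmor,
# apparmor_healthy) are hypothetical; the parsed text is the format of
# `apparmor_status` and `systemd-detect-virt --container` seen above.

# Constructed sample inputs, shaped like the vm05 and vm01 output.
VM05_STATUS='apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.'

VM01_STATUS='apparmor module is loaded.
35 profiles are loaded.
2 profiles are in enforce mode.
33 profiles are in complain mode.
5 processes have profiles defined.'

# Extract N from the "N profiles are loaded." line; prints 0 if the line is absent.
loaded_profile_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) profiles are loaded\.$/\1/p')
    printf '%s\n' "${n:-0}"
}

# $1: apparmor_status output
# $2: systemd-detect-virt --container output ("none" when not in a container)
# Prints exactly one of:
#   module-missing            the kernel LSM is not available at all
#   no-profiles-in-container  module present, 0 profiles, inside a container
#                             (the vm05 symptom: the loader skipped itself)
#   no-profiles               module present, 0 profiles, not in a container
#   ok                        at least one profile is loaded
classify_apparmor() {
    status_text=$1
    virt=${2:-none}
    if ! printf '%s\n' "$status_text" | grep -q '^apparmor module is loaded\.$'; then
        echo module-missing
        return 0
    fi
    n=$(loaded_profile_count "$status_text")
    if [ "$n" -gt 0 ]; then
        echo ok
    elif [ "$virt" != "none" ]; then
        echo no-profiles-in-container
    else
        echo no-profiles
    fi
}

# Exit-status form for cron or a monitoring agent: 0 only when profiles are loaded.
apparmor_healthy() {
    [ "$(classify_apparmor "$1" "$2")" = ok ]
}

# Live mode: `sh check.sh --live` runs the check against the current system.
# apparmor_status needs root to read /sys/kernel/security; errors are silenced.
if [ "${1:-}" = "--live" ] && command -v apparmor_status >/dev/null 2>&1; then
    live_status=$(apparmor_status 2>/dev/null || true)
    # systemd-detect-virt prints "none" and exits non-zero outside a container.
    live_virt=$(systemd-detect-virt --container 2>/dev/null || true)
    classify_apparmor "$live_status" "${live_virt:-none}"
fi
```

Run on vm05 this prints no-profiles-in-container, on vm01 it prints ok. Because systemd considers apparmor.service successfully started in both cases, the profile count is the only signal a monitor can rely on; checking the exit status of the unit alone would have hidden this regression.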