[pkg-apparmor] Bug#988204: apparmor: AppArmor container behavior inappropriate under WSL

Alistair Young avatar at arkane-systems.net
Fri May 7 17:57:34 BST 2021 

Package: apparmor
Version: 2.13.6-10
Severity: normal
Tags: patch
X-Debbugs-Cc: avatar at arkane-systems.net

Dear Maintainer,

There is an issue with the apparmor package not functioning
appropriately when installed on Debian running under the Windows Subsystem
for Linux. Specifically, systemd-detect-virt detects WSL as a container,
technically accurately, but this then causes the apparmor.systemd script
to decline to start apparmor.

This is problematic, essentially, because while Debian-in-WSL is
technically a container, there is no accessible "host" above it that might
be setting AppArmor policies to be interfered with; just the WSL
distro-management foo. As such, in this case, it makes more sense to treat
Debian-in-WSL as a non-container for AppArmor purposes.

A patch to enable this follows:

--- apparmor.systemd.old        2021-05-07 11:54:24.786143397 -0500
+++ apparmor.systemd.new        2021-05-07 11:53:52.773126996 -0500
@@ -73,6 +73,7 @@
        start)
                if [ -x /usr/bin/systemd-detect-virt ] && \
                   systemd-detect-virt --quiet --container && \
+                   [ $(systemd-detect-virt --container) != "wsl" ] \
                   ! is_container_with_internal_policy; then
                        aa_log_daemon_msg "Not starting AppArmor in container"
                        aa_log_end_msg 0
@@ -88,6 +89,7 @@
        restart|reload|force-reload)
                if [ -x /usr/bin/systemd-detect-virt ] && \
                   systemd-detect-virt --quiet --container && \
+                   [ $(systemd-detect-virt --container) != "wsl" ] \
                   ! is_container_with_internal_policy; then
                        aa_log_daemon_msg "Not starting AppArmor in container"
                        aa_log_end_msg 0


-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.16.3-microsoft-custom-WSL2+ (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.76
ii  libc6                  2.31-12
ii  lsb-base               11.1.0

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-profiles-extra  1.33
ii  apparmor-utils           2.13.6-10

-- debconf information excluded

-- debsums errors found:
debsums: changed file /lib/apparmor/apparmor.systemd (from apparmor package)

More information about the pkg-apparmor-team mailing list