[pkg-lxc-devel] Bug#916639: LXC AppArmor confinement breaks systemd v240

intrigeri at debian.org intrigeri at debian.org
Sun Dec 16 19:22:05 GMT 2018 

Package: lxc
Version: 1:3.0.3-1
Severity: normal
Tags: patch
X-Debbugs-Cc: Michael Biebl <biebl at debian.org>, Wolfgang Bumiller <w.bumiller at proxmox.com>
User: pkg-apparmor-team at lists.alioth.debian.org
Usertags: buggy-profile

Hi,

as discussed on https://bugs.debian.org/911806 the current LXC
AppArmor support breaks systemd v240, which now refuses to start units
if it can't set up various sandboxing features, while previously it
would merely start the units without the configured sandboxing.
Michael Biebl originally reported this failure in the context of the
systemd autopkgtests but I expect the same problem will affect regular
full-system containers as well.

Testing confirms that this problem is fixed by backporting 3 commits
(e6ec0a9, e7311a84 and 1800f92) from LXC 3.1.0. I'm attaching the
resulting backported patches. Credit goes to Wolfgang Bumiller who did
the work upstream and to Michael Biebl who reported the problem in
great details.

If Buster is going to be released with LXC 3.0.x, IMO we need to
either apply these patches or disable AppArmor by default for new LXC
containers. And if we're going to ship with LXC 3.1.0 or newer, then
feel free to disregard this request and close this bug with the first
upload of LXC 3.1.0+ :)

Cheers,
-- 
intrigeri

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-apparmor-profile-generation.patch
Type: text/x-diff
Size: 51059 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20181216/2d1aeadf/attachment-0003.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-tests-add-test-for-generated-apparmor-profiles.patch
Type: text/x-diff
Size: 4074 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20181216/2d1aeadf/attachment-0004.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-apparmor-allow-various-remount-bind-options.patch
Type: text/x-diff
Size: 4656 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20181216/2d1aeadf/attachment-0005.patch>

More information about the Pkg-lxc-devel mailing list