[pkg-lxc-devel] Bug#916639: LXC AppArmor confinement breaks systemd v240

intrigeri intrigeri at debian.org
Sun Jan 13 10:40:48 GMT 2019

Hi Christian,

Christian Brauner:
> Did you backport the new config keys as well?
> If so we can't carry that version upstream.
> Since this would be a feature release.
> If you only backported the internal profile changes than we can
> carry it upstream and you should send your patch.

I've backported e6ec0a9, e7311a84 and 1800f92. This indeed includes
the copy of lxd's apparmor profile generation and thus the new config
keys. I *think* I've initially tried backporting only the policy
changes but that was not sufficient. But I might have skipped this
step, I can't recall.

Last time I worked on this I did not bother sending backported patches
upstream for 3.0.x, because on the "[apparmor] LXC + AppArmor vs.
upcoming systemd v240" thread, you said it was doable to release the
branch that already has this code as stable soon. But I understand
this is now unlikely so indeed, *if* the profile changes are
sufficient, it would be nice to have 3.0.4 that includes them.

I'm afraid I probably won't have time this month to work on this
again. So ideally, someone else would try if the policy changes are
enough to fix this bug, and then propose the corresponding backported
patch upstream. Or the Debian LXC maintainers "just" (sic) apply my
3 backported patches. Or we disable AppArmor support for LXC in Buster
(not a regression vs. Stretch but pretty sad).


More information about the Pkg-lxc-devel mailing list