[pkg-lxc-devel] Bug#916639: LXC AppArmor confinement breaks systemd v240

Pierre-Elliott Bécue peb at debian.org
Sat Feb 9 23:20:38 GMT 2019 

Le dimanche 27 janvier 2019 à 19:47:59+0100, intrigeri a écrit :
> Hi,
> 
> Pierre-Elliott Bécue:
> > We have to decide what solution I will implement.
> 
> Right, thanks for following up.
> 
> > I'm open to suggestions, although I'm considering the "disable
> > apparmor profiles for lxc" solution for now.
> 
> I think that disabling AppArmor by default for new LXC containers for
> Buster would be an OK-ish fallback option, if nothing else can
> realistically be made to work in time for the freeze; that would be
> sad, but it would not be a regression vs. Stretch. I assume we are on
> the same page regarding this: by all means, let's not ship a known
> broken LXC + AppArmor default configuration in Buster :)
> 
> Apart of this fallback, I can propose two options:
> 
> A) Add a blanket "mount," rule to the base AppArmor policy used by all
>    profiles used for individual containers.
> 
>    Pros: I guess that it's the cheapest possible way to have *some*
>    working AppArmor policy enabled by default.
> 
>    Cons:
> 
>      - This diverges from upstream quite a bit, and more importantly,
>        in a non-obvious way, so users coming from other distros may be
>        assuming a stricter default policy.
> 
>      - It's non-trivial for users to opt in for a stricter
>        AppArmor policy.
> 
> B) Apply the patches I've backported and proposed,
>    and make these settings the default:
> 
>      lxc.apparmor.profile = generated
>      lxc.apparmor.allow_nesting = 1
> 
>    … which effectively adds the same blanket "mount," rule
>    by default.
> 
>    Pros:
> 
>      - The user has more flexibility wrt. how strictly they want this
>        or that container to be confined by AppArmor.
> 
>      - Nicer UX: most users of LXC in Debian will be exposed to LXC
>        being confined with AppArmor for the first time in Buster.
>        It's nicer to give them means to configure it that are here to
>        stay, i.e. that are the future of the LXC/LXD ecosystem,
>        compared letting them learn the LXC 3.0.x way only to have to
>        learn again once they upgrade to a newer LXC or to Bullseye.
> 
>      - Easier to document: it's easier to explain what the default
>        value of these settings is on Debian, than to explain "we added
>        a blanket 'mount' rule" to users who are not familiar
>        with AppArmor.
> 
>    Cons:
> 
>      - Bigger delta vs. upstream 3.0.x branch. I realize this has
>        a maintenance cost and I guess that's why the maintainers have
>        not applied the proposed patches yet.
> 
>      - This new code has been tested very minimally on LXC 3.0.x.
>        It works well enough to make the systemd autopkgtests pass, it
>        comes from LXD, it's has been in upstream's 3.1 branch for
>        6 months, but still: there's a certain amount of
>        uncertainty here.
> 
> Either way, we don't enable mount mediation at all by default, because
> as Wolfgang wrote, "the policy changes won't be enough for long".
> So the resulting AppArmor policy is quite weak, but as long as users'
> expectations are set adequately, it's definitely not worse than what
> we have in Stretch nor than the fallback option.
> 
> Personally, I'm leaning towards option (B), which is why I bothered
> backporting the patches mid-December, after upstream suggested this
> was the way to go. But time has flown since then, and I would
> understand if the maintainers don't feel comfortable with this option
> so close to the freeze. I can live with option (A) too, and worst
> case, well, with the fallback option if that's how it is.

Hey,

I feel comfortable with B, but as far as I understood, there was some
code needing to be backported not in your patches.

Do you think we could take care of it or should I just include your
patches as it?

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20190210/ab855db0/attachment.sig>

More information about the Pkg-lxc-devel mailing list