- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: lxc-start does not switch into AppArmor profiles for containers
- From: Pat Roberts <royalsheeplauncher@zoho.com>
- Date: Sat, 13 Jun 2015 18:18:14 -0400
- Message-id: <20150613221814.2845.27612.reportbug@ace>
Package: lxc
Version: 1:1.0.6-6
Severity: important
Dear Maintainer,
lxc-start does not seem to switch lxc containers to the default profile.
aa-status reports lxc-start keeping the 'lxc-start' profile after the container
has launched.
I installed packages lxc, apparmor, apparmor-utils, apparmor-profiles* on jessie, fully patched.
AppArmor works fine for libvirt (qemu/kvm machine profiles) and all others.
I created:
lxc-create -n myvm -t debian -- -r jessie
executed:
lxc-start -n myvm
However, when I run aa-status, the output is:
apparmor module is loaded.
68 profiles are loaded.
31 profiles are in enforce mode.
[...]
/usr/bin/lxc-start
[...]
lxc-container-default
lxc-container-default-with-mounting
lxc-container-default-with-nesting
37 profiles are in complain mode.
[...]
18 processes have profiles defined.
14 processes are in enforce mode.
/usr/bin/lxc-start (2596)
/usr/bin/lxc-start (2598)
/usr/bin/lxc-start (2620)
/usr/bin/lxc-start (2687)
/usr/bin/lxc-start (2693)
/usr/bin/lxc-start (2694)
/usr/bin/lxc-start (2695)
/usr/bin/lxc-start (2696)
/usr/bin/lxc-start (2697)
/usr/bin/lxc-start (3572)
/usr/bin/lxc-start (3573)
/usr/sbin/cups-browsed (1214)
/usr/sbin/cupsd (1210)
/usr/sbin/libvirtd (1166)
4 processes are in complain mode.
[...]
0 processes are unconfined but have a profile defined.
It shows lxc-container-default as not loaded.
Setting lxc.aa_profile to unconfined, lxc-container-default or lxc-default
in /var/lib/lxc/myvm/config produces the same result in every case.
I compared this to an Ubuntu installation with roughly the same steps.
Its output is:
21 processes are in enforce mode.
/sbin/dhclient (897)
/usr/bin/lxc-start (2348)
/usr/sbin/cups-browsed (583)
/usr/sbin/cupsd (546)
lxc-container-default (2356)
lxc-container-default (2547)
lxc-container-default (2569)
lxc-container-default (2665)
lxc-container-default (2679)
lxc-container-default (2680)
lxc-container-default (2686)
lxc-container-default (2728)
lxc-container-default (2733)
lxc-container-default (2752)
lxc-container-default (2754)
lxc-container-default (2755)
lxc-container-default (2764)
lxc-container-default (2784)
lxc-container-default (2795)
lxc-container-default (2796)
lxc-container-default (2799)
2 processes are in complain mode.
That is what I would expect.
So going by aa-status it appears LXC isn't switching to the container profile in Jessie. Unless I'm missing a package, this would be a security issue.
Couldn't find anything specific in the logs, but it's not my forte.
Thank you
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages lxc depends on:
ii init-system-helpers 1.22
ii libapparmor1 2.9.0-3
ii libc6 2.19-18
ii libcap2 1:2.24-8
ii libseccomp2 2.1.1-1
ii libselinux1 2.3-2
ii multiarch-support 2.19-18
ii python3 3.4.2-2
Versions of packages lxc recommends:
ii debootstrap 1.0.67
ii openssl 1.0.1k-3+deb8u1
ii rsync 3.1.1-3
Versions of packages lxc suggests:
pn lua5.2 <none>
-- no debconf information
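A check for the symptom described in this report, added here as an example and not part of the bug report or the lxc package: it parses aa-status output and flags the case where lxc-start processes are confined but no process runs under an lxc-container-* profile. The sample inputs are constructed from the Jessie and Ubuntu outputs quoted above; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: detect containers that never left the lxc-start profile.
# Input is aa-status output on stdin (format as quoted in the report).
# The authoritative per-process check is still: cat /proc/<pid>/attr/current

# Count processes in the "processes are in enforce mode" section whose
# profile name (column 1) matches the regex in $1.
count_enforced() {
    awk -v pat="$1" '
        /processes are in enforce mode/  { in_enf = 1; next }
        /processes are in complain mode/ { in_enf = 0 }
        in_enf && $1 ~ pat && $2 ~ /^\([0-9]+\)$/ { n++ }
        END { print n + 0 }
    '
}

# Returns 1 (misconfiguration) when lxc-start processes exist in enforce mode
# but no process is confined by an lxc-container-* profile; 0 otherwise.
check_container_confinement() {
    text=$(cat)
    starts=$(printf '%s\n' "$text" | count_enforced '^/usr/bin/lxc-start$')
    conf=$(printf '%s\n' "$text" | count_enforced '^lxc-container-')
    printf 'enforced lxc-start: %s  lxc-container-*: %s\n' "$starts" "$conf"
    [ "$starts" -gt 0 ] && [ "$conf" -eq 0 ] && return 1
    return 0
}

# Constructed sample modelled on the Jessie output (containers unconfined).
JESSIE_SAMPLE='14 processes are in enforce mode.
/usr/bin/lxc-start (2596)
/usr/bin/lxc-start (2598)
/usr/sbin/cupsd (1210)
4 processes are in complain mode.'

# Constructed sample modelled on the Ubuntu output (expected behaviour).
UBUNTU_SAMPLE='21 processes are in enforce mode.
/usr/bin/lxc-start (2348)
lxc-container-default (2356)
lxc-container-default (2547)
2 processes are in complain mode.'

# On a live host, run:  aa-status | check_container_confinement
```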