Upon further checking I can confirm the message written by intrigeri in 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750106#117

With:
lxc-start -n myvm -l INFO -o ~/lxc_log.log

my container logs:
      lxc-start 1434864946.838 INFO     lxc_lsm - LSM security driver nop

It must be because of this code in apparmor.c in lxc source (1.0.6-6):

#include <stdio.h>
#include <sys/stat.h>

#define AA_DEF_PROFILE "lxc-container-default"
#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"

/* aa_getcon is not working right now.  Use our hand-rolled version below */
static int apparmor_enabled(void)
{
        struct stat statbuf;
        FILE *fin;
        char e;
        int ret;

        /* kernel must expose mount rule support, otherwise treat as disabled */
        ret = stat(AA_MOUNT_RESTR, &statbuf);
        if (ret != 0)
                return 0;
        /* and the apparmor module parameter must read 'Y' */
        fin = fopen(AA_ENABLED_FILE, "r");
        if (!fin)
                return 0;
        ret = fscanf(fin, "%c", &e);
        fclose(fin);
        if (ret == 1 && e == 'Y')
                return 1;
        return 0;
}

When this returns false, lxc uses the nop LSM driver instead of AppArmor.

/sys/kernel/security/apparmor/features/mount/mask is not on my system, i.e. there are no 
mount rules in this apparmor version, so this must return false. On the Ubuntu system, 
the file is present so it works.

So jessie apparmor still lacks mount rules, even though it says it's package 
2.9.0-3.


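The following is an added diagnostic, not lxc's own code and not part of the bug report above: a stand-alone reimplementation of the lxc 1.0.6 apparmor_enabled() check with the decision logic split out and a reason string, so that on a given host you can see which of the two conditions (the mount/mask feature file, or the 'Y' in parameters/enabled) makes lxc fall back to the nop LSM driver. The function names (aa_decide, aa_probe, aa_probe_fixture) and the temp-directory fixture are assumptions made for this example; the two sysfs paths are the ones from apparmor.c.

```c
/* Added example, not lxc source: reproduces the lxc 1.0.6 apparmor_enabled()
 * check and reports why AppArmor was or was not selected. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"

/* Pure decision with the same truth table as lxc's hand-rolled check:
 * AppArmor is used only if the mount/mask feature file exists AND the
 * first character of parameters/enabled is 'Y'. */
int aa_decide(int mask_present, int have_char, char e)
{
    return mask_present && have_char && e == 'Y';
}

/* Probe the filesystem the way lxc does, but record why it fell back to nop.
 * Returns 1 when AppArmor would be selected, 0 otherwise. */
int aa_probe(const char *mask_path, const char *enabled_path, char *reason, size_t n)
{
    struct stat st;
    FILE *fin;
    char e = 0;
    int have_char;

    if (stat(mask_path, &st) != 0) {
        /* this is the branch hit on jessie: no mount rule support exposed */
        snprintf(reason, n, "no mount rule support: %s missing", mask_path);
        return 0;
    }
    fin = fopen(enabled_path, "r");
    if (!fin) {
        snprintf(reason, n, "cannot open %s", enabled_path);
        return 0;
    }
    have_char = (fscanf(fin, "%c", &e) == 1);
    fclose(fin);
    if (!aa_decide(1, have_char, e)) {
        snprintf(reason, n, "%s does not start with 'Y' (got '%c')",
                 enabled_path, have_char ? e : '?');
        return 0;
    }
    snprintf(reason, n, "apparmor driver selected");
    return 1;
}

/* Offline fixture (hypothetical helper for testing): builds a fake sysfs layout
 * in a temp dir. create_mask says whether the mount/mask file exists;
 * enabled_content is written to the fake parameters/enabled (NULL = absent). */
int aa_probe_fixture(int create_mask, const char *enabled_content, char *reason, size_t n)
{
    char dir[] = "/tmp/aaprobeXXXXXX";
    char mask[64], enabled[64];
    FILE *f;
    int ret;

    if (!mkdtemp(dir))
        return -1;
    snprintf(mask, sizeof mask, "%s/mask", dir);
    snprintf(enabled, sizeof enabled, "%s/enabled", dir);
    if (create_mask && (f = fopen(mask, "w")))
        fclose(f);
    if (enabled_content && (f = fopen(enabled, "w"))) {
        fputs(enabled_content, f);
        fclose(f);
    }
    ret = aa_probe(mask, enabled, reason, n);
    unlink(mask);
    unlink(enabled);
    rmdir(dir);
    return ret;
}

int main(void)
{
    char reason[256];
    int on = aa_probe(AA_MOUNT_RESTR, AA_ENABLED_FILE, reason, sizeof reason);
    /* prints the same outcome lxc-start logs as "LSM security driver ..." */
    printf("LSM security driver: %s (%s)\n", on ? "apparmor" : "nop", reason);
    return 0;
}
```

Run it on the host where lxc-start logged "LSM security driver nop"; on a jessie kernel without the mount feature it reports the missing mask file, on Ubuntu with apparmor enabled it reports the apparmor driver selected.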