Your message dated Fri, 30 Apr 2021 15:36:16 +0200
with message-id <E1lcTJG-001M5j-VJ@hullmann.westfalen.local>
and subject line Closing this bug
has caused the Debian Bug report #788656,
regarding missing patch for apparmor with lxc
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
788656: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788656
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lxc
Version: 1:1.0.6-6
Severity: important

Dear Maintainer,

lxc-start does not seem to switch lxc containers to the default profile.
aa-status reports lxc-start keeping the 'lxc-start' profile after the container
has launched.

I installed packages lxc, apparmor, apparmor-utils, apparmor-profiles* on 
jessie, fully patched.
AppArmor works fine for libvirt (qemu/kvm machine profiles) and all others. 

I created:
lxc-create -n myvm -t debian -- -r jessie
executed:
lxc-start -n myvm

However, when I run aa-status, the output is:

apparmor module is loaded.
68 profiles are loaded.
31 profiles are in enforce mode.
   [...]
   /usr/bin/lxc-start
   [...]
   lxc-container-default
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
37 profiles are in complain mode.
   [...]
18 processes have profiles defined.
14 processes are in enforce mode.
   /usr/bin/lxc-start (2596) 
   /usr/bin/lxc-start (2598) 
   /usr/bin/lxc-start (2620) 
   /usr/bin/lxc-start (2687) 
   /usr/bin/lxc-start (2693) 
   /usr/bin/lxc-start (2694) 
   /usr/bin/lxc-start (2695) 
   /usr/bin/lxc-start (2696) 
   /usr/bin/lxc-start (2697) 
   /usr/bin/lxc-start (3572) 
   /usr/bin/lxc-start (3573) 
   /usr/sbin/cups-browsed (1214) 
   /usr/sbin/cupsd (1210) 
   /usr/sbin/libvirtd (1166) 
4 processes are in complain mode.
   [...]
0 processes are unconfined but have a profile defined.

It shows lxc-container-default as not loaded.

Setting lxc.aa_profile = unconfined|lxc-container-default|lxc-default
in /var/lib/lxc/myvm/config all produce the same result.

I compared this to an Ubuntu installation with roughly the same steps.
Its output is:

21 processes are in enforce mode.
   /sbin/dhclient (897) 
   /usr/bin/lxc-start (2348) 
   /usr/sbin/cups-browsed (583) 
   /usr/sbin/cupsd (546) 
   lxc-container-default (2356) 
   lxc-container-default (2547) 
   lxc-container-default (2569) 
   lxc-container-default (2665) 
   lxc-container-default (2679) 
   lxc-container-default (2680) 
   lxc-container-default (2686) 
   lxc-container-default (2728) 
   lxc-container-default (2733) 
   lxc-container-default (2752) 
   lxc-container-default (2754) 
   lxc-container-default (2755) 
   lxc-container-default (2764) 
   lxc-container-default (2784) 
   lxc-container-default (2795) 
   lxc-container-default (2796) 
   lxc-container-default (2799) 
2 processes are in complain mode.

That is what I would expect.

So going by aa-status it appears LXC isn't switching to the container profile 
in Jessie. Unless I'm missing a package this would be a security issue.

Couldn't find a specific in the logs but it's not my forte.

Thank you


-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lxc depends on:
ii  init-system-helpers  1.22
ii  libapparmor1         2.9.0-3
ii  libc6                2.19-18
ii  libcap2              1:2.24-8
ii  libseccomp2          2.1.1-1
ii  libselinux1          2.3-2
ii  multiarch-support    2.19-18
ii  python3              3.4.2-2

Versions of packages lxc recommends:
ii  debootstrap  1.0.67
ii  openssl      1.0.1k-3+deb8u1
ii  rsync        3.1.1-3

Versions of packages lxc suggests:
pn  lua5.2  <none>

-- no debconf information

--- End Message ---
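Added example, not part of the bug report or of the lxc package: a small Python check that parses the process section of aa-status output and flags the state the report describes, where every lxc-start process stays confined by the /usr/bin/lxc-start profile and nothing runs under lxc-container-default. The two sample listings are constructed abbreviations of the Jessie and Ubuntu output quoted above, and the decision rule (flag when lxc-start processes are present but no process is under the container profile) is an assumption for this check, not something the report states.

```python
"""Parse aa-status process listings and flag LXC containers whose processes
never switched from the lxc-start profile to the container profile."""
import re

# Constructed sample (abbreviated from the Jessie listing in the report).
SAMPLE_JESSIE = """\
apparmor module is loaded.
14 processes are in enforce mode.
   /usr/bin/lxc-start (2596) 
   /usr/bin/lxc-start (2598) 
   /usr/sbin/cupsd (1210) 
4 processes are in complain mode.
   /usr/sbin/example (1) 
0 processes are unconfined but have a profile defined.
"""

# Constructed sample (abbreviated from the Ubuntu listing in the report).
SAMPLE_UBUNTU = """\
21 processes are in enforce mode.
   /usr/bin/lxc-start (2348) 
   lxc-container-default (2356) 
   lxc-container-default (2547) 
2 processes are in complain mode.
"""

# aa-status prints each confined process as "   <profile> (<pid>)".
PROC_LINE = re.compile(r"^\s+(\S+) \((\d+)\)\s*$")


def parse_enforce_processes(text):
    """Return {pid: profile} for processes listed under 'in enforce mode'."""
    procs = {}
    in_section = False
    for line in text.splitlines():
        if line.endswith("processes are in enforce mode."):
            in_section = True
            continue
        if in_section and not line.startswith(" "):
            in_section = False  # the next unindented count line ends the section
        if in_section:
            m = PROC_LINE.match(line)
            if m:
                procs[int(m.group(2))] = m.group(1)
    return procs


def check_container_confinement(text, container_profile="lxc-container-default"):
    """Assumed rule: lxc-start processes present but none under the container
    profile means the containers were not switched (the reported symptom)."""
    procs = parse_enforce_processes(text)
    under_starter = sorted(p for p, prof in procs.items() if prof == "/usr/bin/lxc-start")
    under_container = sorted(p for p, prof in procs.items() if prof == container_profile)
    suspicious = bool(under_starter) and not under_container
    return suspicious, under_starter, under_container
```

Feeding the real `aa-status` output (run as root) to `check_container_confinement` gives the same verdict for a live system; the Jessie sample is flagged, the Ubuntu sample is not.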
--- Begin Message ---
This bug was filed for a very old kernel. If you can reproduce it with
- the current version in unstable/testing
- the latest kernel from buster.backports
please reopen the bug, see https://www.debian.org/Bugs/server-control

--- End Message ---