Hello, my setup: debian7, lxc-1.0.4 from debian testing, vanilla kernel.org kernel 3.14.14.

I'm new to lxc and apparmor, so this took me a couple of hours to figure out: lxc-start won't assign an apparmor profile to a container since its test for apparmor will always fail on my setup. In src/lxc/lsm/apparmor, apparmor_enabled() tests for AA_MOUNT_RESTR (/sys/kernel/security/apparmor/features/mount/mask) first, which will never exist without that apparmor mount patch in the kernel. Commenting out that test gives me apparmor functionality (except for that mount feature, of course).

Is that intentional or just an ancient relic? I'd prefer to have apparmor profile support without mount restrictions over no apparmor profile support at all. apparmor gives me warnings like:

Warning from /etc/apparmor.d/lxc-containers (/etc/apparmor.d/lxc-containers line 8): profile lxc-container-default mount rules not enforced

when starting up, which is what I expect and something I can deal with as admin. I think lxc-start should activate the requested profile anyway. Oh, and a little log message whether lxc-start detected apparmor or not and activates it would be _very_ helpful :)

Related question: dropping the sys_admin cap for the container should render all the mount protections from apparmor unnecessary, right?

Regards,
Tom

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users

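As an added example (not lxc's code and not the poster's), a shell sketch of the split detection the post argues for: AppArmor presence and the mount-mediation feature are checked separately, and a log line states what was found rather than silently starting unconfined. It assumes /sys/module/apparmor/parameters/enabled as the kernel's enabled flag and takes a root prefix so the logic can be exercised against a constructed directory tree (pass "" on a live system).

```shell
#!/bin/sh
# Added example, not lxc code: detect AppArmor and its mount-rule support
# independently, so a missing features/mount/mask does not read as "no AppArmor".
# ROOT is prefixed to the sysfs paths; use "" on a real system.

# Returns 0 when the kernel reports AppArmor as enabled ("Y").
# Path assumption: /sys/module/apparmor/parameters/enabled
aa_enabled() {
    root="${1:-}"
    f="$root/sys/module/apparmor/parameters/enabled"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Returns 0 when the kernel exposes mount mediation (the file lxc's
# apparmor_enabled() looks for first).
aa_mount_restricted() {
    root="${1:-}"
    [ -r "$root/sys/kernel/security/apparmor/features/mount/mask" ]
}

# Prints one of: none | profile-only | profile+mount on stdout, and writes
# the log line the post asks for to stderr.
aa_status() {
    root="${1:-}"
    if ! aa_enabled "$root"; then
        echo "lxc-start: AppArmor not detected, container will start unconfined" >&2
        echo "none"
    elif aa_mount_restricted "$root"; then
        echo "lxc-start: AppArmor detected with mount mediation, applying profile" >&2
        echo "profile+mount"
    else
        echo "lxc-start: AppArmor detected without mount mediation, applying profile (mount rules not enforced)" >&2
        echo "profile-only"
    fi
}
```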