Quoting Weng Meiling ([email protected]):
> Hi guys,
>
> I want to use apparmor to do some limits on a container, but I can't succeed.
>
> my environment:
>
> template: suse template
>
> lxc: 1.0.0.beta1 // built with apparmor enabled
>
> apparmor:
> # rpm -qa | grep apparmor
> apparmor-dbus-2.3-3.22
> libapparmor1-2.5.1.r1445-55.57.47
> yast2-apparmor-2.17.12-0.5.73
> perl-apparmor-2.5.1.r1445-55.57.47
> apparmor-utils-2.5.1.r1445-55.57.47
> apparmor-profile-editor-0.9.1-268.35
> libapparmor1-32bit-2.5.1.r1445-55.57.47
> apparmor-profiles-2.5.1.r1445-52.55.1
> apparmor-admin_en-10.3-8.24.1
> apparmor-docs-2.5.1.r1445-55.57.47
> apparmor-parser-2.5.1.r1445-55.57.47
> apparmorapplet-gnome-0.9-81.16.57
> libapparmor-devel-2.5.1.r1445-55.57.47
>
> kernel:
> upstream 3.4 kernel and 3.16 kernel
>
> # cat config | grep APPARMOR
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_APPARMOR_COMPAT_24=y
> CONFIG_DEFAULT_SECURITY_APPARMOR=y
>
> # cat /sys/module/apparmor/parameters/enabled
> Y
What does /sys/kernel/security/apparmor/features/mount/mask show? That depends on some new apparmor features still making their way upstream.

The current behavior when these are missing is not right, but hasn't yet been fixed. We should either fail the container startup, clearly warning the user that the full apparmor profile wouldn't have been enabled, or we should warn the user (which will likely get lost) and go ahead and load the apparmor profile.

Well, or better, we could scan the apparmor profile for features which would require the mount feature. I'm not quite sure whether that's possible though.

-serge
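The pre-start check Serge sketches, written out as an added example (not code from the thread or from LXC): it reads the two kernel interfaces the thread mentions, scans a profile for rules that need mount mediation, and refuses to proceed when the kernel cannot enforce them. The function names and the optional root-directory argument (so the check can be run against a constructed sysfs tree) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from LXC. Paths are taken relative
# to $1 so the check can run against a constructed directory tree; on a
# real host pass "" (or nothing) to read the live /sys interfaces.

# Exit 0 if AppArmor is enabled and the mount feature mask is exposed,
# 1 if the mount feature is missing, 2 if AppArmor is not enabled at all.
apparmor_mount_check() {
  aa_root="${1:-}"
  aa_enabled="$aa_root/sys/module/apparmor/parameters/enabled"
  aa_mask="$aa_root/sys/kernel/security/apparmor/features/mount/mask"
  if [ ! -r "$aa_enabled" ] || [ "$(cat "$aa_enabled")" != "Y" ]; then
    echo "apparmor: not enabled (missing or non-Y $aa_enabled)" >&2
    return 2
  fi
  if [ ! -r "$aa_mask" ]; then
    echo "apparmor: kernel exposes no mount feature (no $aa_mask)" >&2
    return 1
  fi
  echo "apparmor: mount feature present: $(cat "$aa_mask")"
  return 0
}

# Exit 0 if the profile in $1 contains rules that need mount mediation
# (mount, umount, remount, pivot_root), optionally prefixed with deny or
# audit; exit 1 otherwise. Lines starting with '#' never match.
profile_needs_mount() {
  grep -Eq '^[[:space:]]*((deny|audit)[[:space:]]+)*(mount|umount|remount|pivot_root)([[:space:]]|,)' "$1"
}

# Combine both: a profile with mount rules may only be loaded on a kernel
# that mediates mounts; otherwise fail loudly rather than silently loading
# a weaker profile. Exit 0 = safe to start, non-zero = refuse.
lxc_apparmor_precheck() {
  pre_profile="$1"
  pre_root="${2:-}"
  if profile_needs_mount "$pre_profile"; then
    apparmor_mount_check "$pre_root"
  else
    echo "apparmor: profile has no mount rules; mount feature not required"
  fi
}
```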
