Quoting Weng Meiling ([email protected]):
> Hi guys,
>
> I want to use apparmor to do some limits on container, but I can't succeed.
>
> my environment:
>
> template: suse template
>
> lxc: 1.0.0.beta1 //built with apparmor enabled
>
> apparmor:
> # rpm -qa | grep apparmor
> apparmor-dbus-2.3-3.22
> libapparmor1-2.5.1.r1445-55.57.47
> yast2-apparmor-2.17.12-0.5.73
> perl-apparmor-2.5.1.r1445-55.57.47
> apparmor-utils-2.5.1.r1445-55.57.47
> apparmor-profile-editor-0.9.1-268.35
> libapparmor1-32bit-2.5.1.r1445-55.57.47
> apparmor-profiles-2.5.1.r1445-52.55.1
> apparmor-admin_en-10.3-8.24.1
> apparmor-docs-2.5.1.r1445-55.57.47
> apparmor-parser-2.5.1.r1445-55.57.47
> apparmorapplet-gnome-0.9-81.16.57
> libapparmor-devel-2.5.1.r1445-55.57.47
>
> kernel:
> upstream 3.4 kernel and 3.16 kernel
>
> # cat config | grep APPARMOR
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_APPARMOR_COMPAT_24=y
> CONFIG_DEFAULT_SECURITY_APPARMOR=y
>
> # cat /sys/module/apparmor/parameters/enabled
> Y
>
> but when I specify the apparmor profile with lxc.aa_profile, the container
> starts, but the profile is not effective; with debug messages I found the lsm
> drv is always nop. I found the comment "The nop driver is used when LXC has
> compiled in support for AppArmor or SELinux but neither is enabled in the run
> time environment." Doesn't /sys/module/apparmor/parameters/enabled show
> apparmor enabled in the run time environment?
>
> and it's strange: the lsm drv initialization in lsm_init() always returns in
> the first check:
>
> /* constructor: runs when the library is loaded, before main() */
> __attribute__((constructor))
> void lsm_init(void)
> {
> 	if (drv) {
> 		INFO("LSM security driver %s", drv->name);
> 		return;
> 	}
>
> #if HAVE_APPARMOR
> 	drv = lsm_apparmor_drv_init();
> #endif
> #if HAVE_SELINUX
> 	if (!drv)
> 		drv = lsm_selinux_drv_init();
> #endif
>
> 	if (!drv)
> 		drv = lsm_nop_drv_init();
> 	INFO("Initialized LSM security driver %s", drv->name);
> }
>
> but I didn't see any other places to initialize the drv. Who does the
> initialization?
>
> Then I changed the kernel to linux-apparmor v3.4-aa2.8, which has the ubuntu
> apparmor patches; although lxc.aa_profile takes effect, the container failed
> to start:
Sorry I'd missed this in your email earlier. So that's why the mount features
are enabled - good.

> # lxc-start -n wml -f config -o wml -l DEBUG
> lxc-start: No such file or directory - failed to change exec apparmor profile
> to lxc-default

Are the apparmor profiles for lxc installed? In particular you need:

/etc/apparmor.d/usr.bin.lxc-start
/etc/apparmor.d/abstractions/lxc/container-base
/etc/apparmor.d/abstractions/lxc/start-container
/etc/apparmor.d/lxc/lxc-default

Ah, and then something needs to load those profiles - which probably is what
isn't being done for you. The ubuntu packages do that with the upstart job,
which does:

/lib/init/apparmor-profile-load usr.bin.lxc-start
/lib/init/apparmor-profile-load lxc-containers

Does that by chance fix it for you?

> lxc-start: invalid sequence number 1. expected 4
> lxc-start: failed to spawn 'wml'
>
> Then I found the latest lxc code removed the aa_change_onexec(), so I changed
> the code, but it's still an error:
>
> # lxc-start -n wml -f config -o wml -l DEBUG
> lxc-start: No such file or directory - failed to change apparmor profile to
> lxc-default
> lxc-start: invalid sequence number 1. expected 4
> lxc-start: failed to spawn 'wml'
>
> Did I do anything wrong? Must I use ubuntu if I want to use lxc with
> apparmor?
> Any suggestion is appreciated. Thanks!

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
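The checks Serge walks through above (module enabled, the four profile files present, the profile actually loaded into the kernel), as an added shell example that is not part of this thread or of LXC. It reads the kernel's loaded-profile list from securityfs, which lists one profile per line as "<name> (<mode>)"; every path is a parameter so the checks can be run against a constructed tree, and the profile name is whatever lxc.aa_profile is set to.

```shell
#!/bin/sh
# Added example (not from the thread or from LXC): preflight checks for an
# lxc.aa_profile setting. Defaults point at the real kernel/AppArmor paths;
# each path is a parameter so the checks can be run against a constructed tree.

# 0 if the AppArmor module reports itself enabled ("Y"), as shown in the thread.
aa_enabled() {
    enabled_file="${1:-/sys/module/apparmor/parameters/enabled}"
    if [ -r "$enabled_file" ] && [ "$(cat "$enabled_file")" = "Y" ]; then
        return 0
    fi
    return 1
}

# 0 if every profile file LXC needs exists under the apparmor.d directory.
aa_profile_files_present() {
    aadir="${1:-/etc/apparmor.d}"
    for f in usr.bin.lxc-start abstractions/lxc/container-base \
             abstractions/lxc/start-container lxc/lxc-default; do
        [ -f "$aadir/$f" ] || return 1
    done
    return 0
}

# 0 if the named profile is loaded into the kernel: securityfs lists loaded
# profiles one per line as "<name> (<mode>)", so match on the first field.
aa_profile_loaded() {
    name="$1"
    list="${2:-/sys/kernel/security/apparmor/profiles}"
    [ -r "$list" ] || return 1
    awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$list"
}

# Runs the checks from the kernel outward and prints a one-word diagnosis;
# exit status is 0 only when nothing is missing.
aa_diagnose() {
    name="$1"; enabled_file="$2"; aadir="$3"; list="$4"
    if ! aa_enabled "$enabled_file"; then echo "apparmor-disabled"; return 1; fi
    if ! aa_profile_files_present "$aadir"; then echo "profile-files-missing"; return 2; fi
    if ! aa_profile_loaded "$name" "$list"; then echo "profile-not-loaded:$name"; return 3; fi
    echo "ok"
    return 0
}
```

A "profile-files-missing" or "profile-not-loaded" result is the case Serge describes: the files are absent or nothing has run apparmor-profile-load on them, so lxc-start cannot switch to the profile even though the module itself is enabled.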
