On 2014/9/16 6:17, Serge Hallyn wrote:
> Quoting Weng Meiling ([email protected]):
>> Hi guys,
>>
>> I want to use apparmor to put some limits on a container, but I can't succeed.
>>
>> my environment:
>>
>> template: suse template
>>
>> lxc: 1.0.0.beta1 //built with apparmor enabled
>>
>> apparmor:
>> # rpm -qa | grep apparmor
>> apparmor-dbus-2.3-3.22
>> libapparmor1-2.5.1.r1445-55.57.47
>> yast2-apparmor-2.17.12-0.5.73
>> perl-apparmor-2.5.1.r1445-55.57.47
>> apparmor-utils-2.5.1.r1445-55.57.47
>> apparmor-profile-editor-0.9.1-268.35
>> libapparmor1-32bit-2.5.1.r1445-55.57.47
>> apparmor-profiles-2.5.1.r1445-52.55.1
>> apparmor-admin_en-10.3-8.24.1
>> apparmor-docs-2.5.1.r1445-55.57.47
>> apparmor-parser-2.5.1.r1445-55.57.47
>> apparmorapplet-gnome-0.9-81.16.57
>> libapparmor-devel-2.5.1.r1445-55.57.47
>>
>> kernel:
>> upstream 3.4 kernel and 3.16 kernel
>>
>> # cat config | grep APPARMOR
>> CONFIG_SECURITY_APPARMOR=y
>> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> CONFIG_SECURITY_APPARMOR_COMPAT_24=y
>> CONFIG_DEFAULT_SECURITY_APPARMOR=y
>>
>> # cat /sys/module/apparmor/parameters/enabled
>> Y
>>
>> but when I specify the apparmor profile with lxc.aa_profile, the container
>> starts, but the profile is not effective. With the debug messages I found
>> the lsm drv is always nop. I found the comment "The nop driver is used when
>> LXC has compiled in support for AppArmor or SELinux but neither is enabled
>> in the run time environment." Doesn't /sys/module/apparmor/parameters/enabled
>> show apparmor enabled in the run time environment?
>>
>> And it's strange that the lsm drv initialization in lsm_init() always returns
>> at the first check:
>>
>> __attribute__((constructor))
>> void lsm_init(void)
>> {
>>     if (drv) {
>>         INFO("LSM security driver %s", drv->name);
>>         return;
>>     }
>>
>> #if HAVE_APPARMOR
>>     drv = lsm_apparmor_drv_init();
>> #endif
>> #if HAVE_SELINUX
>>     if (!drv)
>>         drv = lsm_selinux_drv_init();
>> #endif
>>
>>     if (!drv)
>>         drv = lsm_nop_drv_init();
>>     INFO("Initialized LSM security driver %s", drv->name);
>> }
>>
>> but I didn't see any other place that initializes drv. Who does the
>> initialization?
>>
>> Then I changed the kernel to linux-apparmor v3.4-aa2.8, which has the ubuntu
>> apparmor patches. Although lxc.aa_profile took effect, the container failed
>> to start:
>
> Sorry I'd missed this in your email earlier. So that's why the mount features
> are enabled - good.
>
>> # lxc-start -n wml -f config -o wml -l DEBUG
>> lxc-start: No such file or directory - failed to change exec apparmor profile to lxc-default
>
> Are the apparmor profiles for lxc installed? In particular you need:
>
> /etc/apparmor.d/usr.bin.lxc-start
> /etc/apparmor.d/abstractions/lxc/container-base
> /etc/apparmor.d/abstractions/lxc/start-container
> /etc/apparmor.d/lxc/lxc-default
>
> Ah, and then something needs to load those profiles - which probably is what
> isn't being done for you. The ubuntu packages do that with the upstart job,
> which does:
>
> /lib/init/apparmor-profile-load usr.bin.lxc-start
> /lib/init/apparmor-profile-load lxc-containers
>
> Does that by chance fix it for you?

I run the container on a SUSE system. I had tried to use the apparmor profiles
for lxc from ubuntu, maybe missing the start-container file. I'll try it again.
Thanks for your help! :)
>> lxc-start: invalid sequence number 1. expected 4
>> lxc-start: failed to spawn 'wml'
>>
>> Then I found that the latest lxc code removes the aa_change_onexec(), so I
>> changed the code, but it's still an error:
>>
>> # lxc-start -n wml -f config -o wml -l DEBUG
>> lxc-start: No such file or directory - failed to change apparmor profile to lxc-default
>> lxc-start: invalid sequence number 1. expected 4
>> lxc-start: failed to spawn 'wml'
>>
>> Did I do anything wrong? Must I use ubuntu if I want to use lxc with apparmor?
>> Any suggestion is appreciated. Thanks!
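Editor's note on the two symptoms in this thread, with an added script that is not LXC's code and not from either poster. The `__attribute__((constructor))` on lsm_init() makes the loader run it when lxc-start's code is loaded, before main(), so any later explicit call lands in the `if (drv) return;` branch: the driver was already chosen, and it is nop only because lsm_apparmor_drv_init()'s own runtime check failed, not because nothing ever initialized drv. The second symptom, "No such file or directory" from changing profile, is the ENOENT the kernel returns when the profile named in lxc.aa_profile is not loaded, which is exactly the missing apparmor_parser step Serge points at. The POSIX sh below checks, in that order, the kernel parameter, that securityfs exposes the apparmor interface, that the four profile files Serge lists exist, and that the target profile appears in the kernel's loaded-profile list (which shows the name declared inside the file, not the file name; Ubuntu's lxc-default file declares lxc-container-default). The root-prefix argument and all function names are the example's own; the fake tree in the test is constructed.

```shell
#!/bin/sh
# Added example, not LXC's own code. Every function takes a root prefix as $1
# so the checks can be pointed at a fake tree; pass "" on a real host.

# The kernel parameter LXC's runtime check reads. Returns 0 when it is "Y".
aa_kernel_enabled() {
    _f="$1/sys/module/apparmor/parameters/enabled"
    [ -r "$_f" ] && [ "$(cat "$_f")" = "Y" ]
}

# securityfs must be mounted and expose the apparmor interface; without it
# nothing can be loaded and the loaded-profile list cannot be read.
aa_securityfs_present() {
    [ -d "$1/sys/kernel/security/apparmor" ]
}

# The profile files Serge lists. Prints each missing one; returns 1 if any.
aa_lxc_files_missing() {
    _rc=0
    for _f in /etc/apparmor.d/usr.bin.lxc-start \
              /etc/apparmor.d/abstractions/lxc/container-base \
              /etc/apparmor.d/abstractions/lxc/start-container \
              /etc/apparmor.d/lxc/lxc-default; do
        if [ ! -f "$1$_f" ]; then
            echo "$_f"
            _rc=1
        fi
    done
    return $_rc
}

# Is a profile with this kernel name loaded? The kernel lists profiles as
# "name (mode)"; the name comes from the declaration inside the file.
aa_profile_loaded() {
    _f="$1/sys/kernel/security/apparmor/profiles"
    [ -r "$_f" ] && grep -q "^$2 (" "$_f"
}

# Load or replace the given profile files, which is what Ubuntu's upstart job
# does through apparmor-profile-load. Needs root and apparmor_parser; not
# exercised by the test below.
aa_load_profiles() {
    for _f in "$@"; do
        apparmor_parser -r "$_f" || return 1
    done
}

# Walk the checks in the order the thread's symptoms appear. Returns 0 only
# when the profile is loaded under the requested name.
aa_lxc_diagnose() {
    _root=$1; _prof=$2
    if ! aa_kernel_enabled "$_root"; then
        echo "apparmor not enabled in kernel: LXC falls back to the nop LSM driver"
        return 1
    fi
    if ! aa_securityfs_present "$_root"; then
        echo "securityfs not mounted: mount -t securityfs securityfs /sys/kernel/security"
        return 1
    fi
    if ! aa_lxc_files_missing "$_root" >/dev/null; then
        echo "missing lxc profile files:"
        aa_lxc_files_missing "$_root"
        return 1
    fi
    if ! aa_profile_loaded "$_root" "$_prof"; then
        echo "profile '$_prof' not loaded: changing to it fails with ENOENT;"
        echo "load it with apparmor_parser -r (see aa_load_profiles)"
        return 1
    fi
    echo "profile '$_prof' is loaded; lxc.aa_profile = $_prof can take effect"
    return 0
}

# Usage on a real host, as root:  sh this.sh <name given in lxc.aa_profile>
if [ -n "${1:-}" ]; then
    aa_lxc_diagnose "" "$1"
fi
```

The name to pass is the one the kernel lists in /sys/kernel/security/apparmor/profiles after loading, so if the list shows a different name from the one in lxc.aa_profile, fix the config rather than the profile file.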
