[Touch-packages] [Bug 2060535] Re: apparmor's is_container_with_internal_policy() does not recognize incus

2024-04-09 Thread Jamie Strandboge
Note that after this fix, snapd in containers needs to be at >= 2.62 for
apparmor policy to load (snapd's snapd-apparmor needs the corresponding
fix as this bug). This is currently in the candidate channel.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2060535

Title:
  apparmor's is_container_with_internal_policy() does not recognize
  incus

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Bionic:
  Triaged
Status in apparmor source package in Focal:
  Triaged
Status in apparmor source package in Jammy:
  Triaged
Status in apparmor source package in Noble:
  Fix Released

Bug description:
  apparmor is not loading for Ubuntu containers under incus. This is due
  to `/lib/apparmor/rc.apparmor.functions` (18.04 uses
  `/lib/apparmor/functions`):

  is_container_with_internal_policy() {
      # this function is sometimes called independently of
      # is_apparmor_loaded(), so also define this here.
      local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
      local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
      local ns_stacked
      local ns_name

      if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
          return 1
      fi

      read -r ns_stacked < "$ns_stacked_path"
      if [ "$ns_stacked" != "yes" ]; then
          return 1
      fi

      # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
      # "lxc-", respectively. Return non-zero for all other namespace
      # identifiers.
      read -r ns_name < "$ns_name_path"
      if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
         [ "${ns_name#lxc-*}" = "$ns_name" ]; then
          return 1
      fi

      return 0
  }

  This can be fixed by adjusting it to have:

      # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-",
      # "lxc-", and "incus-" respectively. Return non-zero for all other
      # namespace identifiers.
      read -r ns_name < "$ns_name_path"
      if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
         [ "${ns_name#lxc-*}" = "$ns_name" ] && \
         [ "${ns_name#incus-*}" = "$ns_name" ]; then
          return 1
      fi

  
  References:
  * https://github.com/lxc/incus/issues/740

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060535/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
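The prefix check from the bug description, as an added example that is not code from the bug report or the apparmor package: the pre-fix and fixed versions of the test are run against a constructed securityfs layout (a plain directory standing in for SFS_MOUNTPOINT, with constructed namespace names such as incus-c1), so the incus case can be seen failing the old check and passing the new one.

```shell
#!/bin/sh
# Added example, not code from the bug report or the apparmor package: the old
# and fixed prefix checks of is_container_with_internal_policy(), run against a
# constructed securityfs layout. SFS_MOUNTPOINT is normally
# /sys/kernel/security/apparmor; here any directory with the two files works.

# Create the two files the function reads, with constructed values.
make_fake_sfs() {  # $1 = directory, $2 = .ns_stacked value, $3 = .ns_name value
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/.ns_stacked"
    printf '%s\n' "$3" > "$1/.ns_name"
}

# Shared prelude of both checks: the files must exist and the namespace must
# be stacked; prints the namespace name, or returns 1 like the original.
read_ns_name() {  # $1 = SFS_MOUNTPOINT
    local ns_stacked ns_name
    [ -f "$1/.ns_stacked" ] && [ -f "$1/.ns_name" ] || return 1
    read -r ns_stacked < "$1/.ns_stacked"
    [ "$ns_stacked" = "yes" ] || return 1
    read -r ns_name < "$1/.ns_name"
    printf '%s' "$ns_name"
}

# Pre-fix logic: only the lxd- and lxc- prefixes count, so an incus container
# is treated as having no internal policy and apparmor is never loaded.
old_check() {  # $1 = SFS_MOUNTPOINT
    local ns_name
    ns_name=$(read_ns_name "$1") || return 1
    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
       [ "${ns_name#lxc-*}" = "$ns_name" ]; then
        return 1
    fi
    return 0
}

# Post-fix logic: the incus- prefix is accepted as well.
new_check() {  # $1 = SFS_MOUNTPOINT
    local ns_name
    ns_name=$(read_ns_name "$1") || return 1
    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
       [ "${ns_name#lxc-*}" = "$ns_name" ] && \
       [ "${ns_name#incus-*}" = "$ns_name" ]; then
        return 1
    fi
    return 0
}
```

Running both functions against the real SFS_MOUNTPOINT inside a container shows directly whether its policy namespace is recognised by the installed rc.apparmor.functions logic.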


[Touch-packages] [Bug 2060535] Re: apparmor's is_container_with_internal_policy() does not recognize incus

2024-04-08 Thread Jamie Strandboge
This is already available in noble. An SRU for jammy and focal (and
ideally bionic) would be nice.

** Changed in: apparmor (Ubuntu Bionic)
   Status: New => Triaged

** Changed in: apparmor (Ubuntu Focal)
   Status: New => Triaged

** Changed in: apparmor (Ubuntu Jammy)
   Status: New => Triaged



[Touch-packages] [Bug 2060535] Re: apparmor's is_container_with_internal_policy() does not recognize incus

2024-04-08 Thread Jamie Strandboge
https://gitlab.com/apparmor/apparmor/-/commit/659a187687fc8802045c113da0d12bc4b836d591
was committed upstream for this. It would be nice if this was SRU'd.

** Changed in: apparmor (Ubuntu Noble)
   Status: New => Fix Released
