[Touch-packages] [Bug 1667751] Re: Confined binaries running in namespaces unable to read their executable

2019-12-17 Thread Jamie Strandboge
John, what do you think about Seth's question in https://bugs.launchpad.net/apparmor/+bug/1667751/comments/5?

** Also affects: apparmor
   Importance: Undecided
       Status: New

** Changed in: apparmor
       Status: New => Incomplete

-- You received this bug notification because you are a

Re: [Touch-packages] [Bug 1667751] Re: Confined binaries running in namespaces unable to read their executable

2017-02-25 Thread Simon Déziel
Thanks Seth. A general solution covering most cases would be great as tweaking existing profiles would involve many SRUs and inevitably, new profiles not working inside containers would show up.

[Touch-packages] [Bug 1667751] Re: Confined binaries running in namespaces unable to read their executable

2017-02-24 Thread Seth Arnold
That's an excellent question. In general we can't solve all cases but perhaps we can find a middle-ground. In the past, the 'r' flag on the executable determined if the process was dumpable. I expect that to still hold, but there may be other reasons why 'r' is required these days. I don't know

Re: [Touch-packages] [Bug 1667751] Re: Confined binaries running in namespaces unable to read their executable

2017-02-24 Thread Simon Déziel
On 2017-02-24 04:04 PM, Seth Arnold wrote:
> I'm surprised that the denials you're seeing now
> weren't generated earlier, due to this change.

Well, I just got the word that AppArmor was now working in containers after waiting for years so I happily jumped in. I guess the question is: is there a

[Touch-packages] [Bug 1667751] Re: Confined binaries running in namespaces unable to read their executable

2017-02-24 Thread Seth Arnold
Thanks Simon, https://github.com/torvalds/linux/commit/9f834ec18defc369d73ccf9e87a2790bfa05bf46 changed how ELF executables are loaded by the kernel and required many changes to profiles. I'm surprised that the denials you're seeing now weren't generated earlier, due to this change. Thanks --

[Touch-packages] [Bug 1667751] Re: Confined binaries running in namespaces unable to read their executable

2017-02-24 Thread Simon Déziel
** Description changed:

+ It seems that binaries confined by AppArmor attempt to read their own
+ executable when running in a namespace/container. This breaks many
+ profiles that are working perfectly well outside of namespaces.
+
+
+
+ Original description:
+ I'm not sure if it's a bug

[Touch-packages] [Bug 1667751] Re: Confined binaries running in namespaces unable to read their executable

2017-02-24 Thread Simon Déziel
It doesn't seem to only affect rsyslog as I have for example a shell script contained by an AppArmor profile and inside the container it doesn't work as it wants to read /bin/dash:

audit: type=1400 audit(1487935787.212:153): apparmor="DENIED" operation="file_mprotect" namespace="root//lxd-smb_"