slight revision:

/sys/kernel/security/apparmor/features/domain/ns_stacked contains yes/no if stacked across policy namespace

/sys/kernel/security/apparmor/features/domain/ns_name contains the name of the namespace

as long as lxc sets up a detectable namespace, ns_name can be used to detect if it should load or not, as stacking, and stacking across namespaces, will start to be used in other ways. So testing for just stack or ns_stack might not be enough

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1628285

Title:
  apparmor should be allowed to start in containers

Status in apparmor package in Ubuntu:
  New

Bug description:
  Now that we have support for apparmor namespacing and stacking, unprivileged containers can and should be allowed to load apparmor profiles.

  The following changes are needed at least:
   - Change the systemd unit to remove the "!container" condition
   - Change the apparmor init script, replacing the current simple container check with something along the lines of:
     - If /proc/self/attr/current says "unconfined"
     - And /sys/kernel/security/apparmor/features/domain/stack contains "yes"
     - And /sys/kernel/security/apparmor/features/domain/version is 1.2 or higher
     - Then continue execing the script, otherwise exit 0

  John suggested he could add a file which would provide a more reliable way to do this check ^

  In either case, we need this change so that containers can behave more like normal systems as far as apparmor is concerned.

  That change should also be SRUed back to Xenial at the same time the kernel support for stacking is pushed.

  This bug is effectively a blocker for snapd inside LXD as without this, snap-confine and snapd itself will not be confined after container restart.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1628285/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
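The container check sketched in the bug description (unconfined label, `stack` = yes, `version` >= 1.2), plus the `ns_stacked`/`ns_name` files from the comment above, written out as POSIX sh functions. This is an added example, not the Ubuntu apparmor init script or anything from the apparmor project. It assumes a ROOT argument under which `proc/` and `sys/` live so the logic can be exercised against a constructed fake tree; on a real host the argument is `/`. The `make_fake_root` helper, the version comparison, and the sample label values are all constructed for this example.

```sh
#!/bin/sh
# Added example: the "should apparmor load profiles here?" check from
# LP: #1628285, as shell functions. Not the real init script.
#
# Assumption: every function takes a ROOT directory (default "/") so a
# test can point it at a fake proc/ + sys/ tree instead of the kernel.

# version_ge A B: return 0 if dotted version A is >= B, comparing only
# major.minor (a missing minor part counts as 0). Helper constructed here.
version_ge() {
    a_major=$(printf '%s' "$1" | cut -d. -f1)
    a_minor=$(printf '%s' "$1" | cut -s -d. -f2)
    b_major=$(printf '%s' "$2" | cut -d. -f1)
    b_minor=$(printf '%s' "$2" | cut -s -d. -f2)
    : "${a_minor:=0}" "${b_minor:=0}"
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# apparmor_should_load ROOT: the three conditions from the bug description.
# Returns 0 when the init script should carry on loading profiles, 1 when
# it should "exit 0" instead (not unconfined, no stacking, or old ABI).
apparmor_should_load() {
    root=${1:-/}
    features="$root/sys/kernel/security/apparmor/features/domain"
    current=$(cat "$root/proc/self/attr/current" 2>/dev/null) || return 1
    [ "$current" = "unconfined" ] || return 1
    [ "$(cat "$features/stack" 2>/dev/null)" = "yes" ] || return 1
    version=$(cat "$features/version" 2>/dev/null) || return 1
    version_ge "$version" 1.2 || return 1
    return 0
}

# apparmor_policy_ns ROOT: per the comment in the thread, ns_stacked says
# whether we are stacked across a policy namespace and ns_name carries the
# namespace name. Prints the name and returns 0 only when ns_stacked=yes.
apparmor_policy_ns() {
    d="${1:-/}/sys/kernel/security/apparmor/features/domain"
    [ "$(cat "$d/ns_stacked" 2>/dev/null)" = "yes" ] || return 1
    cat "$d/ns_name" 2>/dev/null
}

# make_fake_root DIR CURRENT STACK VERSION [NS_NAME]: build a constructed
# proc/ + sys/ tree under DIR for testing (not a real kernel interface).
make_fake_root() {
    fake_root=$1
    d="$fake_root/sys/kernel/security/apparmor/features/domain"
    mkdir -p "$fake_root/proc/self/attr" "$d"
    printf '%s\n' "$2" > "$fake_root/proc/self/attr/current"
    printf '%s\n' "$3" > "$d/stack"
    printf '%s\n' "$4" > "$d/version"
    if [ -n "$5" ]; then
        printf 'yes\n' > "$d/ns_stacked"
        printf '%s\n' "$5" > "$d/ns_name"
    fi
}

# Stand-alone use: evaluate the real system. An init script would exit 0
# on the "else" branch rather than print.
if apparmor_should_load /; then
    echo "apparmor: unconfined with stacking support, continuing"
else
    echo "apparmor: not loading profiles in this environment"
fi
```

Note that `$(cat ...)` strips the trailing newline the kernel writes to `/proc/self/attr/current`, which is why the plain string comparison against `unconfined` works; a confined task reports a label such as `profile (enforce)` and the check correctly declines to load.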

