This bug was fixed in the package apparmor - 2.10.95-4ubuntu5

---------------
apparmor (2.10.95-4ubuntu5) yakkety; urgency=medium

  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.service, debian/apparmor.upstart,
    debian/lib/apparmor/profile-load: Adjust the checks that previously kept
    AppArmor policy from being loaded while booting a container. Now we
    attempt to load policy if we're in a LXD or LXC managed container that is
    using profile stacking inside of a policy namespace. (LP: #1628285)
  * Fix regression tests so that the kernel SRU process is not interrupted by
    failing tests
    - debian/patches/r3505-tests-fix-stacking-mode-checks.patch: Fix the
      stackonexec.sh and stackprofile.sh tests (LP: #1628295)
    - debian/patches/r3509-tests-fix-exec_stack-errors.patch: Fix the
      exec_stack.sh test (LP: #1628745)

 -- Tyler Hicks <[email protected]>  Thu, 29 Sep 2016 00:38:47 -0500

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1628285

Title:
  apparmor should be allowed to start in containers

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  Now that we have support for apparmor namespacing and stacking,
  unprivileged containers can and should be allowed to load apparmor
  profiles.

  The following changes are needed at least:
   - Change the systemd unit to remove the "!container" condition
   - Change the apparmor init script, replacing the current simple container
     check with something along the lines of:
      - If /proc/self/attr/current says "unconfined"
      - And /sys/kernel/security/apparmor/features/domain/stack contains "yes"
      - And /sys/kernel/security/apparmor/features/domain/version is 1.2 or
        higher
      - Then continue execing the script, otherwise exit 0

  John suggested he could add a file which would provide a more reliable
  way to do this check ^

  In either case, we need this change so that containers can behave more like
  normal systems as far as apparmor is concerned. That change should also be
  SRUed back to Xenial at the same time the kernel support for stacking is
  pushed.

  This bug is effectively a blocker for snapd inside LXD as without
  this, snap-confine and snapd itself will not be confined after
  container restart.
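The three-step container check proposed in the description above, as an added shell example; this is not the init-script code that shipped in apparmor 2.10.95-4ubuntu5. The optional root-directory argument is an assumption added so the function can be exercised against a constructed tree instead of the live /proc and /sys.

```shell
#!/bin/sh
# Added example, not the apparmor package's own init-script code.
# Load policy only if the caller is unconfined, the kernel advertises profile
# stacking, and the domain feature version is at least 1.2.
# ROOT (assumed, optional) prefixes the /proc and /sys paths so the check can
# be run against a constructed tree. Returns 0 when policy loading should
# proceed and 1 when the init script should skip it.
apparmor_container_check() {
    root="${1:-}"
    current="$root/proc/self/attr/current"
    stack="$root/sys/kernel/security/apparmor/features/domain/stack"
    version="$root/sys/kernel/security/apparmor/features/domain/version"

    # 1. /proc/self/attr/current must say "unconfined": a confined task inside
    #    a container cannot load policy into its namespace.
    [ -r "$current" ] || return 1
    [ "$(cat "$current" 2>/dev/null)" = unconfined ] || return 1

    # 2. The kernel must report that profile stacking is supported.
    [ -r "$stack" ] || return 1
    grep -qx yes "$stack" || return 1

    # 3. features/domain/version must be 1.2 or higher (major.minor compare;
    #    a bare "N" is treated as "N.0", anything non-numeric fails closed).
    [ -r "$version" ] || return 1
    v="$(cat "$version" 2>/dev/null || true)"
    case "$v" in *.*) ;; *) v="$v.0" ;; esac
    major="${v%%.*}"
    minor="${v#*.}"; minor="${minor%%.*}"
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 2 ]; }; then
        return 0
    fi
    return 1
}
```

In the init script the call site would be `apparmor_container_check || exit 0`, matching the "otherwise exit 0" step of the proposal.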
