It actually seems like a bug in aa-status. Note that /sys/kernel/security/apparmor/profiles is not readable by non-root users on the host. Yet non-root users on the host do not see a python traceback when they run 'aa-status --enable'. This also suggests that a container should not provide read access to the file.

(Note that the traceback doesn't happen as root in an unprivileged container - there it quietly exits 4 just like for any unprivileged user)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1270784

Title:
  aa-status --enabled failed in LXC container with Permission denied: '/sys/kernel/security/apparmor/profiles'

Status in “lxc” package in Ubuntu:
  Incomplete

Bug description:
  In an up to date Trusty container install apparmor and run:

  root@trusty-amd64:~# aa-status --enabled
  Traceback (most recent call last):
    File "/usr/sbin/aa-status", line 194, in <module>
      commands[cmd]()
    File "/usr/sbin/aa-status", line 17, in cmd_enabled
      if get_profiles() == {}:
    File "/usr/sbin/aa-status", line 92, in get_profiles
      for p in open(apparmor_profiles).readlines():
  PermissionError: [Errno 13] Permission denied: '/sys/kernel/security/apparmor/profiles'

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: apparmor 2.8.0-0ubuntu38
  ProcVersionSignature: Ubuntu 3.13.0-4.19-generic 3.13.0-rc8
  Uname: Linux 3.13.0-4-generic x86_64
  ApportVersion: 2.13.1-0ubuntu1
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Mon Jan 20 11:26:01 2014
  KernLog:
   Jan 20 08:03:53 sark kernel: [163212.225370] type=1400 audit(1390201433.425:86): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=16135 comm="apparmor_parser"
   Jan 20 08:03:53 sark kernel: [163212.225382] type=1400 audit(1390201433.425:87): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=16135 comm="apparmor_parser"
   Jan 20 08:03:53 sark kernel: [163212.225931] type=1400 audit(1390201433.425:88): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=16135 comm="apparmor_parser"
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-4-generic root=UUID=cf89ba34-108b-404d-9804-32d54a1df2ea ro quiet splash vt.handoff=7
  SourcePackage: apparmor
  Syslog:
  UpgradeStatus: Upgraded to trusty on 2012-01-31 (719 days ago)
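
An added example, not part of the original message and not the aa-status source: one way an `--enabled` style check can turn the denied read from the traceback into the quiet exit status 4 mentioned above. The function names, the `opener` parameter and the `name (mode)` line format are assumptions of this sketch; exit statuses other than 4 follow the aa-status man page.

```python
import re
import sys

# Path taken from the traceback in the bug report.
APPARMOR_PROFILES = "/sys/kernel/security/apparmor/profiles"

# Exit status 4 is the one cited in the report; 0, 2 and 3 follow the
# aa-status man page (assumption of this example, not stated on the page).
EXIT_ENABLED, EXIT_NO_POLICY, EXIT_NO_SECURITYFS, EXIT_NO_PRIVILEGE = 0, 2, 3, 4

# Assumed line format of the profiles file: "/usr/sbin/cupsd (enforce)".
_LINE = re.compile(r"^(?P<name>.+) \((?P<mode>\w+)\)$")


def parse_profiles(lines):
    """Map profile name -> mode, skipping lines that do not match."""
    profiles = {}
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            profiles[m.group("name")] = m.group("mode")
    return profiles


def cmd_enabled(path=APPARMOR_PROFILES, opener=open):
    """Return an exit status; `opener` is a hypothetical hook for testing."""
    try:
        with opener(path) as fh:
            profiles = parse_profiles(fh)
    except FileNotFoundError:
        return EXIT_NO_SECURITYFS
    except PermissionError:
        # Root inside a container can still be denied: report it, no traceback.
        return EXIT_NO_PRIVILEGE
    return EXIT_ENABLED if profiles else EXIT_NO_POLICY


def denied_opener(path):
    # Constructed stand-in for the EACCES seen inside the container.
    raise PermissionError(13, "Permission denied", path)


if __name__ == "__main__":
    sys.exit(cmd_enabled())
```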

