This is already available in noble. An SRU for jammy and focal (and
ideally bionic) would be nice.

** Changed in: apparmor (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu Focal)
       Status: New => Triaged

** Changed in: apparmor (Ubuntu Jammy)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2060535

Title:
  apparmor's is_container_with_internal_policy() does not recognize
  incus

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Bionic:
  Triaged
Status in apparmor source package in Focal:
  Triaged
Status in apparmor source package in Jammy:
  Triaged
Status in apparmor source package in Noble:
  Fix Released

Bug description:
  apparmor is not loading for Ubuntu containers under incus. This is due
  to `/lib/apparmor/rc.apparmor.functions` (18.04 uses
  `/lib/apparmor/functions`):

  is_container_with_internal_policy() {
      # this function is sometimes called independently of
      # is_apparmor_loaded(), so also define this here.
      local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
      local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
      local ns_stacked
      local ns_name

      if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
          return 1
      fi

      read -r ns_stacked < "$ns_stacked_path"
      if [ "$ns_stacked" != "yes" ]; then
          return 1
      fi

      # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
      # "lxc-", respectively. Return non-zero for all other namespace
      # identifiers.
      read -r ns_name < "$ns_name_path"
      if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
         [ "${ns_name#lxc-*}" = "$ns_name" ]; then
          return 1
      fi

      return 0
  }

  This can be fixed by adjusting it to have:

      # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-",
      # "lxc-", and "incus-" respectively. Return non-zero for all other
      # namespace identifiers.
      read -r ns_name < "$ns_name_path"
      if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
         [ "${ns_name#lxc-*}" = "$ns_name" ] && \
         [ "${ns_name#incus-*}" = "$ns_name" ] ; then
          return 1
      fi

  
  References:
  * https://github.com/lxc/incus/issues/740

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060535/+subscriptions
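
Added example, not part of the bug report or of the apparmor package: a harness that runs the prefix test quoted above, in its original and adjusted forms, against a fake mountpoint. The temporary directory standing in for SFS_MOUNTPOINT, the helper names ns_prefix_ok and check_container, and the sample namespace names are all constructed for illustration.

```shell
#!/bin/sh
# A temp directory stands in for the securityfs AppArmor mountpoint
# (assumption); the real mountpoint is never read or written.

# ns_prefix_ok MODE NAME -> returns 0 if NAME passes the prefix test.
# MODE "old" is the check quoted in the bug, "new" adds the incus- prefix.
ns_prefix_ok() {
    mode=$1 ns_name=$2
    if [ "${ns_name#lxd-*}" != "$ns_name" ] || \
       [ "${ns_name#lxc-*}" != "$ns_name" ]; then
        return 0
    fi
    [ "$mode" = "new" ] && [ "${ns_name#incus-*}" != "$ns_name" ]
}

# check_container MODE STACKED NAME -> prints "recognized" or "rejected".
# Writes .ns_stacked and .ns_name the way the function expects to read them.
check_container() {
    sfs=$(mktemp -d) || return 2
    printf '%s\n' "$2" > "$sfs/.ns_stacked"
    printf '%s\n' "$3" > "$sfs/.ns_name"
    read -r stacked < "$sfs/.ns_stacked"
    read -r name < "$sfs/.ns_name"
    rm -rf "$sfs"
    if [ "$stacked" = "yes" ] && ns_prefix_ok "$1" "$name"; then
        echo recognized
    else
        echo rejected
    fi
}

# Constructed namespace names, one per container manager plus a non-match.
for n in 'lxd-c1_<var-snap-lxd-common-lxd>' 'lxc-c1' \
         'incus-c1_<var-lib-incus>' 'docker-c1'; do
    printf '%-34s old=%-10s new=%s\n' "$n" \
        "$(check_container old yes "$n")" "$(check_container new yes "$n")"
done
```

Only the incus- row differs between the two columns; names that merely contain "incus-" without starting with it, and namespaces where .ns_stacked is not "yes", are rejected by both forms.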

