My current situation matches John's comment: since the host is Xenial,
in my case everything "would" run just fine, and it does seem to work, except
for the fact that, while the profiles load fine at install time because the
postinst loads them, on reboot they are skipped.
In a non-representative scan of /var/lib/dpkg/info on my system I found my
assumption confirmed that many packages call apparmor_parser to load
profiles in their postinst.
I'm sure there are more, but for me that would be: "cups-browsed cups-daemon
digikam firefox haveged ippusbxd isc-dhcp-client libvirt-daemon-system
libvirt-daemon-system libvirt-daemon-system lxc-common ntp rsyslog snap-confine
squid tcpdump telepathy-mission-control-5"
I checked if libvirt might be special here, but it is not.
They all seem to use the same guard, which is "aa-status --enabled".
In the past "running-in-container" was always true at the same time that
"aa-status --enabled" was false, so the behavior of all the postinsts matched
what the service did on reboot.
But that is no longer true: on a recent kernel/LXD, "aa-status --enabled" is true
in the container.
I like that LXD tries to stay neutral to the image, but I wonder if in apparmor
init the old check of "running-in-container" could/should be replaced with a
check more similar to "aa-status --enabled".
Eventually the code for newer releases does just that, as it lets LXD with stacked
namespaces through via the latter check in:
if systemd-detect-virt --quiet --container && \
! is_container_with_internal_policy; then
So could there be a "is_container_with_internal_policy" version for
trusty that fixes all packages at once?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1686612
Title:
Stacked profiles fail to reload in Trusty LXD containers
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1686612/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
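The guard quoted in the comment above, as an added worked example that is not part of the bug thread and not the apparmor package's own init code. It models the decision "skip profile loading in a container unless the container has its own stacked AppArmor policy namespace" against a directory standing in for the AppArmor securityfs mount. The file names `.ns_stacked` and `.ns_name`, the `lxd-`/`lxc-` namespace prefixes, and the function names `is_container_with_internal_policy`, `profile_load_decision` and `make_fixture` are assumptions made for illustration; the "container"/"host" argument stands in for the result of `systemd-detect-virt --container`, and the fixture directories are constructed, not read from a real system.

```shell
#!/bin/sh
# Added example modelling the init-script guard discussed in the bug thread.
# Not the apparmor package's own code. Securityfs file names (.ns_stacked,
# .ns_name) and the lxd-/lxc- namespace prefixes are assumptions.

# Return 0 when the securityfs directory $1 describes a container running
# inside its own stacked AppArmor policy namespace, 1 otherwise.
is_container_with_internal_policy() {
    icip_sfs="$1"
    # Old kernels expose neither file: no namespace information, no policy.
    [ -f "$icip_sfs/.ns_stacked" ] && [ -f "$icip_sfs/.ns_name" ] || return 1
    read -r icip_stacked < "$icip_sfs/.ns_stacked"
    [ "$icip_stacked" = "yes" ] || return 1
    # Only namespaces set up by LXD/LXC count as "internal policy".
    read -r icip_name < "$icip_sfs/.ns_name"
    case "$icip_name" in
        lxd-*|lxc-*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print "skip" or "load" for the profile-loading step of the init script.
# $1: "container" or "host" (stand-in for systemd-detect-virt --container)
# $2: securityfs directory to inspect
profile_load_decision() {
    if [ "$1" = "container" ] && ! is_container_with_internal_policy "$2"; then
        echo skip
    else
        echo load
    fi
}

# Build a constructed securityfs fixture in directory $1.
# $2: value for .ns_stacked, or "" to create no namespace files at all
# $3: value for .ns_name
make_fixture() {
    mkdir -p "$1"
    rm -f "$1/.ns_stacked" "$1/.ns_name"
    if [ -n "$2" ]; then
        printf '%s\n' "$2" > "$1/.ns_stacked"
        printf '%s\n' "$3" > "$1/.ns_name"
    fi
}

# Demonstration on constructed fixtures (nothing here touches the real
# /sys/kernel/security/apparmor).
demo_dir=$(mktemp -d)
make_fixture "$demo_dir/old"   ""  ""        # old kernel: no namespace info
make_fixture "$demo_dir/lxd"   yes lxd-c1    # LXD container, stacked policy
make_fixture "$demo_dir/flat"  no  root      # container without stacking
printf 'old kernel, container: %s\n'     "$(profile_load_decision container "$demo_dir/old")"
printf 'stacked LXD, container: %s\n'    "$(profile_load_decision container "$demo_dir/lxd")"
printf 'unstacked, container: %s\n'      "$(profile_load_decision container "$demo_dir/flat")"
printf 'old kernel, host: %s\n'          "$(profile_load_decision host "$demo_dir/old")"
rm -rf "$demo_dir"
```

The point the example makes is the one raised in the comment: the old "running-in-container" test returns "skip" for every container, whereas the namespace-aware test returns "load" for the stacked LXD case and still "skip" for a container that has no policy namespace of its own.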