[apparmor] KVM + AppArmor

John Johansen john.johansen at canonical.com
Mon Feb 27 21:17:34 UTC 2012

On 02/27/2012 12:20 AM, Jeroen Ooms wrote:
> Hi John,
> Thank you for your elaborate answer. An additional problem I would like to avoid which am experiencing on slicehost is that the version of the kernel is incompatible with the version of apparmor on the guest. I am running Ubuntu 11.10 on the guest, but the kernel that I am getting is old and I can't update is :-/ Looks like they're using Xen:
Okay, this is unfortunately a Xen issue where you don't get to control the guest kernel.  Even under Xen paravirt ops the host kernel doesn't matter, its the guest kernel that should.  With that said, Xen traditionally had a split where the guest kernel image was specified to the host at boot separate from the OS image, you would not get your normal kernel, nor could you upgrade it from within the guest.

We had this problem on Amazon's EC2 before they rolled out support for pv-grub, which allows cloud images to behave pretty much like desktop/server images including updating the kernel and rebooting.  So you should be able to avoid this problem if you can get them to provide an updated guest kernel or if they will allow you to boot via pv-grub.  This may or not be problematic as some providers do not like to any old guest kernel to run.

you can check what the current kernels version string is using

uname -a

you can check if apparmor is enabled/even present in the kernel by looking at


if that file is not present the kernel was not built with apparmor support

if that file is present but does not report


then apparmor was not enabled at boot.  You can find what features are supported
by the version of apparmor in the kernel by looking in


Note: the last two checks assume that securityfs is mounted on /sys/kernel/security
you can verify this by checking mount
  > mount
  /dev/sda1 on / type ext4 (rw,errors=remount-ro)
  proc on /proc type proc (rw,noexec,nosuid,nodev)
  sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
  none on /sys/fs/fuse/connections type fusectl (rw)
  none on /sys/kernel/debug type debugfs (rw)
  none on /sys/kernel/security type securityfs (rw)     <===== this line

if this is not the case, you can manually mount it doing
  mount -t securityfs none /sys/kernel/security

though if apparmor is present its init scripts should be mounting it

> jeroen at opencpu-beta2:~$ uname -a
> Linux opencpu-beta2 #8 SMP Mon Sep 20 15:54:33 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
> jeroen at opencpu-beta2:~$ dmesg | grep -i xen
> [    0.000000] Command line: root=/dev/sda1 ro xencons=tty console=tty1 clocksource=acpi_pm
> [    0.000000]  Xen: 0000000000000000 - 00000000000a0000 (usable)
> [    0.000000]  Xen: 00000000000a0000 - 0000000000100000 (reserved)
> [    0.000000]  Xen: 0000000000100000 - 0000000020000000 (usable)
> [    0.000000] Booting paravirtualized kernel on Xen
> [    0.000000] Xen version: 3.3.0 (preserve-AD)
> [    0.000000] Xen: using vcpu_info placement
> [    0.000000] Kernel command line: root=/dev/sda1 ro xencons=tty console=tty1 clocksource=acpi_pm
> [    0.000000]   #1 [00025e2000 - 00025f9000]  XEN PAGETABLES
> [    0.000000]   #4 [00024df000 - 00025e2000]  XEN START INFO
> [    0.000000] Xen: using vcpuop timer interface
> [    0.000000] installing Xen timer for CPU 0
> [    0.030297] installing Xen timer for CPU 1
> [    0.054663] installing Xen timer for CPU 2
> [    0.054883] installing Xen timer for CPU 3
> [    0.060178] xen_balloon: Initialising balloon driver.
> [    0.070325] Switching to clocksource xen
> [    0.151720] Initialising Xen virtual ethernet driver.
> [    0.280072] XENBUS: Device with no driver: device/console/0

More information about the AppArmor mailing list