[apparmor] Mount restrictions with upstream kernel (lxc)

John Johansen john.johansen at canonical.com
Fri Feb 20 23:25:19 UTC 2015


On 02/20/2015 08:29 AM, Devon B. wrote:
> I'm trying to run AppArmor (2.9.1) against a custom upstream kernel
> (3.18.7) but I'm unable to get mount restrictions working. 
> 
> According to:
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Mount_rules_.28AppArmor_2.8_and_later.29,
> mount rules should work since 2.8 but I don't see any reference to
> kernel releases or options and the mount rules I have set in my profile
> don't appear to be working.
> 
Correct, the apparmor userspace since 2.8 supports mount restrictions,
but the kernel must also have support enabled.

> When starting LXC containers, I receive the error:
> lxc-start: lsm/apparmor.c: apparmor_process_label_set: 169 If you really
> want to start this container, set
> lxc-start: lsm/apparmor.c: apparmor_process_label_set: 170
> lxc.aa_allow_incomplete = 1
> lxc-start: lsm/apparmor.c: apparmor_process_label_set: 171 in your
> container configuration file
> 
> Which I traced back to showing that the upstream kernel doesn't support
> mount restrictions.
> 
> Am I missing an option when configuring the kernel or are there any
> patches available for mount restrictions?
> 
The patchset to support mount restrictions has not been submitted to
upstream yet.

If you would like I can point you at the patchset that is currently
being used to add mount restrictions, however it is very large.
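As an added illustration (not part of the thread, and not LXC's or AppArmor's own code): the practical way to tell whether a running kernel actually mediates mount rules is to look at what the kernel advertises under securityfs rather than at the userspace version. The script below assumes the feature directory lives at /sys/kernel/security/apparmor/features and that a kernel with mount mediation exposes a "mount" subdirectory there; it builds two constructed fake feature trees so it can run offline.

```shell
# Added example (not from the thread): report whether the kernel exposes
# AppArmor mount mediation. Userspace >= 2.8 parses mount rules, but they
# are only enforced when the kernel advertises the feature; otherwise
# lxc-start refuses unless lxc.aa_allow_incomplete = 1 is set.

# Returns 0 if the features directory given as $1 advertises mount
# mediation, 1 otherwise. Default is the assumed real securityfs path.
aa_mount_feature_enabled() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    [ -d "$features_dir/mount" ]
}

# Human-readable verdict for the given features directory.
# Exit status: 0 supported, 1 not supported, 2 AppArmor features absent.
aa_mount_report() {
    features_dir="${1:-/sys/kernel/security/apparmor/features}"
    if [ ! -d "$features_dir" ]; then
        echo "apparmor: no features directory at $features_dir (AppArmor off or securityfs not mounted)"
        return 2
    fi
    if aa_mount_feature_enabled "$features_dir"; then
        echo "mount mediation: supported, profile mount rules are enforced"
        return 0
    fi
    echo "mount mediation: NOT supported by this kernel, mount rules are parsed but not enforced"
    return 1
}

# Constructed sample trees standing in for two kernels so the check can be
# exercised offline: a patched kernel that advertises the mount feature,
# and a plain upstream kernel (as in the thread) that does not.
make_fake_features() {
    dir="$1"; with_mount="$2"
    mkdir -p "$dir/file" "$dir/network"
    if [ "$with_mount" = yes ]; then
        mkdir -p "$dir/mount"
    fi
    echo "$dir"
}
```

On a real host, run `aa_mount_report` with no argument to check the live kernel.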