[apparmor] Regarding apparmor in container
John Johansen
john.johansen at canonical.com
Tue Oct 20 21:36:09 UTC 2020
On 10/20/20 1:58 PM, swarna latha wrote:
> Does it mean, we will not be able to get apparmor logs for applications running in container ?
>
Not necessarily, it will depend on how the container is set up.
> And container has its own dmesg buffer ?
>
No, it's just a matter of whether the container has access to the dmesg buffer.
> Are there any ways to use apparmor to generate profile for applications running in containers ?
>
yes. If the container has access to the kernel messages you can generate the profile in the container.
If it doesn't the host still has access and you can generate a profile on the host and then copy it
into the container, or you can copy the log into the container and use aa-logprof to generate a
profile from the log file.
> Thanks,
> Swarna
>
> On Tue, Oct 20, 2020 at 3:55 PM Simon Deziel <simon at sdeziel.info> wrote:
>
> On 2020-10-20 3:46 p.m., swarna latha wrote:
> > Thanks John for the quick reply.
> >
> > My kernel version is 4.1.51-1.19
> >
> > Tried below logging options, but didn't help. Not able to get logs, what is
> > blocking apparmor to play video.
> > echo -n "noquiet" /sys/module/apparmor/parameters/audit
> > echo 0> /sys/module/apparmor/parameters/debug
>
> So far, what I've seen with containers is that dmesg/kernel logs are
> only visible from the host's context, not the containers themselves.
>
> HTH,
> Simon
>
>
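
The host-side route described in the reply above (collect the log on the host, copy it into the container, run aa-logprof on the file), as an added example that is not part of the original message. The profile name `video-player`, the output path and the log lines are constructed for illustration; how the file is copied into the container depends on the container runtime.

```shell
#!/bin/sh
# Added example: filter AppArmor access events for one profile out of a host
# kernel log, so the result can be given to aa-logprof inside the container.

# Constructed sample of host kernel log lines (not taken from the thread).
sample_log() {
cat <<'EOF'
[  101.000001] audit: type=1400 audit(1603229769.100:41): apparmor="DENIED" operation="open" profile="video-player" name="/dev/video0" pid=2211 comm="player" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  101.000050] eth0: link up
[  102.000002] audit: type=1400 audit(1603229770.200:42): apparmor="ALLOWED" operation="open" profile="video-player" name="/usr/lib/libavcodec.so" pid=2211 comm="player" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  103.000003] audit: type=1400 audit(1603229771.300:43): apparmor="DENIED" operation="open" profile="other-app" name="/etc/shadow" pid=2300 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  104.000004] audit: type=1400 audit(1603229772.400:44): apparmor="STATUS" operation="profile_load" profile="unconfined" name="video-player" pid=2100 comm="apparmor_parser"
EOF
}

# extract_events PROFILE
# Reads a kernel log on stdin and prints only the DENIED/ALLOWED events whose
# profile= field is exactly PROFILE. STATUS lines (profile loads) are dropped
# even when they mention the profile in their name= field.
extract_events() {
    grep -E 'apparmor="(DENIED|ALLOWED)"' | grep -F "profile=\"$1\""
}

# count_events PROFILE: number of access events for PROFILE on stdin.
count_events() {
    extract_events "$1" | wc -l | tr -d ' '
}

# denied_paths PROFILE: unique name= values that were denied for PROFILE.
denied_paths() {
    extract_events "$1" | grep -F 'apparmor="DENIED"' |
        sed -n 's/.* name="\([^"]*\)".*/\1/p' | sort -u
}

# Demonstration on the constructed sample.
sample_log | extract_events video-player

# On a real host, where the kernel messages are readable:
#   dmesg | extract_events video-player > /tmp/video-player.aa.log
# Copy that file into the container, then inside the container:
#   aa-logprof -f /tmp/video-player.aa.log
```

An empty result for the profile on the host means no events were logged for it at all, which is a different problem from the container lacking access to the kernel messages.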