[apparmor] Mount restrictions with upstream kernel (lxc)
Devon B.
devon.b at virtualcomplete.com
Fri Feb 20 16:29:10 UTC 2015
I'm trying to run AppArmor (2.9.1) against a custom upstream kernel
(3.18.7) but I'm unable to get mount restrictions working.
According to:
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Mount_rules_.28AppArmor_2.8_and_later.29,
mount rules should work since 2.8 but I don't see any reference to
kernel releases or options and the mount rules I have set in my profile
don't appear to be working.
When starting LXC containers, I receive the error:
lxc-start: lsm/apparmor.c: apparmor_process_label_set: 169 If you really
want to start this container, set
lxc-start: lsm/apparmor.c: apparmor_process_label_set: 170
lxc.aa_allow_incomplete = 1
lxc-start: lsm/apparmor.c: apparmor_process_label_set: 171 in your
container configuration file
I traced this back to the upstream kernel not supporting mount
restrictions.
Am I missing an option when configuring the kernel or are there any
patches available for mount restrictions?
Thanks in advance,
Devon
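The following check is an added example and is not part of the post above. It reads the kernel's AppArmor feature tree under securityfs (`/sys/kernel/security/apparmor/features`) and reports whether a `mount` feature entry is present, which is what an lxc-start refusal like the one quoted above hinges on; the default path is the real one, and the function takes an alternative directory so it can be exercised against a constructed tree. The function names and exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example, not code from the post, AppArmor or LXC. Checks whether the
# running kernel advertises AppArmor mount mediation. When a profile carries
# mount rules but the kernel lacks this feature, the rules are silently not
# enforced, and lxc-start refuses to start the container unless
# lxc.aa_allow_incomplete = 1 is set in the container configuration.

# Real location of the feature tree on Linux (securityfs must be mounted).
AA_FEATURES_DEFAULT=/sys/kernel/security/apparmor/features

# aa_mount_mediation_status [features_dir]
#   exit 0: mount mediation advertised by the kernel
#   exit 1: AppArmor feature tree present, but no "mount" entry
#   exit 2: feature tree missing (AppArmor disabled or securityfs not mounted)
aa_mount_mediation_status() {
    features_dir="${1:-$AA_FEATURES_DEFAULT}"
    if [ ! -d "$features_dir" ]; then
        return 2
    fi
    if [ -d "$features_dir/mount" ]; then
        return 0
    fi
    return 1
}

# aa_mount_mediation_report [features_dir]
# Prints a one-line verdict; its exit code mirrors aa_mount_mediation_status,
# so it can gate container start scripts or configuration management.
aa_mount_mediation_report() {
    rc=0
    aa_mount_mediation_status "$1" || rc=$?
    case $rc in
        0) echo "AppArmor mount mediation: supported" ;;
        1) echo "AppArmor mount mediation: NOT supported by this kernel" \
                "(profile mount rules are not enforced; lxc-start needs" \
                "lxc.aa_allow_incomplete = 1 to proceed)" ;;
        *) echo "AppArmor feature tree not found at ${1:-$AA_FEATURES_DEFAULT}" \
                "(AppArmor disabled or securityfs not mounted)" ;;
    esac
    return $rc
}

# aa_feature_list [features_dir]
# Lists the top-level feature entries the kernel exposes, one per line, so the
# output can be compared against what a profile actually relies on.
aa_feature_list() {
    features_dir="${1:-$AA_FEATURES_DEFAULT}"
    [ -d "$features_dir" ] || return 2
    for entry in "$features_dir"/*; do
        [ -e "$entry" ] || continue
        basename "$entry"
    done
    return 0
}

# When run directly, report on the live system; "|| :" keeps a negative
# verdict from aborting a shell that has set -e enabled.
aa_mount_mediation_report || :
```

On a kernel without mount mediation the report prints the "NOT supported" line and exits 1, which is the situation the quoted lxc-start message describes; the feature list shows which mediation classes the kernel does offer, so the profile can be compared against them before deciding whether `lxc.aa_allow_incomplete = 1` is acceptable for that container.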