[apparmor] Mount restrictions with upstream kernel (lxc)
Devon B.
devon.b at virtualcomplete.com
Sat Feb 28 02:47:58 UTC 2015
John,
Are you able to point me to the patchset for mount restrictions?
Thank you.
> John Johansen <mailto:john.johansen at canonical.com>
> Friday, February 20, 2015 6:25 PM
> On 02/20/2015 08:29 AM, Devon B. wrote:
>> I'm trying to run AppArmor (2.9.1) against a custom upstream kernel
>> (3.18.7) but I'm unable to get mount restrictions working.
>>
>> According to:
>> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Mount_rules_.28AppArmor_2.8_and_later.29,
>> mount rules should work since 2.8 but I don't see any reference to
>> kernel releases or options and the mount rules I have set in my profile
>> don't appear to be working.
>>
> Correct, the apparmor userspace since 2.8 supports mount restrictions,
> but the kernel must also have support enabled.
>
>> When starting LXC containers, I receive the error:
>> lxc-start: lsm/apparmor.c: apparmor_process_label_set: 169 If you really want to start this container, set
>> lxc-start: lsm/apparmor.c: apparmor_process_label_set: 170 lxc.aa_allow_incomplete = 1
>> lxc-start: lsm/apparmor.c: apparmor_process_label_set: 171 in your container configuration file
>>
>> Which I traced back to showing that the upstream kernel doesn't support
>> mount restrictions.
>>
>> Am I missing an option when configuring the kernel or are there any
>> patches available for mount restrictions?
>>
> The patchset to support mount restrictions has not been submitted
> upstream yet.
>
> If you would like I can point you at the patchset that is currently
> being used to add mount restrictions, however it is very large.
>
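The point of John's reply is that the userspace parser accepting mount rules says nothing about whether the running kernel mediates mounts; that is decided by the kernel build, and lxc-start refuses to start (the apparmor_process_label_set message above) when the kernel lacks it. The following shell functions are an added example, not code from the thread, lxc or the AppArmor project. They check the same securityfs entry that lxc-start consults, `features/mount/mask` under the AppArmor features directory, and grep a kernel config for `CONFIG_SECURITY_APPARMOR`. The features directory is a parameter so the check can be run against a constructed tree; the sample mask contents and the `make_sample_tree` helper are constructed for illustration, not real kernel output.

```shell
#!/bin/sh
# Check whether the running kernel's AppArmor exposes mount mediation.
# The features directory is taken as an argument so the functions can be
# exercised against a constructed tree; on a live system pass
# /sys/kernel/security/apparmor/features (securityfs must be mounted).

# aa_has_mount_mediation FEATURES_DIR
#   prints "yes" and returns 0 when the kernel exposes mount mediation,
#   prints "no" and returns 1 otherwise (this is the case that makes
#   lxc-start demand lxc.aa_allow_incomplete = 1).
aa_has_mount_mediation() {
    features_dir=$1
    if [ -r "$features_dir/mount/mask" ]; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# aa_mount_mask FEATURES_DIR
#   prints the mount permission mask the kernel advertises, or
#   "unsupported" when there is no mount feature at all.
aa_mount_mask() {
    if [ -r "$1/mount/mask" ]; then
        cat "$1/mount/mask"
    else
        echo unsupported
    fi
}

# aa_kernel_config_has_apparmor CONFIG_FILE
#   returns 0 when CONFIG_SECURITY_APPARMOR=y is set in a kernel .config
#   (or /boot/config-$(uname -r)). Note that this option alone does not
#   imply mount mediation; that needs the out-of-tree patchset.
aa_kernel_config_has_apparmor() {
    grep -q '^CONFIG_SECURITY_APPARMOR=y$' "$1"
}

# make_sample_tree DIR with-mount|without
#   Constructed sample features tree for demonstration (hypothetical
#   helper; the mask text below is made up, not real kernel output).
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/file" "$dir/capability"
    if [ "$2" = with-mount ]; then
        mkdir -p "$dir/mount"
        printf 'mount umount pivot_root\n' > "$dir/mount/mask"
    fi
}

# Stand-alone run: compare a constructed "upstream" tree (no mount
# feature, like the 3.18.7 kernel in the thread) with a "patched" one.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/upstream" without
    make_sample_tree "$tmp/patched" with-mount
    echo "upstream: $(aa_has_mount_mediation "$tmp/upstream") ($(aa_mount_mask "$tmp/upstream"))"
    echo "patched:  $(aa_has_mount_mediation "$tmp/patched") ($(aa_mount_mask "$tmp/patched"))"
    rm -rf "$tmp"
fi
```

On a real host, `aa_has_mount_mediation /sys/kernel/security/apparmor/features` answers the question in the thread directly: "no" on an unpatched upstream kernel regardless of which AppArmor userspace version is installed, so any `mount` rules in the profile are parsed but never enforced.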