[apparmor] Regarding apparmor in container

John Johansen john.johansen at canonical.com
Tue Oct 20 20:51:59 UTC 2020


On 10/20/20 12:55 PM, Simon Deziel wrote:
> On 2020-10-20 3:46 p.m., swarna latha wrote:
>> Thanks john for the quick reply..
>>
>> My kernel version is 4.1.51-1.19
>>
>> Tried the logging options below, but it didn't help. Not able to get logs on what is
>> blocking apparmor from playing video.
>>  echo -n "noquiet" > /sys/module/apparmor/parameters/audit
>> echo 0 > /sys/module/apparmor/parameters/debug
> 
> So far, what I've seen with containers is that dmesg/kernel logs are
> only visible from the host's context, not the containers themselves.
> 

This is usually true. In addition, are you getting no apparmor logs, or
just no apparmor log for this issue? Those are two different things to
debug.

With that said, I suspect the issue is NO_NEW_PRIVS, see prctl(2). When
that is set apparmor cannot transition its profile, and will fail execs
that request a profile transition.

Looking at the 4.1 kernel, apparmor is not auditing NO_NEW_PRIVS
causing a failure in profile transitions (it's an external restriction
and not exactly part of apparmor), which would also align with what
you are seeing.

When it comes to NO_NEW_PRIVS on the 4.1 kernel you basically have
three choices.

1. Don't transition the profile, use ix

2. transition the profile before the container does
    prctl(PR_SET_NO_NEW_PRIVS).

3. If a container task is unconfined it can transition into a
   profile even after NO_NEW_PRIVS is set but once it does that it
   won't be able to transition the profile again.
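A small diagnostic for the situation described above, added here as an example and not part of the thread: it reads a task's NoNewPrivs flag from /proc/<pid>/status and its AppArmor label from /proc/<pid>/attr/current, and maps the pair onto the three outcomes John lists (transition blocked, one transition left for an unconfined task, transitions allowed). It assumes Linux /proc; older kernels such as the 4.1 one in the thread may not expose the NoNewPrivs field, in which case it reports "unknown".

```shell
#!/bin/sh
# Added example (not from the thread): NO_NEW_PRIVS vs AppArmor transition check.

# Parse the NoNewPrivs line out of /proc/<pid>/status (fed on stdin).
# Prints 0 or 1, or "unknown" on kernels that do not expose the field.
nnp_from_status() {
    awk '/^NoNewPrivs:/ { print $2; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Turn the contents of /proc/<pid>/attr/current (fed on stdin), e.g.
# "unconfined" or "lxc-container-default (enforce)", into a short verdict.
confinement_from_attr() {
    label=$(cat)
    case "$label" in
        unconfined|"") echo unconfined ;;
        *)             echo confined ;;
    esac
}

# Combine the two into the outcome described in the thread:
# NNP + confined  -> execs requesting a profile transition fail (use ix,
#                    or set the profile before NO_NEW_PRIVS)
# NNP + unconfined -> one transition into a profile is still possible
# no NNP           -> transitions allowed
verdict() {
    case "$1/$2" in
        1/confined)   echo "transitions blocked" ;;
        1/unconfined) echo "one transition left" ;;
        0/*)          echo "transitions allowed" ;;
        *)            echo "unknown" ;;
    esac
}

# Live check of one task (default: this shell). Tries the newer
# attr/apparmor/current path first, then the legacy attr/current.
check_task() {
    pid=${1:-self}
    nnp=$(nnp_from_status < "/proc/$pid/status")
    conf=$({ cat "/proc/$pid/attr/apparmor/current" 2>/dev/null ||
             cat "/proc/$pid/attr/current" 2>/dev/null; } | confinement_from_attr)
    printf 'pid=%s NoNewPrivs=%s apparmor=%s => %s\n' \
        "$pid" "$nnp" "$conf" "$(verdict "$nnp" "$conf")"
}

# Usage: sh check.sh --run [pid]   (run inside the container to inspect its tasks)
if [ "${1:-}" = --run ]; then check_task "${2:-self}"; fi
```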
