[Bug 978297] Re: apparmor should quietly return success in a container
Launchpad Bug Tracker
978297 at bugs.launchpad.net
Thu Apr 12 16:27:01 UTC 2012
This bug was fixed in the package apparmor - 2.7.102-0ubuntu3
---------------
apparmor (2.7.102-0ubuntu3) precise; urgency=low
[ Jamie Strandboge ]
* debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5)
to describe Ubuntu's two-stage policy load and how to add utilize it
when developing policy (LP: #974089)
[ Serge Hallyn ]
* debian/apparmor.init: do nothing in a container. This can be
removed once stacked profiles are supported and used by lxc.
(LP: #978297)
[ Steve Beattie ]
* debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping
for change_profile onexec (LP: #963756)
* debian/patches/0009-apparmor-lp959560-part1.patch,
debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser
to support the 'in' keyword for value lists, and make mount
operations aware of 'in' keyword so they can affect the flags build
list (LP: #959560)
* debian/patches/0011-apparmor-lp872446.patch: fix logprof missing
exec events in complain mode (LP: #872446)
* debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in
dovecot imap-login profile (LP: #978584)
* debian/patches/0013-apparmor-lp800826.patch: fix libapparmor
log parsing library from dropping apparmor network events that
contain ip addresses or ports in them (LP: #800826)
* debian/patches/0014-apparmor-lp979095.patch: document new mount rule
syntax and usage in apparmor.d(5) manpage (LP: #979095)
* debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec
for profiles without attachment specification (LP: #963756,
LP: #978038)
* debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when
loading policy to kernels without compat patches (LP: #968956)
* debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to
grant access to /proc/attr api (LP: #979135)
-- Steve Beattie <sbeattie at ubuntu.com> Thu, 12 Apr 2012 06:17:42 -0500
** Changed in: apparmor (Ubuntu Precise)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/978297
Title:
apparmor should quietly return success in a container
Status in “apparmor” package in Ubuntu:
Fix Released
Status in “upstart” package in Ubuntu:
Fix Released
Status in “apparmor” source package in Precise:
Fix Released
Status in “upstart” source package in Precise:
Fix Released
Bug description:
In precise, containers are not allowed to load profiles. This will be
allowed later, but for now apparmor should not prevent things from
starting in a container because of failures to load or transition to
profiles.
1. /etc/init.d/apparmor should return 0 if in a container
2. /lib/init/apparmor-profile-load should do nothing and return 0 if
in a container.
Since the container is already locked into a (customizable) container
profile, this is ok.
(Note that admins can have containers running unconfined and with all
capabilities, but that is a special case.)
THis is needed for bug 978147.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/978297/+subscriptions
More information about the foundations-bugs
mailing list