Unable to load another apparmor profile from /etc/apparmor.d/lxc/

Bug #969228 reported by Stéphane Graber
Affects             Status        Importance  Assigned to  Milestone
apparmor (Ubuntu)   Invalid       High        Unassigned
lxc (Ubuntu)        Fix Released  High        Unassigned

Bug Description

I'm trying to set another apparmor profile for a specific container, so I set lxc.aa_profile to lxc-upgrader01 and simply copied the default profile for now, but when reloading apparmor it fails...

=====
root@athos:/etc/apparmor.d/lxc# ls
lxc-default
root@athos:/etc/apparmor.d/lxc# /etc/init.d/apparmor reload
 * Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: sbin.dhclient
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
 [ OK ]
root@athos:/etc/apparmor.d/lxc# dmesg -c
[123440.717875] type=1400 audit(1333115077.171:102): apparmor="STATUS" operation="profile_replace" name="/usr/bin/lxc-start" pid=19479 comm="apparmor_parser"
[123440.743692] type=1400 audit(1333115077.195:103): apparmor="STATUS" operation="profile_replace" name="lxc-container-default" pid=19477 comm="apparmor_parser"
[123440.908215] type=1400 audit(1333115077.363:104): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/ntpd" pid=19480 comm="apparmor_parser"
[123440.947041] type=1400 audit(1333115077.399:105): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/tcpdump" pid=19482 comm="apparmor_parser"
root@athos:/etc/apparmor.d/lxc# mv /root/lxc-upgrader01 .
root@athos:/etc/apparmor.d/lxc# diff -Nrup lxc-default lxc-upgrader01
--- lxc-default 2012-03-30 13:38:30.966724366 +0000
+++ lxc-upgrader01 2012-03-30 13:38:49.389578258 +0000
@@ -1,6 +1,7 @@
 #include <tunables/global>

-profile lxc-container-default flags=(attach_disconnected) {
+profile lxc-container-upgrader01 flags=(attach_disconnected) {
+
   network,
   capability,
   file,
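Review bot: the new fragment keeps `#include <tunables/global>` at its first line, the same include the context line shows in lxc-default, so once /etc/apparmor.d/lxc-containers pulls in both files from lxc/ the tunables are parsed twice and the variable assignments in tunables/home are redefined, which is the `unexpected TOK_SET_VAR, expecting TOK_ID` error in the reload that follows. Drop the include from each per-container fragment and keep a single copy at the top of lxc-containers, so that adding a second profile file under lxc/ no longer breaks policy loading.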
root@athos:/etc/apparmor.d/lxc# /etc/init.d/apparmor reload
 * Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: sbin.dhclient
AppArmor parser error for /etc/apparmor.d/lxc-containers in /etc/apparmor.d/tunables/home at line 16: syntax error, unexpected TOK_SET_VAR, expecting TOK_ID
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
 [fail]
root@athos:/etc/apparmor.d/lxc# dmesg -c
[123465.749549] type=1400 audit(1333115102.202:106): apparmor="STATUS" operation="profile_replace" name="/usr/bin/lxc-start" pid=20414 comm="apparmor_parser"
[123465.968228] type=1400 audit(1333115102.422:107): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/ntpd" pid=20415 comm="apparmor_parser"
[123465.984424] type=1400 audit(1333115102.438:108): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/tcpdump" pid=20421 comm="apparmor_parser"
[123466.025319] type=1400 audit(1333115102.478:109): apparmor="STATUS" operation="profile_remove" name="lxc-container-default" pid=20561 comm="apparmor"
root@athos:/etc/apparmor.d/lxc# ls
lxc-default lxc-upgrader01
root@athos:/etc/apparmor.d/lxc#

Stéphane Graber (stgraber) wrote :

Also opening against apparmor as it's not clear whether it's lxc's or apparmor's fault.

Serge Hallyn (serge-hallyn) wrote :

Oh, this might be my fault. If you remove the

#include <tunables/global>

from your new profile, does that work?

Changed in apparmor (Ubuntu):
importance: Undecided → High
Changed in lxc (Ubuntu):
importance: Undecided → High
status: New → Incomplete
Changed in apparmor (Ubuntu):
status: New → Incomplete
Serge Hallyn (serge-hallyn) wrote :

If I pull the #include <tunables/global> from both container profiles and put it at top of /etc/apparmor.d/lxc-containers, then it works.

I don't want to lose the ability for users to load just a new container profile. But as there's no #ifdef I can trigger the #include on, perhaps it's best to tell users to either /etc/init.d/apparmor reload, or apparmor_parser -r /etc/apparmor.d/lxc-containers.

Changed in lxc (Ubuntu):
status: Incomplete → Confirmed
Changed in apparmor (Ubuntu):
status: Incomplete → Invalid
Steve Beattie (sbeattie) wrote :

Hi, can you attach the profiles in question? That will help in diagnosing the issue.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu48

---------------
lxc (0.7.5-3ubuntu48) precise; urgency=low

  * debian/lxc-default.apparmor: explicitly silence warnings about attempting
    to mount debugfs to /var/lib/ureadahead/debugfs/.
  * 0066-confile-typo: fix typo
  * debian/lxc.apparmor: allow transition to unconfined
  * 0067-templates-lxc-profile: leave a comment in container configs we
    create to show how to run it unconfined
  * debian/lxc-containers.apparmor: move #include <tunables/global> from
    debian/lxc-default.apparmor here to prevent policy loading errors when
    more container profiles are defined (LP: #969228)
  * debian/lxc-default.apparmor: remove obsolete FIXME comment
 -- Serge Hallyn <email address hidden> Fri, 30 Mar 2012 15:35:07 -0500

Changed in lxc (Ubuntu):
status: Confirmed → Fix Released
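The failure mode Serge describes and the changelog fixes (every file under lxc/ carrying its own `#include <tunables/global>`, so that lxc-containers pulls the tunables in twice) can be caught before reloading policy. The lint below is an added example, not code from the bug report or the lxc package; it builds a constructed copy of both layouts in a temporary directory and follows includes itself instead of calling apparmor_parser, treating anything under tunables/ as a leaf.

```python
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*#include\s+<([^>]+)>")

def includes_of(path):
    """Targets of '#include <...>' lines in one policy file."""
    with open(path) as fh:
        matches = [INCLUDE_RE.match(line) for line in fh]
    return [m.group(1) for m in matches if m]

def expand(root, target):
    """Files an include resolves to; a directory include means every file in it."""
    full = os.path.join(root, target)
    if os.path.isdir(full):
        return [os.path.join(full, n) for n in sorted(os.listdir(full))]
    return [full]

def duplicated_tunables(root, top):
    """Names under tunables/ that would be parsed more than once when 'top'
    is loaded. Tunables are leaves; every other include is followed."""
    counts = {}
    def walk(path):
        for target in includes_of(path):
            if target.startswith("tunables/"):
                counts[target] = counts.get(target, 0) + 1
            else:
                for child in expand(root, target):
                    walk(child)
    walk(os.path.join(root, top))
    return sorted(t for t, n in counts.items() if n > 1)

def build_layout(fixed):
    """Constructed tree mirroring the report: lxc-containers includes lxc/, which
    holds two profiles. fixed=False puts the tunables include in each fragment;
    fixed=True holds it once in lxc-containers, as the changelog describes."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "lxc"))
    tun = "#include <tunables/global>\n"
    with open(os.path.join(root, "lxc-containers"), "w") as fh:
        fh.write((tun if fixed else "") + "#include <lxc>\n")
    for name in ("lxc-default", "lxc-upgrader01"):
        body = "profile lxc-container-%s flags=(attach_disconnected) {\n" % name[4:]
        with open(os.path.join(root, "lxc", name), "w") as fh:
            fh.write(("" if fixed else tun) + body + "  network,\n  capability,\n  file,\n}\n")
    return root

def check(fixed):
    return duplicated_tunables(build_layout(fixed), "lxc-containers")
```

Running `check(False)` reports `tunables/global` as included twice, which is the layout that failed in the report; `check(True)` reports nothing.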