network-interface-security upstart job is not container aware
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ifupdown (Ubuntu) | Triaged | Low | Unassigned |
Bug Description
The network-
I don't see any negative side effects from this behavior, so I don't think this is a high priority bug. If this were to be fixed, the upstart job would need to check to see if it is running inside of a container and, if so, if the container is capable of loading its own AppArmor security policy. See https:/
This behavior can be seen with a 16.04 host, running lxd from either the archive or as a snap, and launching a 14.04 container. aa-status inside of the container will show:
```
$ lxd.lxc exec t aa-status
apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /sbin/dhclient
   /usr/
   /usr/
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (810)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
```
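The two checks the bug description says a fixed upstart job would need, written out as an added example in POSIX shell. This is not code from ifupdown, from the apparmor package, or from the reporter; it assumes the container markers that LXC/LXD and systemd set (`container=` in PID 1's environment, `/run/systemd/container`) and the `.ns_stacked` and `.ns_name` files AppArmor exposes under `/sys/kernel/security/apparmor` when policy namespaces are stacked. The optional path arguments are there only so the logic can be exercised against constructed files instead of the live kernel interfaces.

```shell
#!/bin/sh
# Added example (not ifupdown's or the reporter's code): the container and
# policy-namespace checks a network-interface-security pre-start script would
# need before calling apparmor_parser. Defaults are the real kernel paths;
# arguments override them for testing against constructed files.

# Container detection: LXC/LXD export container=... in PID 1's environment and
# systemd writes /run/systemd/container. Either is enough to say "container".
in_container() {
    environ="${1:-/proc/1/environ}"
    marker="${2:-/run/systemd/container}"
    [ -r "$marker" ] && return 0
    if [ -r "$environ" ] && tr '\0' '\n' < "$environ" | grep -q '^container='; then
        return 0
    fi
    return 1
}

# A container may load its own profiles only when the kernel stacks policy
# namespaces (.ns_stacked reads "yes") and the container has been given its
# own namespace: LXD names them lxd-<name>, LXC names them lxc-<name>.
container_can_load_policy() {
    sfs="${1:-/sys/kernel/security/apparmor}"
    [ -f "$sfs/.ns_stacked" ] && [ -f "$sfs/.ns_name" ] || return 1
    read -r stacked < "$sfs/.ns_stacked"
    [ "$stacked" = "yes" ] || return 1
    read -r ns_name < "$sfs/.ns_name"
    case "$ns_name" in
        lxd-*|lxc-*) return 0 ;;
    esac
    return 1
}

# The decision the job would take: "load" on a host or in a container that has
# its own policy namespace, "skip" in a container that would otherwise push
# profiles into the host's namespace. Prints the outcome, returns 0 for load.
should_load_profiles() {
    environ="$1"; marker="$2"; sfs="$3"
    if in_container "$environ" "$marker" && ! container_can_load_policy "$sfs"; then
        echo skip
        return 1
    fi
    echo load
    return 0
}

# When run directly, report the decision for the current system.
should_load_profiles "" "" "" || :
```

In a real pre-start script the `skip` branch would `exit 0` before the `apparmor_parser` calls; the container case with a stacked `lxd-`/`lxc-` namespace is the one where loading is safe, because the profiles land in the container's own namespace rather than the host's.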