Fedora 26 LXD container: cannot load apparmor profile

Bug #1719747 reported by Cris Dywan

Bug Description

In a Fedora 26 LXD container (images:fedora/26/amd64, with squashfuse built from source)

$ sudo snap install htop
error: cannot perform the following tasks:
- Setup snap "core" (2898) security profiles (cannot setup apparmor for snap "core": cannot load apparmor profile "snap.core.hook.configure": cannot load apparmor profile: exec: "apparmor_parser": executable file not found in $PATH
apparmor_parser output:
- Setup snap "core" (2898) security profiles (cannot load apparmor profile "snap.core.hook.configure": cannot load apparmor profile: exec: "apparmor_parser": executable file not found in $PATH
apparmor_parser output:

$ apparmor_parser
bash: apparmor_parser: command not found

There are some AppArmor files bleeding into the container:
However, even mocking them out via 'sudo mount -t tmpfs none /sys/module/; sudo mount -t tmpfs none /sys/kernel/security/' the problem persists.

Work-around: sudo ln -s /usr/bin/true /usr/bin/apparmor_parser

John Johansen (jjohansen) wrote :

can you correct me if my interpretation of your setup is wrong?

the host is ubuntu with apparmor enabled.
the container is fedora 26
the snap is being installed in the fedora container

and can you provide the output of
  cat /sys/module/apparmor/parameters/enabled

So first up
  /sys/module/apparmor will show up if apparmor is built in to the kernel regardless of whether apparmor is enabled. This will always appear on Ubuntu kernels and several other distro kernels.

  /sys/kernel/security/apparmor will only show up if it is the registered LSM on the system.

if I am correct about your setup, then I can explain what is happening.
Containers and hosts share a kernel, and the LSM is not namespaced or virtualized, so the LSM enabled on the host is the LSM for the container as well.

Your fedora container does not have the apparmor package installed so it is not trying to load apparmor policy and it is missing the apparmor_parser.

Snappy detects the kernel supports apparmor and tries to load the policy for the snap and fails.

Unfortunately at this time, while apparmor supports policy namespaces and stacking with itself, it does not support virtualizing whether it is enabled for a given policy namespace. This means that because the kernel has apparmor enabled, the container, even when set up without it, will see apparmor enabled.

The virtualization of the apparmor module parameters is scheduled to land in the 4.15 kernel and will be backported into the current ubuntu kernels at some point. Until then a bind mount in the container over /sys/module/apparmor/parameters/enabled to a file that contains just 'N' should make apparmor appear to be disabled (assuming snappy is using the standard checks for apparmor).
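
The failure in this report comes from two facts disagreeing: the shared kernel reports AppArmor as enabled through /sys/module/apparmor/parameters/enabled, while the container has no apparmor_parser on its PATH. The script below is an added example, not code from the bug report or from snapd; it performs the same two checks the discussion above describes (read the module parameter, look for the parser) and classifies the result, so an operator can spot the "enabled but no parser" state before running `snap install`. The file path and PATH are taken as arguments so the check can be run against constructed inputs; the classification labels are the example's own.

```sh
#!/bin/sh
# Added example: preflight check for the AppArmor state of a container.
# Assumptions: the kernel parameter file is the one quoted in the thread
# (/sys/module/apparmor/parameters/enabled) and the parser binary is named
# apparmor_parser. Both locations are passed in as arguments so the
# functions can be exercised against constructed files.

# Print Y or N depending on what the kernel parameter file reports.
# A missing or unreadable file is treated as "disabled" (N).
# Usage: apparmor_kernel_state /sys/module/apparmor/parameters/enabled
apparmor_kernel_state() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo N
        return 0
    fi
    state=""
    read -r state < "$file" || true    # "|| true": file may lack a trailing newline
    case "$state" in
        Y*) echo Y ;;
        *)  echo N ;;
    esac
}

# Return 0 if an executable named apparmor_parser exists in the given
# colon-separated directory list, 1 otherwise.
# Usage: have_parser "/usr/sbin:/usr/bin"
have_parser() {
    oldifs="$IFS"
    IFS=:
    for dir in $1; do
        if [ -x "$dir/apparmor_parser" ]; then
            IFS="$oldifs"
            return 0
        fi
    done
    IFS="$oldifs"
    return 1
}

# Combine the two checks. Prints one of:
#   ok        - kernel reports enabled and the parser is present
#   mismatch  - kernel reports enabled but no parser (the state in this bug)
#   disabled  - kernel reports disabled; policy loading is not attempted
# Usage: apparmor_classify <parameter-file> <PATH-like list>
apparmor_classify() {
    kstate=$(apparmor_kernel_state "$1")
    if [ "$kstate" = Y ]; then
        if have_parser "$2"; then
            echo ok
        else
            echo mismatch
        fi
    else
        echo disabled
    fi
}

# Stand-alone run against the real system locations.
apparmor_classify /sys/module/apparmor/parameters/enabled "$PATH"
```

A result of `mismatch` is the situation described in the thread; `disabled` is what the bind-mount over the parameter file is meant to produce, and `ok` is what you get after installing the AppArmor userspace in the container.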

John Johansen (jjohansen) wrote :

Or you could install the apparmor package, and have apparmor confinement of the snap on the fedora system.

Jamie Strandboge (jdstrand) wrote :

Also, what is the output of 'snap version'?

Cris Dywan (kalikiana) wrote :

Thank you for your reply! You're right, the host is Ubuntu, 16.04.2. I should've mentioned that.

On the Ubuntu host

$ cat /sys/module/apparmor/parameters/enabled

$ snap version
snap 2.28
snapd 2.28
series 16
ubuntu 16.04
kernel 4.4.0-87-generic

In the Fedora container

# cat /sys/module/apparmor/parameters/enabled

# snap version
snap 2.27.6-1.fc26
snapd 2.27.6-1.fc26
series 16
fedora 26
kernel 4.4.0-87-generic

Unfortunately there isn't an "apparmor" package on Fedora... perhaps snapd should/could be aware of this situation and e.g. detect that apparmor isn't installed even if it's seemingly enabled?

Michael Vogt (mvo)
Changed in snappy:
status: New → Triaged
importance: Undecided → High
Michael Vogt (mvo)
affects: snappy → snapd