Comment 4 for bug 1295774

Florian Engelmann (engelmann) wrote :

root@xxxxxxxxx:~# apparmor_parser -vd /etc/apparmor.d/lxc-containers
----- Debugging built structures -----
Name: lxc-container-default
Profile Mode: Enforce
Capabilities: chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_overridesyslog
Quiet Caps: chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_overridesyslog
Network: <all>
--- Entries ---
Mode: rwalkmx:rwalkmx Name: (/{**,})
 link: (/**)
Mode: rwalkx:rwalkx Name: (/proc//kmem)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/proc//mem)
 link: (/**)
Mode: walkx:walkx Name: (/proc//sys/fs/**)
 link: (/**)
Mode: walkx:walkx Name: (/proc//sys/kernel/*/**)
 link: (/**)
Mode: walkx:walkx Name: (/proc//sys/kernel/[^s][^h][^m]*)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/proc//sysrq-trigger)
 link: (/**)
Mode: walkx:walkx Name: (/sys/[^f]*/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/f[^s]*/**)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/sys/firmware/efi/efivars/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/fs/[^c]*/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/fs/c[^g]*/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/fs/cg[^r]*/**)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/sys/kernel/security/**)
 link: (/**)

Name: lxc-container-default-with-mounting
Profile Mode: Enforce
Capabilities: chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_overridesyslog
Quiet Caps: chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_overridesyslog
Network: <all>
--- Entries ---
Mode: rwalkmx:rwalkmx Name: (/{**,})
 link: (/**)
Mode: rwalkx:rwalkx Name: (/proc//kmem)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/proc//mem)
 link: (/**)
Mode: walkx:walkx Name: (/proc//sys/fs/**)
 link: (/**)
Mode: walkx:walkx Name: (/proc//sys/kernel/*/**)
 link: (/**)
Mode: walkx:walkx Name: (/proc//sys/kernel/[^s][^h][^m]*)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/proc//sysrq-trigger)
 link: (/**)
Mode: walkx:walkx Name: (/sys/[^f]*/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/f[^s]*/**)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/sys/firmware/efi/efivars/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/fs/[^c]*/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/fs/c[^g]*/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/fs/cg[^r]*/**)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/sys/kernel/security/**)
 link: (/**)

Name: lxc-container-default-with-nesting
Profile Mode: Enforce
Capabilities: chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_overridesyslog
Quiet Caps: chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_overridesyslog
Network: <all>
--- Entries ---
Mode: w: Name: (/proc/*/attr/{current,exec})
Mode: rwalkmx:rwalkmx Name: (/{**,})
 link: (/**)
Mode: change_profile: Name: (lxc-*)
Mode: change_profile: Name: (unconfined)
Mode: rwalkx:rwalkx Name: (/proc//kmem)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/proc//mem)
 link: (/**)
Mode: walkx:walkx Name: (/proc//sys/fs/**)
 link: (/**)
Mode: walkx:walkx Name: (/proc//sys/kernel/*/**)
 link: (/**)
Mode: walkx:walkx Name: (/proc//sys/kernel/[^s][^h][^m]*)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/proc//sysrq-trigger)
 link: (/**)
Mode: walkx:walkx Name: (/sys/[^f]*/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/f[^s]*/**)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/sys/firmware/efi/efivars/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/fs/[^c]*/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/fs/c[^g]*/**)
 link: (/**)
Mode: walkx:walkx Name: (/sys/fs/cg[^r]*/**)
 link: (/**)
Mode: rwalkx:rwalkx Name: (/sys/kernel/security/**)
 link: (/**)

root@xxxxxxxxxx:~# apparmor_parser -v /etc/apparmor.d/lxc-containers
Enocoding of mount rule failed
ERROR processing policydb rules for profile lxc-container-default, failed to load