This bug is due to lxc using invalid mount rules according to the specification.
`man 5 apparmor.d` ==> `[mountpoint] must start with ’/’ (after variable expansion)`.
We can find such problematic rules in `src/lxc/lsm/apparmor.c` and `config/apparmor/abstractions/{start-container.in,container-base,container-base.in}`:
```
$ cd lxc
$ grep -r '\-> \*\*,'
config/apparmor/abstractions/start-container.in: mount options=(rw, make-slave) -> **,
config/apparmor/abstractions/start-container.in: mount options=(rw, make-rslave) -> **,
[...]
src/lxc/lsm/apparmor.c:" mount options=(rw,make-unbindable) -> **,\n"
src/lxc/lsm/apparmor.c:" mount options=(rw,make-runbindable) -> **,\n"
[...]
$ grep -r '\-> \*\*,'|wc -l
36
```
Although this restriction is only enforced in AppArmor since version 4.0, similar restrictions have always been in place for files: `/** ix,` is a valid rule but `** ix` is not. Therefore, IMHO, the best way to handle this issue would be to create a merge request for lxc to update their rules (hence not making any change to AppArmor, since the rule is indeed invalid).
@jjohansen Would you agree with this approach?
Side note: In `man apparmor.d`, we also find

```
mount,
    the 'mount' rule without any conditionals is the most generic and allows any mount. Equivalent to 'mount fstype=** options=** ** -> /**'.
```
IMO we should remove the sentence `Equivalent to 'mount fstype=** options=** ** -> /**'` since this rule is very invalid, even for apparmor_parser and could confuse AppArmor users.
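As an added illustration (this is not part of the comment above, nor code from lxc or AppArmor), here is a small Python check that applies the one constraint quoted from `man 5 apparmor.d`, "[mountpoint] must start with '/' (after variable expansion)", to a constructed profile fragment. The fragment, its `@{PROC}`/`@{run}` variables and the rule mix are all made up for the example; the regexes handle only the `mount ... -> <mountpoint>,` shape shown in the grep output plus optional `audit`/`deny` qualifiers, and nothing else about mount rule grammar is validated, so `apparmor_parser` remains the authority.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from lxc or AppArmor sources): a mix of valid and
# invalid mount rules, plus variable definitions to exercise expansion.
SAMPLE_PROFILE = """\
@{PROC}=/proc/
@{run}=/run/ /var/run/
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-rslave) -> **,
  mount options=(rw,make-unbindable) -> /**,
  mount fstype=proc -> @{PROC}/,
  mount options=(rw,bind) /dev/pts/** -> /dev/**,
  mount options=(rw,bind) -> @{run}lock/,
  mount,
  mount fstype=tmpfs,
}
"""

# @{NAME}=value [value ...]  (space separated alternatives)
VAR_DEF = re.compile(r"^\s*@\{(\w+)\}\s*=\s*(.+?)\s*$")
VAR_REF = re.compile(r"@\{(\w+)\}")
# A mount rule that names a mountpoint: "[audit] [deny] mount ... -> <target>,"
# Rules without "->" (e.g. a bare "mount,") have no mountpoint to check.
MOUNT_TARGET = re.compile(r"^\s*(?:audit\s+)?(?:deny\s+)?mount\b.*->\s*(\S+?)\s*,\s*$")


def parse_variables(text: str) -> Dict[str, List[str]]:
    """Collect @{NAME}=... definitions found in the profile text."""
    variables: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            variables[m.group(1)] = m.group(2).split()
    return variables


def expand(value: str, variables: Dict[str, List[str]]) -> List[str]:
    """Expand every @{VAR} reference, one result per combination of alternatives."""
    m = VAR_REF.search(value)
    if m is None:
        return [value]
    name = m.group(1)
    if name not in variables:
        # Undefined variable: leave the reference in place so the leading-slash
        # check below reports it instead of silently accepting it.
        return [value]
    out: List[str] = []
    for alt in variables[name]:
        out.extend(expand(value[: m.start()] + alt + value[m.end():], variables))
    return out


def find_bad_mountpoints(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, mountpoint as written, offending expansion) for every
    mount rule whose target does not start with '/' after variable expansion."""
    variables = parse_variables(text)
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = MOUNT_TARGET.match(line)
        if m is None:
            continue
        target = m.group(1)
        for expanded in expand(target, variables):
            if not expanded.startswith("/"):
                findings.append((lineno, target, expanded))
    return findings


if __name__ == "__main__":
    for lineno, target, expanded in find_bad_mountpoints(SAMPLE_PROFILE):
        print(f"line {lineno}: mountpoint {target!r} expands to {expanded!r}, "
              f"which does not start with '/'")
```

Run against the sample, it reports only the two `-> **` rules (the same pattern the grep above finds in lxc); `-> /**`, `-> @{PROC}/` and `-> @{run}lock/` pass because their expansions begin with `/`. Pointing `find_bad_mountpoints` at the text of `start-container.in` would give the same kind of list for the real abstraction.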