network-interface-security upstart job is not container aware

Bug #1640868 reported by Tyler Hicks
Affects: ifupdown (Ubuntu)
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

The network-interface-security upstart job unconditionally loads the usr.sbin.dhclient AppArmor profile even if the job is running in a LXC/LXD container that cannot load AppArmor policy.

I don't see any negative side effects from this behavior, so I don't think this is a high priority bug. If this were to be fixed, the upstart job would need to check to see if it is running inside of a container and, if so, if the container is capable of loading its own AppArmor security policy. See https://launchpad.net/ubuntu/+source/apparmor/2.10.95-4ubuntu5 for an example of what this would look like.

This behavior can be seen with a 16.04 host, running lxd from either the archive or as a snap, and launching a 14.04 container. aa-status inside of the container will show:

$ lxd.lxc exec t aa-status
apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (810)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
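The container and policy-namespace check the description asks for, as an added shell example (not code from the ifupdown job or from the apparmor package). It assumes the `container` variable that upstart's running-in-container reports and the `.ns_stacked` / `.ns_name` files AppArmor exposes in securityfs inside a policy namespace; both are passed in as parameters so the decision can be exercised against a constructed directory.

```shell
# Added example, not the ifupdown job's or apparmor's own code.
# Assumed inputs: the "container" value running-in-container prints, and
# AppArmor's securityfs .ns_stacked / .ns_name files (present only when the
# task sits inside a policy namespace). Both are parameters for testing.

# Return 0 when running in a container.
# $1 = container value (on a real system: container=$(running-in-container))
is_container() {
    [ -n "$1" ]
}

# Return 0 when the container has its own stacked AppArmor policy namespace
# (LXD names them lxd-*, LXC lxc-*), so loading a profile only touches the
# container's own policy rather than the host's.
# $1 = securityfs apparmor directory, e.g. /sys/kernel/security/apparmor
container_has_own_policy() {
    sfs="$1"
    [ -f "$sfs/.ns_stacked" ] && [ -f "$sfs/.ns_name" ] || return 1
    read -r stacked < "$sfs/.ns_stacked"
    [ "$stacked" = "yes" ] || return 1
    read -r name < "$sfs/.ns_name"
    case "$name" in
        lxd-*|lxc-*) return 0 ;;
        *)           return 1 ;;
    esac
}

# The decision the job would take before calling apparmor_parser: returns 0
# when the dhclient profile should be loaded, 1 when loading should be
# skipped, and prints the reason. $1 = container value, $2 = securityfs dir.
should_load_policy() {
    if ! is_container "$1"; then
        echo "not in a container: load policy"; return 0
    fi
    if container_has_own_policy "$2"; then
        echo "container with own policy namespace: load policy"; return 0
    fi
    echo "container cannot load its own policy: skip"; return 1
}

# Constructed securityfs layout standing in for a namespaced LXD container.
demo=$(mktemp -d)
printf 'yes\n' > "$demo/.ns_stacked"
printf 'lxd-t_constructed\n' > "$demo/.ns_name"
should_load_policy ""    "$demo"                  # host: load
should_load_policy "lxc" "$demo"                  # namespaced container: load
should_load_policy "lxc" "/nonexistent" || true   # no policy namespace: skip
rm -rf "$demo"
```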

Tyler Hicks (tyhicks)
description: updated
Tyler Hicks (tyhicks)
description: updated