I noticed that confinement inside of LXD containers works fine when shiftfs is disabled:
$ sudo rmmod shiftfs
$ sudo mv /lib/modules/5.0.0-11-generic/kernel/fs/shiftfs.ko .
$ sudo systemctl restart snap.lxd.daemon
$ lxc launch ubuntu-daily:d noshift
Creating noshift
Starting noshift
# Now log in to the container and fix the apparmor init script bug
# around SFS_MOUNTPOINT by modifying /lib/apparmor/rc.apparmor.functions
# to define SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}" at the top of
# is_container_with_internal_policy()
$ lxc exec noshift -- sh -x /lib/apparmor/apparmor.systemd reload
$ lxc exec noshift -- aa-status
apparmor module is loaded.
27 profiles are loaded.
27 profiles are in enforce mode.
/sbin/dhclient
/snap/core/6673/usr/lib/snapd/snap-confine
/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/tcpdump
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.core
snap-update-ns.lxd
snap.core.hook.configure
snap.lxd.activate
snap.lxd.benchmark
snap.lxd.buginfo
snap.lxd.check-kernel
snap.lxd.daemon
snap.lxd.hook.configure
snap.lxd.hook.install
snap.lxd.lxc
snap.lxd.lxd
snap.lxd.migrate
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
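As an added example (not from the bug report or the apparmor package): a POSIX shell sketch of the SFS_MOUNTPOINT workaround step described above, applied idempotently to a copy of rc.apparmor.functions, plus a check that aa-status output shows the healthy state (module loaded, every loaded profile enforced). The function body in SAMPLE_FUNCS and the status texts are constructed stand-ins, not the real file or real output.

```shell
#!/bin/sh
# Added example, not part of the bug report. SAMPLE_FUNCS below is a constructed
# stand-in for the layout of is_container_with_internal_policy() in
# /lib/apparmor/rc.apparmor.functions, not the real file.

# apply_sfs_fix FILE: define SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}" as the
# first statement of is_container_with_internal_policy(); no-op if present.
apply_sfs_fix() {
    f="$1"
    if grep -qF 'SFS_MOUNTPOINT="${SECURITYFS}/${MODULE}"' "$f"; then
        return 0
    fi
    awk '
        /^is_container_with_internal_policy\(\)/ { infn = 1 }
        { print }
        infn && /\{/ { print "\tSFS_MOUNTPOINT=\"${SECURITYFS}/${MODULE}\""; infn = 0 }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# aa_policy_ok STATUS_TEXT: succeed only when the module is loaded, at least
# one profile is loaded and every loaded profile is in enforce mode.
aa_policy_ok() {
    printf '%s\n' "$1" | awk '
        /^apparmor module is loaded/ { mod = 1 }
        /profiles are loaded/        { loaded = $1 }
        /profiles are in enforce/    { enforced = $1 }
        END { exit !(mod && loaded > 0 && enforced == loaded) }
    '
}

# Constructed sample inputs for a dry run.
SAMPLE_FUNCS='is_container_with_internal_policy() {
	local ns_stacked_path="${SECURITYFS}/${MODULE}/.ns_stacked"
	[ -f "$ns_stacked_path" ]
}'
SAMPLE_STATUS_OK='apparmor module is loaded.
27 profiles are loaded.
27 profiles are in enforce mode.
0 profiles are in complain mode.'
SAMPLE_STATUS_BAD='apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.'

# Dry run on a temporary copy; shows the inserted line with its line number.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_FUNCS" > "$tmp"
apply_sfs_fix "$tmp"
grep -n 'SFS_MOUNTPOINT=' "$tmp"
rm -f "$tmp"
```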