Comment 11 for bug 1844186

Simon Déziel (sdeziel) wrote :

Test results on Bionic:

Bionic/4.15:

$ uname -a
Linux c2d.mgmt.sdeziel.info 4.15.0-64-generic #73+lp1844186 SMP Thu Sep 26 15:17:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: works!

Bionic/5.0:

$ uname -a
Linux c2d.mgmt.sdeziel.info 5.0.0-8-generic #9+lp1844186 SMP Thu Sep 26 15:03:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

*result*: doesn't work/couldn't test properly. That kernel doesn't let me load an AppArmor policy in the container:

root@ns0:~# aa-status
apparmor module is loaded.
You do not have enough privilege to read the profile set.

Maybe it's just too old or the kernel isn't compatible with the AppArmor version from Bionic? The binary/service starts fine with NoNewPrivileges=yes, but there is no AppArmor policy loaded in the container, only in the host.