apparmor's is_container_with_internal_policy() does not recognize incus

Bug #2060535 reported by Jamie Strandboge
Affects             Status        Importance  Assigned to  Milestone
apparmor (Ubuntu)   Fix Released  Undecided   Unassigned
Bionic              Triaged       Undecided   Unassigned
Focal               Triaged       Undecided   Unassigned
Jammy               Triaged       Undecided   Unassigned
Noble               Fix Released  Undecided   Unassigned

Bug Description

apparmor is not loading for Ubuntu containers under incus. This is due to `/lib/apparmor/rc.apparmor.functions` (18.04 uses `/lib/apparmor/functions`):

is_container_with_internal_policy() {
    # this function is sometimes called independently of
    # is_apparmor_loaded(), so also define this here.
    local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
    local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
    local ns_stacked
    local ns_name

    if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
        return 1
    fi

    read -r ns_stacked < "$ns_stacked_path"
    if [ "$ns_stacked" != "yes" ]; then
        return 1
    fi

    # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
    # "lxc-", respectively. Return non-zero for all other namespace
    # identifiers.
    read -r ns_name < "$ns_name_path"
    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
       [ "${ns_name#lxc-*}" = "$ns_name" ]; then
        return 1
    fi

    return 0
}

This can be fixed by adjusting it to have:

    # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-",
    # "lxc-", and "incus-" respectively. Return non-zero for all other namespace
    # identifiers.
    read -r ns_name < "$ns_name_path"
    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
       [ "${ns_name#lxc-*}" = "$ns_name" ] && \
       [ "${ns_name#incus-*}" = "$ns_name" ] ; then
        return 1
    fi

References:
* https://github.com/lxc/incus/issues/740
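
As an added example (not code from the bug report, the apparmor package or incus): a stand-alone POSIX sh reimplementation of is_container_with_internal_policy() in which the namespace prefix check can be switched between the pre-fix ("old") and post-fix ("new") form, and the securityfs directory is a parameter so the function can be run against a constructed fake tree instead of the real mountpoint (assumed to be `/sys/kernel/security/apparmor`, the usual value of SFS_MOUNTPOINT). The helper names `ns_name_is_known_old`, `ns_name_is_known_new`, `make_fake_sfs`, `check` and `check_missing`, and the sample namespace names such as `incus-c1` and `docker-c1`, are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or the apparmor package.
# Reimplements is_container_with_internal_policy() so that the namespace
# prefix check can be swapped between the pre-fix ("old") and post-fix ("new")
# form, and the securityfs directory can point at a constructed fake tree
# instead of /sys/kernel/security/apparmor (assumed real SFS_MOUNTPOINT).

# Pre-fix check: only "lxd-" and "lxc-" namespaces count as a container with
# its own internal policy. Returns 0 when the prefix is known, 1 otherwise.
ns_name_is_known_old() {
    name="$1"
    if [ "${name#lxd-*}" = "$name" ] && \
       [ "${name#lxc-*}" = "$name" ]; then
        return 1
    fi
    return 0
}

# Post-fix check from the bug report: "incus-" joins the prefix list.
ns_name_is_known_new() {
    name="$1"
    if [ "${name#lxd-*}" = "$name" ] && \
       [ "${name#lxc-*}" = "$name" ] && \
       [ "${name#incus-*}" = "$name" ]; then
        return 1
    fi
    return 0
}

# $1 = securityfs apparmor directory, $2 = "old" or "new".
# Same shape as the real function: both files must exist, .ns_stacked must
# read "yes", and .ns_name must carry a known prefix.
is_container_with_internal_policy() {
    sfs="$1"
    variant="$2"
    ns_stacked_path="$sfs/.ns_stacked"
    ns_name_path="$sfs/.ns_name"

    if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
        return 1
    fi

    read -r ns_stacked < "$ns_stacked_path"
    if [ "$ns_stacked" != "yes" ]; then
        return 1
    fi

    read -r ns_name < "$ns_name_path"
    if [ "$variant" = "old" ]; then
        ns_name_is_known_old "$ns_name"
    else
        ns_name_is_known_new "$ns_name"
    fi
}

# Constructed fake securityfs tree (assumption: each file holds exactly one
# line, as the kernel exposes inside a stacked policy namespace).
make_fake_sfs() {
    dir="$1"
    printf '%s\n' "$2" > "$dir/.ns_stacked"
    printf '%s\n' "$3" > "$dir/.ns_name"
}

# check STACKED NS_NAME VARIANT -> prints "yes" or "no"
check() {
    tmp=$(mktemp -d)
    make_fake_sfs "$tmp" "$1" "$2"
    if is_container_with_internal_policy "$tmp" "$3"; then r=yes; else r=no; fi
    rm -rf "$tmp"
    printf '%s' "$r"
}

# check_missing VARIANT -> "no": a directory without the .ns_* files never
# qualifies, whichever prefix list is in use.
check_missing() {
    tmp=$(mktemp -d)
    if is_container_with_internal_policy "$tmp" "$1"; then r=yes; else r=no; fi
    rm -rf "$tmp"
    printf '%s' "$r"
}

# The cases that matter for this bug, old vs. new prefix check side by side.
for case in "yes lxd-c1" "yes lxc-c1" "yes incus-c1" "yes docker-c1" "no incus-c1"; do
    set -- $case
    printf '%-16s old=%-3s new=%s\n' "$case" "$(check "$1" "$2" old)" "$(check "$1" "$2" new)"
done
```

The `incus-c1` row is the one this bug is about: with .ns_stacked reading "yes", the old check answers "no" and the new one "yes", so the init script falls through to the host-style policy load inside the container. On a real host or container, call `is_container_with_internal_policy /sys/kernel/security/apparmor new` (an assumed path) to see which branch that system takes; the `docker-c1` and `no incus-c1` rows show that an unknown prefix or an unstacked namespace is still rejected after the fix.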

Jamie Strandboge (jdstrand) wrote :

https://gitlab.com/apparmor/apparmor/-/commit/659a187687fc8802045c113da0d12bc4b836d591 was committed upstream for this. It would be nice if this was SRU'd.

Changed in apparmor (Ubuntu Noble):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

This is already available in noble. An SRU for jammy and focal (and ideally bionic) would be nice.

Changed in apparmor (Ubuntu Bionic):
status: New → Triaged
Changed in apparmor (Ubuntu Focal):
status: New → Triaged
Changed in apparmor (Ubuntu Jammy):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Note that after this fix, snapd in containers needs to be at >= 2.62 for apparmor policy to load (snapd's snapd-apparmor needs the fix corresponding to this bug). This is currently in the candidate channel.
