lxc ships apparmor config that confuses aa-logprof
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Fix Released | Undecided | Maxime Bélair | |
| lxc | New | Undecided | Unassigned | |
| apparmor (Ubuntu) | Confirmed | Undecided | Unassigned | |
| Noble | Confirmed | Undecided | Unassigned | |
Bug Description
== Summary ==
liblxc-
aa-logprof chokes on those files on loading, and therefore is not usable at all.
Possible solutions:
1. aa-logprof should ignore those files, instead of exiting with an error.
2. aa-logprof should support the new config semantics (if that is actually valid)
3. liblxc should not distribute unsupported files.
== Long description ==
# aa-logprof
ERROR: Can't parse mount rule mount options=(rw, make-slave) -> **,
Apparently there are files:
# grep -R make-slave /etc/apparmor.d/*
/etc/apparmor.
/etc/apparmor.
Note that the 2nd file "container-base" has that commented out with some comment
" # allow paths to be made slave, shared, private or unbindable
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
"
The 1st file "start-container" uses this command, but prefixed with:
# currently blocked by apparmor bug
Step-by-step commenting this resulted in other commands that fail.
also, at one point, they are including duplicate files:
# aa-logprof
AppArmor-Profile in /etc/apparmor.d werden aktualisiert.
ERROR: Conflicting profiles for /usr/bin/lxc-start defined in two files:
- /etc/apparmor.
- /etc/apparmor.
Note that these files are identical. Specifically, the "usr.bin.lxc-copy" contains "/usr/bin/
At this point I stopped and purged lxc, and waydroid (which was using it) for now
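To make the two failure modes in this report concrete, here is an added example (not code from lxc or from aa-logprof) of a tolerant pass over profile text: it parses mount rules of the shape quoted above (`options=(rw, make-slave) -> **`), records rules it cannot parse as warnings instead of aborting (solution 1), and reports an attachment path defined in more than one file. The file names and rule lines are constructed to mirror the report, not the real lxc profiles.

```python
import re
from collections import defaultdict

# Constructed sample files modelled on the report's quotes (not the real lxc profiles).
SAMPLE_FILES = {
    "usr.bin.lxc-start": "\n".join([
        "/usr/bin/lxc-start flags=(attach_disconnected) {",
        "  mount options=(rw, make-slave) -> **,", "}"]),
    "usr.bin.lxc-copy": "\n".join([            # identical copy -> conflict
        "/usr/bin/lxc-start flags=(attach_disconnected) {",
        "  mount options=(rw, make-slave) -> **,", "}"]),
    "lxc-containers": "\n".join([
        "profile lxc-container-default {",
        "  mount fstype=proc -> /proc/,",
        "  mount options=(rw, make-slave) -> **,",
        "  # mount options=(rw, make-rslave) -> **,",  # commented out, ignored
        "  mount wibble,",                             # not valid, must be skipped
        "}"]),
}

# mount [fstype=X] [options=(a, b)] [-> target],   (deny prefix optional)
MOUNT_RULE = re.compile(
    r"^(?P<deny>deny\s+)?mount"
    r"(?:\s+fstype=(?P<fstype>\S+))?"
    r"(?:\s+options=\((?P<options>[^)]*)\))?"
    r"(?:\s+->\s+(?P<target>\S+))?,$")
# "profile NAME ... {" or "/attachment/path ... {"
PROFILE_HEAD = re.compile(r"^(?:profile\s+(\S+)|(/\S+))[^{]*\{$")

def parse_mount_rule(line):
    """Return a dict for a mount rule this parser understands, else None."""
    m = MOUNT_RULE.match(line.strip())
    if not m:
        return None
    raw = m.group("options")
    opts = [o.strip() for o in raw.split(",")] if raw else []
    return {"deny": bool(m.group("deny")), "fstype": m.group("fstype"),
            "options": opts, "target": m.group("target")}

def lint_profiles(files):
    """Return (parsed mount rules, skipped lines, paths defined in >1 file)."""
    rules, skipped, owners = [], [], defaultdict(list)
    for name, text in files.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            head = PROFILE_HEAD.match(line)
            if head:
                owners[head.group(1) or head.group(2)].append(name)
            elif line.startswith(("mount", "deny mount")):
                rule = parse_mount_rule(line)
                if rule is None:
                    skipped.append((name, lineno, line))  # warn, do not abort
                else:
                    rules.append(rule)
    conflicts = {p: sorted(f) for p, f in owners.items() if len(f) > 1}
    return rules, skipped, conflicts
```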
affects: | launchpad-report-tool → lxc |
Changed in apparmor: | |
assignee: | nobody → Maxime Bélair (mbelair) |
The answer is 2 (support) then 1 (ignore and warn/treat like a comment if it doesn't understand).
What is the version of apparmor, or distro release you are seeing this on? aa-logprof has had work recently to support mount rules (eg. https://gitlab.com/apparmor/apparmor/-/merge_requests/1195, and a few others), and before this it should have been accepting and ignoring them.