apparmor should quietly return success in a container

Bug #978297 reported by Serge Hallyn
Affects             Status        Importance  Assigned to   Milestone
apparmor (Ubuntu)   Fix Released  High        Serge Hallyn
  Precise           Fix Released  High        Serge Hallyn
upstart (Ubuntu)    Fix Released  High        Serge Hallyn
  Precise           Fix Released  High        Serge Hallyn

Bug Description

In Precise, containers are not allowed to load profiles. This will be allowed later, but for now apparmor should not prevent things from starting in a container because of failures to load or transition to profiles.

1. /etc/init.d/apparmor should return 0 if in a container

2. /lib/init/apparmor-profile-load should do nothing and return 0 if in a container.

Since the container is already locked into a (customizable) container profile, this is ok.

(Note that admins can have containers running unconfined and with all capabilities, but that is a special case.)

This is needed for bug 978147.
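As an added example (not Serge's patch, which is not reproduced on this page), the following shell guard does what the two items above ask for: inside a container it does nothing and returns 0, outside it loads the profile and returns the parser's status. It assumes the container runtime exports a `container=` variable into PID 1's environment; the environ path and the parser command are parameters only so the guard can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not the patch from this bug: the guard the two fixes
# describe, i.e. an init script or profile-load helper that quietly
# returns 0 inside a container instead of trying to load a profile.
#
# Assumption: the container runtime exports a "container=" variable
# into PID 1's environment, so /proc/1/environ reveals it. The environ
# path and the parser command are parameters purely so the guard can be
# run against constructed sample files.

# in_container [ENVIRON_FILE]
# Exit 0 if the NUL-separated environment in ENVIRON_FILE (default:
# /proc/1/environ) contains a "container=<name>" entry, else 1.
in_container() {
    environ="${1:-/proc/1/environ}"
    [ -r "$environ" ] || return 1
    tr '\0' '\n' < "$environ" | grep -q '^container='
}

# load_profile ENVIRON_FILE PROFILE_FILE
# In a container: do nothing and succeed, so the job that depends on
# this helper still starts (the container is already confined by its
# own container profile). On the host: hand the profile to the parser
# named in $PARSER (apparmor_parser by default) and return its status.
load_profile() {
    environ="$1"
    profile="$2"
    if in_container "$environ"; then
        echo "in a container, not loading $profile" >&2
        return 0
    fi
    "${PARSER:-apparmor_parser}" -r "$profile"
}
```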

Changed in apparmor (Ubuntu):
status: New → In Progress
Changed in upstart (Ubuntu):
status: New → In Progress
Changed in apparmor (Ubuntu):
importance: Undecided → High
Changed in upstart (Ubuntu):
importance: Undecided → High
Changed in apparmor (Ubuntu):
assignee: nobody → Serge Hallyn (serge-hallyn)
Changed in upstart (Ubuntu):
assignee: nobody → Serge Hallyn (serge-hallyn)
Dave Walker (davewalker)
tags: added: rls-mgr-p-tracking
Jamie Strandboge (jdstrand) wrote :

Here is Serge's patch.

Changed in upstart (Ubuntu Precise):
milestone: none → ubuntu-12.04
Changed in apparmor (Ubuntu Precise):
milestone: none → ubuntu-12.04
Jamie Strandboge (jdstrand) wrote :

Ok, tested this and compared the output of 'aa-status' before and after a reboot. All the profiles are loaded on reboot with the new upstart. Verified that /lib/init/apparmor-profile-load was updated on upgrade. Comparing build logs between 1.5-0ubuntu3 and 1.5-0ubuntu4 (i.e., this patch) shows no surprises. Comparing binaries between the same two versions shows no surprises either.

I did not test this in containers, but Serge did before giving me the patch and the logic in the script is obvious.

Uploaded to unapproved.

Changed in upstart (Ubuntu Precise):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package upstart - 1.5-0ubuntu4

---------------
upstart (1.5-0ubuntu4) precise; urgency=low

  * debian/apparmor-profile-load: don't run in a container. This can
    hopefully be removed after stacked profiles are supported and
    used by lxc. (LP: #978297)
 -- Serge Hallyn <email address hidden> Tue, 10 Apr 2012 14:55:41 -0500

Changed in upstart (Ubuntu Precise):
status: Fix Committed → Fix Released
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.102-0ubuntu3

---------------
apparmor (2.7.102-0ubuntu3) precise; urgency=low

  [ Jamie Strandboge ]
  * debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5)
    to describe Ubuntu's two-stage policy load and how to utilize it
    when developing policy (LP: #974089)

  [ Serge Hallyn ]
  * debian/apparmor.init: do nothing in a container. This can be
    removed once stacked profiles are supported and used by lxc.
    (LP: #978297)

  [ Steve Beattie ]
  * debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping
    for change_profile onexec (LP: #963756)
  * debian/patches/0009-apparmor-lp959560-part1.patch,
    debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser
    to support the 'in' keyword for value lists, and make mount
    operations aware of 'in' keyword so they can affect the flags build
    list (LP: #959560)
  * debian/patches/0011-apparmor-lp872446.patch: fix logprof missing
    exec events in complain mode (LP: #872446)
  * debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in
    dovecot imap-login profile (LP: #978584)
  * debian/patches/0013-apparmor-lp800826.patch: fix libapparmor
    log parsing library from dropping apparmor network events that
    contain ip addresses or ports in them (LP: #800826)
  * debian/patches/0014-apparmor-lp979095.patch: document new mount rule
    syntax and usage in apparmor.d(5) manpage (LP: #979095)
  * debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec
    for profiles without attachment specification (LP: #963756,
    LP: #978038)
  * debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when
    loading policy to kernels without compat patches (LP: #968956)
  * debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to
    grant access to /proc/attr api (LP: #979135)
 -- Steve Beattie <email address hidden> Thu, 12 Apr 2012 06:17:42 -0500

Changed in apparmor (Ubuntu Precise):
status: In Progress → Fix Released