Internal AppArmor profile with unprivileged lxc container

Hello.

Sorry in advance, my English is not good.

I want to be able to use AppArmor in my unprivileged container with its own internal profile.

I know it’s possible because lxd can do it.

I’m on Debian Buster, and so is my container; the lxc version is 3.0.3.

lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.19.0-5-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points:
/sys/fs/cgroup/systemd
/sys/fs/cgroup/memory
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/freezer
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/blkio
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/pids
/sys/fs/cgroup/devices
/sys/fs/cgroup/rdma
/sys/fs/cgroup/cpuset

Cgroup v2 mount points:
/sys/fs/cgroup/unified

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

When I try to run the AppArmor service in a container I get the following error message: Not starting AppArmor in container. It’s because lxc does not mount securityfs on /sys/kernel/security.

I tried to put a solution in place by adding the following line to the container config:

lxc.mount.entry = securityfs sys/kernel/security securityfs ro,nosuid,nodev,noexec,relatime,relative 0 0

It works, but only for privileged containers; unprivileged containers fail to boot with this error message:

utils.c: safe_mount: 1179 Operation not permitted - Failed to mount "/usr/lib/x86_64-linux-gnu/lxc/rootfs/securityfs" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs/sys/kernel/security"

How do I solve it?

How can LXD do this?

Thanks.
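A preflight check for the configuration discussed in this post, added here as example code (it is not from the post or from LXC): it reports whether a container config is unprivileged, whether it carries the securityfs mount entry above, and whether the host kernel exposes AppArmor stacking. It assumes the upstream kernel paths /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/features/domain/stack; the sysfs root is a parameter so the check can be run against a constructed tree.

```shell
#!/bin/sh
# Preflight check for in-container AppArmor on LXC 3.x. Reports the facts that decided
# the outcome in the post (privileged vs. unprivileged, securityfs entry present) and,
# for information, the host's AppArmor state. Example code, not from the post or LXC.
#
# Usage: check_apparmor_nesting <lxc-config-file> [sysfs-root]
# Return codes: 0 privileged container with the entry (the case that worked above)
#               1 unprivileged container with the entry (the case that failed above)
#               2 no securityfs entry (AppArmor prints "Not starting AppArmor in container")
check_apparmor_nesting() {
    cfg="$1"
    sysfs="${2:-/sys}"   # overridable so the check can run against a constructed tree

    # lxc.idmap (LXC 3.x) or lxc.id_map (LXC 2.x) marks the container as unprivileged.
    if grep -Eq '^[[:space:]]*lxc\.id(_)?map[[:space:]]*=' "$cfg" 2>/dev/null; then
        unpriv=1; echo "container: unprivileged (idmap present)"
    else
        unpriv=0; echo "container: privileged"
    fi

    # The mount entry from the post: securityfs on sys/kernel/security.
    if grep -Eq '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*securityfs[[:space:]]+sys/kernel/security[[:space:]]+securityfs' "$cfg" 2>/dev/null; then
        echo "config: securityfs mount entry present"
    else
        echo "config: no securityfs mount entry; in-container AppArmor will refuse to start"
        return 2
    fi

    # Host side, informational: AppArmor enabled, and the feature file that signals
    # kernel support for stacked (nested) AppArmor policy; paths assumed from upstream.
    if [ "$(cat "$sysfs/module/apparmor/parameters/enabled" 2>/dev/null)" = "Y" ]; then
        echo "host: apparmor enabled"
    else
        echo "host: apparmor not enabled or not visible"
    fi
    if [ -e "$sysfs/kernel/security/apparmor/features/domain/stack" ]; then
        echo "host: kernel exposes apparmor stacking"
    else
        echo "host: kernel does not expose apparmor stacking"
    fi

    if [ "$unpriv" -eq 1 ]; then
        echo "result: unprivileged + securityfs entry: the combination that failed with safe_mount EPERM above"
        return 1
    fi
    echo "result: privileged + securityfs entry: the combination that worked above"
    return 0
}
```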