
group.of.nepali.translators team mailing list archive

[Bug 1628285] Re: apparmor should be allowed to start in containers

Hello Stéphane, or anyone else affected,

Accepted apparmor into xenial-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.5 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed. Your feedback will aid us in getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in
advance!

** Also affects: apparmor (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu Xenial)
       Status: New => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1628285

Title:
  apparmor should be allowed to start in containers

Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor source package in Xenial:
  Fix Committed

Bug description:
  Now that we have support for apparmor namespacing and stacking,
  unprivileged containers can and should be allowed to load apparmor
  profiles.

  The following changes are needed at least:
   - Change the systemd unit to remove the "!container" condition
   - Change the apparmor init script, replacing the current simple container check with something along the lines of:
      - If /proc/self/attr/current says "unconfined"
      - And /sys/kernel/security/apparmor/features/domain/stack contains "yes"
      - And /sys/kernel/security/apparmor/features/domain/version is 1.2 or higher
      - Then continue execing the script, otherwise exit 0

  John suggested he could add a file which would provide a more reliable
  way to do this check ^

  In either case, we need this change so that containers can behave more like normal systems as far as apparmor is concerned. That change should also be SRUed back to Xenial at the same time the kernel support for stacking is pushed.

  This bug is effectively a blocker for snapd inside LXD as without
  this, snap-confine and snapd itself will not be confined after
  container restart.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1628285/+subscriptions
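The three-condition check sketched in the bug description (unconfined label, stacking supported, domain version 1.2 or higher), written out as an added POSIX shell example; this is not the Ubuntu apparmor init script or any code from the bug. The sysroot prefix argument and the fixture builder are assumptions added so the check can be exercised against constructed files instead of the live /proc and /sys.

```shell
#!/bin/sh
# Added example: decide whether an apparmor init script should go on to
# load profiles inside a container, per the bug description's conditions.

# version_ge A B: returns 0 when dotted version A >= B (major.minor only).
version_ge() {
    v1=$1; v2=$2
    case $v1 in *.*) ;; *) v1="$v1.0" ;; esac
    case $v2 in *.*) ;; *) v2="$v2.0" ;; esac
    maj1=${v1%%.*}; r=${v1#*.}; min1=${r%%.*}
    maj2=${v2%%.*}; r=${v2#*.}; min2=${r%%.*}
    { [ "$maj1" -gt "$maj2" ] ||
      { [ "$maj1" -eq "$maj2" ] && [ "$min1" -ge "$min2" ]; }; } 2>/dev/null
}

# apparmor_container_check [SYSROOT]: returns 0 when the script should
# continue, 1 when it should take the "otherwise exit 0" branch.
# SYSROOT (assumed parameter) is prepended to the /proc and /sys paths.
apparmor_container_check() {
    root=${1:-}
    attr="$root/proc/self/attr/current"
    features="$root/sys/kernel/security/apparmor/features/domain"
    # 1. our own label must be "unconfined"
    label=$(cat "$attr" 2>/dev/null) || return 1
    [ "$label" = "unconfined" ] || return 1
    # 2. the kernel must report profile stacking support
    grep -q yes "$features/stack" 2>/dev/null || return 1
    # 3. the domain feature version must be 1.2 or higher
    ver=$(cat "$features/version" 2>/dev/null) || return 1
    version_ge "$ver" 1.2
}

# make_fixture DIR LABEL STACK VERSION: constructed stand-in for the
# kernel files, for offline testing only (not real /proc or /sys data).
make_fixture() {
    mkdir -p "$1/proc/self/attr" "$1/sys/kernel/security/apparmor/features/domain"
    printf '%s\n' "$2" > "$1/proc/self/attr/current"
    printf '%s\n' "$3" > "$1/sys/kernel/security/apparmor/features/domain/stack"
    printf '%s\n' "$4" > "$1/sys/kernel/security/apparmor/features/domain/version"
}

# Demo against constructed fixtures: a stacking-capable kernel continues,
# a pre-1.2 one takes the exit-0 path.
demo_root=$(mktemp -d)
make_fixture "$demo_root/ok"  unconfined yes 1.2
make_fixture "$demo_root/old" unconfined yes 1.1
apparmor_container_check "$demo_root/ok"  && echo "ok: continue loading profiles"
apparmor_container_check "$demo_root/old" || echo "old: exit 0"
rm -rf "$demo_root"
```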