apparmor in containers (systemd-nspawn)

Asked by Matthias Pfau on 2018-04-12

On a Debian stretch host with a working AppArmor installation, I created a container (nspawn) and installed apparmor within that container.

Within the container, apparmor can't be started. `systemctl status apparmor` returns "ConditionSecurity=apparmor was not met". I also noted that the whole /sys/modules tree is missing within the container. Invoking `cat /sys/module/apparmor/parameters/enabled` on the host returns "Y".

Is AA virtualizable for containers? E.g. can multiple containers load their own AA profiles? If so, what is exactly needed to run apparmor in a container?

Thanks!

Cheers,
Matthias

Question information

Language: English
Status: Answered
For: Ubuntu apparmor
Assignee: No assignee
Last query: 2018-04-12
Last reply: 2018-04-23
A. Denton (aquina) said: #1

Generally speaking, any given virtualization solution, e.g. LXC, has to include some policy for AppArmor. Usually you cannot install Biba+ (or similar) MAC(-alike) systems like AppArmor into a container, or especially(!) into application-based virtualization like Docker. However, SELinux integration for systemd-nspawn seems to exist, since systemd is a bit "special" in that regard. It can therefore be assumed that AppArmor also works, correct user namespaces assumed.

Did https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1652101 provide you with more information, Matthias? Maybe it's also that a profile has to be loaded to enable AppArmor.

There is a -Z, --selinux-context= and a -L, --selinux-apifs-context= switch documented for systemd-nspawn. Besides, there is a --capability= option to add (List one or more additional capabilities to grant the container. Takes a comma-separated list of capability names, see capabilities(7) for more information.) e.g. "CAP_CHOWN", "CAP_DAC_OVERRIDE"... (https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html)

You probably may want to set the right ones for MAC.

Further there is a listing on the web as follows (https://ramsdenj.com/2016/09/23/containerizing-graphical-applications-on-linux-with-systemd-nspawn.html):
$ systemd-nspawn --boot --directory=/var/lib/machines/foo
systemd 231 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization systemd-nspawn. Detected architecture x86-64.

Maybe that is an indicator for more settings/configuration options regarding AppArmor and systemd-nspawn. Good luck!
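The two symptoms in the question (ConditionSecurity=apparmor not met, /sys/module absent in the container) can be checked without systemd. The script below is an added example, not code from the question or the answer: it reproduces the check behind systemd's ConditionSecurity=apparmor (the first character of /sys/module/apparmor/parameters/enabled must be "Y") and additionally looks for the securityfs interface at /sys/kernel/security/apparmor, which apparmor_parser needs to load profiles. The ROOT argument and the make_fake_tree helper are assumptions added so the probe can be pointed at a chroot or a constructed test tree instead of the live host.

```shell
#!/bin/sh
# Usage: aa_probe [ROOT]   (ROOT defaults to the live system, i.e. "")
# Prints one status word and returns:
#   0  "enabled"       : both interfaces present, AppArmor is usable
#   1  "no-module-dir" : /sys/module/apparmor missing (the nspawn symptom)
#   2  "disabled"      : parameter file present but does not start with "Y"
#   3  "no-securityfs" : kernel says enabled, but securityfs is not visible
aa_probe() {
    root="${1:-}"
    param="$root/sys/module/apparmor/parameters/enabled"
    secfs="$root/sys/kernel/security/apparmor"

    if [ ! -d "$root/sys/module/apparmor" ]; then
        echo "no-module-dir"; return 1
    fi
    # Same test systemd applies for ConditionSecurity=apparmor.
    case "$(head -c 1 "$param" 2>/dev/null)" in
        Y) ;;
        *) echo "disabled"; return 2 ;;
    esac
    # apparmor_parser writes profiles through this securityfs directory.
    if [ ! -d "$secfs" ]; then
        echo "no-securityfs"; return 3
    fi
    echo "enabled"; return 0
}

# Constructed helper (assumption, not part of the page): builds a fake
# sysfs tree so the probe can be exercised offline.
#   make_fake_tree DIR ENABLED_VALUE yes|no
# An empty ENABLED_VALUE omits /sys/module entirely, mirroring the
# container in the question; "Y" mirrors the host.
make_fake_tree() {
    dir="$1"; enabled="$2"; want_secfs="$3"
    mkdir -p "$dir/sys/kernel/security"
    if [ -n "$enabled" ]; then
        mkdir -p "$dir/sys/module/apparmor/parameters"
        printf '%s\n' "$enabled" > "$dir/sys/module/apparmor/parameters/enabled"
    fi
    if [ "$want_secfs" = yes ]; then
        mkdir -p "$dir/sys/kernel/security/apparmor"
    fi
    return 0
}
```

Running `aa_probe` with no argument inside the container reports "no-module-dir" for the situation described in the question, while the same call on the host reports "enabled".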
