Source: lxc
Version: 1:1.0.8-1
Severity: normal

Ohai!

LXC in Stretch/Sid (but also in Jessie) is compiled with AppArmor support. However, the code will check for the existence of the mount restrictions feature (by trying to open /sys/kernel/security/apparmor/features/mount/mask) and silently fail if this is not possible. See [1][2] for the actual code.

That would be okay if the start of an LXC container which has lxc.aa_profile set to something sensible (like lxc-container-default) would tell the user that the requested config could not be fulfilled. But it does not. The container will start just fine and the user will only notice the fact from looking at "ps auxZ" and seeing the container being placed into the lxc-start label instead of the lxc-container-default one.

Please note that upstream has changed this behaviour in 7aff4f43fd84b021db12b2ffed1a4aa1b4cf65ef ([3], in lxc 1.1.0) to warn the user and still enable the working AppArmor features.

Greets
Evgeni

[1] https://sources.debian.net/src/lxc/1:1.0.8-1/src/lxc/lsm/apparmor.c/#L43
[2] https://sources.debian.net/src/lxc/1:1.0.6-6%2Bdeb8u2/src/lxc/lsm/apparmor.c/#L43
[3] https://github.com/lxc/lxc/commit/7aff4f43fd84b021db12b2ffed1a4aa1b4cf65ef

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
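Since the affected lxc version gives no warning, an operator has to verify the confinement after the fact. The following is an added example (not code from lxc or from this report) that performs the same probe the report describes and compares a container's live AppArmor label with the profile requested in lxc.aa_profile; it assumes the label is readable from /proc/<pid>/attr/current in the usual "<profile> (<mode>)" form, and the sample label strings are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Detect the silent AppArmor fallback described in the report:
the container starts, but under the lxc-start label rather than the
profile named by lxc.aa_profile.  Added example, not LXC's own code."""
import re

# Path the report says lxc probes to decide whether mount rules are usable.
MOUNT_FEATURE_PATH = "/sys/kernel/security/apparmor/features/mount/mask"

# Constructed sample contents of /proc/<pid>/attr/current (assumption:
# the kernel reports "<profile> (<mode>)" or just "unconfined").
SAMPLE_OK = "lxc-container-default (enforce)\n"
SAMPLE_FALLBACK = "lxc-start (enforce)\n"


def mount_feature_available(path=MOUNT_FEATURE_PATH):
    """True when the kernel advertises AppArmor mount mediation.
    Mirrors the probe in the report: try to open the mask file."""
    try:
        with open(path) as f:
            f.read()
        return True
    except OSError:
        return False


def parse_attr_current(text):
    """Split attr/current content into (profile, mode); mode is None
    for 'unconfined'."""
    m = re.match(r"^(\S+)(?:\s+\((\w+)\))?\s*$", text)
    if not m:
        raise ValueError("unexpected attr/current content: %r" % text)
    return m.group(1), m.group(2)


def profile_mismatch(requested, attr_current_text):
    """Return a problem description, or None when the process runs
    under the requested profile."""
    actual, _mode = parse_attr_current(attr_current_text)
    if actual == requested:
        return None
    if actual == "lxc-start":
        return ("container left under the lxc-start label; lxc.aa_profile=%s "
                "was silently not applied (mount feature available: %s)"
                % (requested, mount_feature_available()))
    return "expected profile %s but process is under %s" % (requested, actual)


def check_container(init_pid, requested):
    """Read the live label of a container's init PID and compare it."""
    with open("/proc/%d/attr/current" % init_pid) as f:
        return profile_mismatch(requested, f.read())
```

Run check_container(<pid of the container's init>, "lxc-container-default") on the host; a non-None result is the condition the report says lxc 1.0.8 never warns about.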