Hi,

Actually, it seems AppArmor has support for containers and can have a specific profile for inside the containers only.

Docker does support it: https://docs.docker.com/engine/security/apparmor/

Agree it shouldn't be too hard to hook this into nspawn... I don't really use AppArmor or know it well though, so I'm not best placed to test it...

Cheers,
Filipe

On Thu, Apr 12, 2018 at 2:48 AM, Lennart Poettering <[email protected]> wrote:
> On Di, 10.04.18 18:16, Matthias Pfau ([email protected]) wrote:
>
> > Hi there,
> >
> > we use apparmor on our production systems and want to test the setup in our test environment based on systemd-nspawn.
> >
> > Therefore, I installed apparmor on the host (debian stretch) and updated GRUB_CMDLINE_LINUX in /etc/default/grub to enable apparmor. I can use apparmor on the host system. However, within my containers, apparmor cannot be started.
> >
> > `journalctl -kf` does not print anything when invoking `systemctl start apparmor` on the container and `systemctl status apparmor` just returns "ConditionSecurity=apparmor was not met".
> >
> > Is it possible to run apparmor in a container?
>
> Uh, I have no experience with AA but to my knowledge none of the kernel MACs (AA, SMACK, SELinux) are virtualized for container environments, i.e. there can only be one system policy, and containers tend to be managed under a single context only as a whole.
>
> But I'd be happy to be proved wrong, as I never touched AA, so I don't really know.
>
> If AA should indeed be virtualizable for containers then making nspawn support it is likely very easy, but I have my doubts it is...
>
> Please contact the AA community, and ask them whether AA containers can load their own policies. If yes, then please file an RFE issue against systemd, asking us to add support for this, with links to the APIs. Best chance to get this implemented quickly would be to file a patch too, we'd be happy to review that.
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
> _______________________________________________
> systemd-devel mailing list
> [email protected]
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
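A small diagnostic, added here as an example and not code from the thread or from systemd, that can be run first on the host and then inside the nspawn container to see at which layer the "ConditionSecurity=apparmor was not met" result arises: the kernel LSM flag, the securityfs interface needed to load profiles, or the label the container's processes already carry under the host's policy. The optional root-prefix argument is an assumption of this script so the checks can also be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the thread or systemd).
# Layer 1 reads the same file that systemd's ConditionSecurity=apparmor
# checks: /sys/module/apparmor/parameters/enabled.
# Layer 2 checks the securityfs interface that apparmor_parser needs in
# order to load profiles; without it no policy can be loaded from this
# mount namespace, whatever the host kernel supports.
# The first argument is a hypothetical root prefix ("" = real filesystem)
# so the functions can be tested against a constructed tree.

apparmor_layer() {
    root="${1:-}"
    enabled_file="$root/sys/module/apparmor/parameters/enabled"
    secfs_dir="$root/sys/kernel/security/apparmor"

    # Layer 1: AppArmor LSM built in and enabled (apparmor=1 security=apparmor)?
    [ -r "$enabled_file" ] || { echo "lsm-absent"; return 0; }
    case "$(cat "$enabled_file")" in
        Y|y|1) ;;
        *) echo "lsm-disabled"; return 0 ;;
    esac

    # Layer 2: securityfs interface reachable from this namespace?
    [ -d "$secfs_dir" ] || { echo "no-securityfs"; return 0; }

    echo "usable"
}

# Profile label of the calling process, read from /proc/self/attr/current:
# "unconfined", or the single profile the host applied to the container.
apparmor_label() {
    root="${1:-}"
    f="$root/proc/self/attr/current"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    label=$(tr -d '\n' < "$f" 2>/dev/null) || label="unknown"
    echo "${label:-unknown}"
}

echo "apparmor layer: $(apparmor_layer)"
echo "process label:  $(apparmor_label)"
```

Run on the host the first line should read `usable`; inside the container, whichever earlier word appears names the layer that nspawn does not make available.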