Public bug reported:

apparmor is not loading for Ubuntu containers under incus. This is due to `/lib/apparmor/rc.apparmor.functions` (18.04 uses `/lib/apparmor/functions`):

```
is_container_with_internal_policy() {
    # this function is sometimes called independently of
    # is_apparmor_loaded(), so also define this here.
    local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
    local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
    local ns_stacked
    local ns_name

    if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
        return 1
    fi

    read -r ns_stacked < "$ns_stacked_path"
    if [ "$ns_stacked" != "yes" ]; then
        return 1
    fi

    # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
    # "lxc-", respectively. Return non-zero for all other namespace
    # identifiers.
    read -r ns_name < "$ns_name_path"
    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
       [ "${ns_name#lxc-*}" = "$ns_name" ]; then
        return 1
    fi

    return 0
}
```

This can be fixed by adjusting it to have:

```
    # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-",
    # "lxc-", and "incus-" respectively. Return non-zero for all other namespace
    # identifiers.
    read -r ns_name < "$ns_name_path"
    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
       [ "${ns_name#lxc-*}" = "$ns_name" ] && \
       [ "${ns_name#incus-*}" = "$ns_name" ] ; then
        return 1
    fi
```

References:
* https://github.com/lxc/incus/issues/740

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: apparmor (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: apparmor (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: apparmor (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: apparmor (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Also affects: apparmor (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Description changed:

  apparmor is not loading for Ubuntu containers under incus.
This is due to `/lib/apparmor/rc.apparmor.functions` (18.04 uses `/lib/apparmor/functions`): + is_container_with_internal_policy() { + # this function is sometimes called independently of + # is_apparmor_loaded(), so also define this here. + local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked" + local ns_name_path="${SFS_MOUNTPOINT}/.ns_name" + local ns_stacked + local ns_name - is_container_with_internal_policy() { - # this function is sometimes called independently of - # is_apparmor_loaded(), so also define this here. - local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked" - local ns_name_path="${SFS_MOUNTPOINT}/.ns_name" - local ns_stacked - local ns_name + if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then + return 1 + fi - if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then - return 1 - fi + read -r ns_stacked < "$ns_stacked_path" + if [ "$ns_stacked" != "yes" ]; then + return 1 + fi - read -r ns_stacked < "$ns_stacked_path" - if [ "$ns_stacked" != "yes" ]; then - return 1 - fi + # LXD and LXC set up AppArmor namespaces starting with "lxd-" and + # "lxc-", respectively. Return non-zero for all other namespace + # identifiers. + read -r ns_name < "$ns_name_path" + if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ + [ "${ns_name#lxc-*}" = "$ns_name" ]; then + return 1 + fi - # LXD and LXC set up AppArmor namespaces starting with "lxd-" and - # "lxc-", respectively. Return non-zero for all other namespace - # identifiers. - read -r ns_name < "$ns_name_path" - if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ - [ "${ns_name#lxc-*}" = "$ns_name" ]; then - return 1 - fi - - return 0 + return 0 } - ``` This can be fixed by adjusting it to have: - ``` - # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-", - # "lxc-", and "incus-" respectively. Return non-zero for all other namespace - # identifiers. 
- read -r ns_name < "$ns_name_path" - if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ - [ "${ns_name#lxc-*}" = "$ns_name" ] && \ - [ "${ns_name#incus-*}" = "$ns_name" ] ; then - return 1 - fi - return 0 + # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-", + # "lxc-", and "incus-" respectively. Return non-zero for all other namespace + # identifiers. + read -r ns_name < "$ns_name_path" + if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ + [ "${ns_name#lxc-*}" = "$ns_name" ] && \ + [ "${ns_name#incus-*}" = "$ns_name" ] ; then + return 1 + fi References: * https://github.com/lxc/incus/issues/740

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2060535

Title:
  apparmor's is_container_with_internal_policy() does not recognize incus

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Bionic:
  New
Status in apparmor source package in Focal:
  New
Status in apparmor source package in Jammy:
  New
Status in apparmor source package in Noble:
  New
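Review bot: the two removed fence lines (`- ``` This can be fixed by adjusting it to have:` and the bare `- ``` ` just before `- # LXD, LXC and incus`) have no `+` counterpart, so the edited description drops the code fences around both the quoted function and the proposed fix; that is why both snippets arrive as run-together text in this notification, and the fences (or an indented block) should be restored. The old fix snippet's trailing `- return 0` is also dropped without a `+` replacement; since the function's own `+ return 0 }` is still present this only works because the snippet replaces just the ns_name check, so the description should say that the lines shown replace that block rather than the whole function.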
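As an added example (not part of the bug report and not the apparmor package's own script), here is the proposed `is_container_with_internal_policy()` run against a constructed securityfs stand-in: `SFS_MOUNTPOINT` is pointed at a temporary directory holding fabricated `.ns_stacked` and `.ns_name` files, so the `lxd-`, `lxc-` and `incus-` prefixes, an unknown prefix, an unstacked namespace and missing files can all be exercised without a real container. The helpers `fake_sfs`, `check` and `unpatched_prefix_ok` are this example's own; the last one repeats only the prefix test from the shipped code so the incus failure the report describes is visible next to the fixed result.

```shell
#!/bin/sh
# Added example, not the apparmor package's own code: exercise the patched
# is_container_with_internal_policy() against a constructed securityfs
# stand-in. SFS_MOUNTPOINT normally points at /sys/kernel/security/apparmor;
# here it is a temp dir holding fabricated .ns_stacked and .ns_name files.

# The check as proposed in the report, with the incus- prefix added.
is_container_with_internal_policy() {
    local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
    local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
    local ns_stacked
    local ns_name

    if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
        return 1
    fi

    read -r ns_stacked < "$ns_stacked_path"
    if [ "$ns_stacked" != "yes" ]; then
        return 1
    fi

    # LXD, LXC and incus set up AppArmor namespaces starting with "lxd-",
    # "lxc-", and "incus-" respectively. Return non-zero for all other
    # namespace identifiers.
    read -r ns_name < "$ns_name_path"
    if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
       [ "${ns_name#lxc-*}" = "$ns_name" ] && \
       [ "${ns_name#incus-*}" = "$ns_name" ]; then
        return 1
    fi
    return 0
}

# Prefix test as shipped before the fix (lxd-/lxc- only), kept for
# comparison. Helper assumed by this example. Returns 0 when recognized.
unpatched_prefix_ok() {
    [ "${1#lxd-*}" != "$1" ] || [ "${1#lxc-*}" != "$1" ]
}

# fake_sfs STACKED NAME: build the stand-in directory and point
# SFS_MOUNTPOINT at it (helper assumed by this example). Pass "-" for a
# field to leave that file out entirely.
fake_sfs() {
    SFS_MOUNTPOINT=$(mktemp -d)
    [ "$1" = "-" ] || printf '%s\n' "$1" > "$SFS_MOUNTPOINT/.ns_stacked"
    [ "$2" = "-" ] || printf '%s\n' "$2" > "$SFS_MOUNTPOINT/.ns_name"
}

# check STACKED NAME: print the patched function's exit status for one
# constructed case (0 = the init script loads the container's own profiles,
# 1 = it skips them), then remove the temp dir.
check() {
    fake_sfs "$1" "$2"
    if is_container_with_internal_policy; then rc=0; else rc=1; fi
    rm -rf "$SFS_MOUNTPOINT"
    echo "$rc"
}

# Constructed cases; the incus-c1 name stands in for what incus writes.
for tc in "yes lxd-c1" "yes lxc-c1" "yes incus-c1" "yes other-c1" \
          "no incus-c1" "- incus-c1" "yes -"; do
    set -- $tc
    printf 'stacked=%-3s ns_name=%-9s patched -> %s\n' "$1" "$2" "$(check "$1" "$2")"
done

# The shipped prefix test alone, to show the original failure on incus-:
unpatched_prefix_ok incus-c1 || echo "unpatched prefix test rejects incus-c1 (profiles would not load)"
```

Running it prints one line per constructed case; only the three recognised prefixes with `.ns_stacked` set to `yes` yield `0`, and the final line shows that the pre-fix prefix test rejects the incus name, which is exactly the condition under which the container's AppArmor profiles are silently never loaded.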