Re: [vserver] VServer and AppArmor ? - [runs half way]

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Sun 04 Dec 2016 - 01:43:51 GMT
Message-ID: <20161204014351.GA27461@MAIL.13thfloor.at>

On Sat, Dec 03, 2016 at 08:21:06PM +0100, Christian Recktenwald wrote:
> On Fri, Dec 02, 2016 at 12:59:52PM +0100, Christian Recktenwald wrote:
>> Can one use AppArmor with VServer?
>> Any resources, experiences, tips on that one?

Hey,

> I tried:
> debian 8.6
> Linux 3.10.104-vs2.3.6.9+lihas1 x86_64

> aa-status fails with:
> "apparmor module is loaded.
> You do not have enough privilege to read the profile set."

> according to strace this is because
> /sys/kernel/security/apparmor/profiles
> is missing:
> access("/sys/kernel/security/apparmor/profiles", R_OK) = -1 ENOENT (No such file or directory)
> write(2, "You do not have enough privilege"..., 58You do not have enough privilege to read the profile set.
> ) = 58

And is it missing?

> # ls -al /sys/kernel/security/apparmor
> total 0
> drwxr-xr-x 3 root root 0 Dec 3 19:21 .
> drwxr-xr-x 3 root root 0 Dec 3 19:21 ..
> -rw-r----- 1 root root 0 Dec 3 19:21 .load
> -rw-r----- 1 root root 0 Dec 3 19:21 .remove
> -rw-r----- 1 root root 0 Dec 3 19:21 .replace
> drwxr-xr-x 5 root root 0 Dec 3 19:21 features

> grep -i AppArmor /boot/config-3.10.104-vs2.3.6.9+lihas1
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> # CONFIG_DEFAULT_SECURITY_APPARMOR is not set

> cat /proc/cmdline
> root=/dev/mapper/servvg-lv01root ro apparmor=1 security=apparmor

> _but_ I can load rulesets and they seem to work: if I load
> a ruleset let's say for /usr/bin/mutt on the host it works
> inside all vservers in the same way - so no namespacing
> whatsoever.

Well, I guess there is no 'app-armor' namespace to
unshare and Linux-VServer certainly does not isolate
or virtualize apparmor either so kind of expected.

> as for now there is exactly one vserver where I have to do
> this, so it works for me.

Excellent!

Best,
Herbert

> --
> LiHAS - Adrian Reyer - Hessenwiesenstraße 10 - D-70565 Stuttgart
> Fon: +49 (7 11) 78 28 50 90 - Fax: +49 (7 11) 78 28 50 91
> Mail: lihas_at_lihas.de - Web: http://lihas.de
> Linux, Netzwerke, Consulting & Support - USt-ID: DE 227 816 626 Stuttgart
Received on Sun Dec 4 01:43:45 2016
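
The diagnosis discussed in this thread, as an added example that is not part of the original messages: it separates "profiles file does not exist" from "profiles file is unreadable" (aa-status reports both as a privilege problem) and, since the profile list is unavailable, reads each task's label from /proc/<pid>/attr/current instead. The function names, the `--run` switch and the overridable AA_DIR/PROC_DIR variables are assumptions of this example; labels are assumed to have the form `name (mode)` or `unconfined`.

```shell
#!/bin/sh
# Added example: diagnose AppArmor state when aa-status cannot read the profile set.
# AA_DIR and PROC_DIR default to the real kernel interfaces and can be pointed
# at a constructed directory tree for testing.
AA_DIR="${AA_DIR:-/sys/kernel/security/apparmor}"
PROC_DIR="${PROC_DIR:-/proc}"

# Classify why the profile list is unavailable: absent (ENOENT) vs. unreadable.
aa_profiles_state() {
    dir="${1:-$AA_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no-securityfs"        # securityfs not mounted or AppArmor disabled
    elif [ ! -e "$dir/profiles" ]; then
        echo "profiles-missing"     # the case in this thread: the file does not exist
    elif [ ! -r "$dir/profiles" ]; then
        echo "profiles-unreadable"  # a genuine privilege problem
    else
        echo "ok"
    fi
}

# Split a label such as "/usr/bin/mutt (enforce)" into "profile<TAB>mode".
aa_parse_label() {
    case "$1" in
        unconfined) printf 'unconfined\t-\n' ;;
        *" ("*")")  mode="${1##* (}"; mode="${mode%?}"   # drop the trailing ')'
                    printf '%s\t%s\n' "${1% (*}" "$mode" ;;
        *)          printf '%s\t?\n' "$1" ;;
    esac
}

# List confined tasks as "pid<TAB>profile<TAB>mode" by reading each task's label.
# Run inside a guest, this shows whether a profile loaded on the host applies there.
aa_confined_tasks() {
    proc="${1:-$PROC_DIR}"
    for f in "$proc"/[0-9]*/attr/current; do
        [ -r "$f" ] || continue
        label="$(cat "$f" 2>/dev/null)" || continue
        [ -n "$label" ] && [ "$label" != "unconfined" ] || continue
        pid=${f#"$proc"/}; pid=${pid%%/*}
        printf '%s\t%s\n' "$pid" "$(aa_parse_label "$label")"
    done
}

if [ "${1:-}" = "--run" ]; then
    echo "profile list: $(aa_profiles_state)"
    aa_confined_tasks
fi
```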
