Re: [PATCH 00/58] LSM: Module stacking for AppArmor

On Tue, 4 Jun 2019, John Johansen wrote:

> system as a whole is still being protected by selinux. Similar requests 
> have been made for lxd doing system containers. lxd currently supports 
> nested apparmor, so on an ubuntu system you can run suse container, 
> where the ubuntu host is enforcing policy and the suse container is 
> loading and enforcing its policy as well. In this case the policy of the 
> container is bounded by the policy of the host. The goal is to be able 
> to do the same with selinux and smack based systems; LSM stacking is of 
> course only part of what is required to make this work.

Interesting. So you're stacking apparmor with itself, and one is the 
container instance? And you add another stacked apparmor for a 2nd 
container etc.?

> Ubuntu actually has a very small apparmor delta these days, and we are 
> working on eliminating it entirely. There are no patches in Ubuntu that 
> require new hooks. As for the delta wrt to the stacking work, Ubuntu has 
> pulled in a subset of this delta and has been shipping kernels with 
> stacking enabled for 4 releases now and apparmor development is done 
> with LSM stacking in mind.

A subset of these patches from Casey?

-- 
James Morris
<jmorris@xxxxxxxxx>
