On 6/5/19 1:53 PM, James Morris wrote:
> On Tue, 4 Jun 2019, John Johansen wrote:
>
>> Yes, on Ubuntu & suse you can launch lxd system containers with the
>> container having a system policy bounding the container, and the container
>> having its own apparmor policy namespace. So it loads and has its own
>> policy that is enforced.
>>
>> This allows for us to run older versions of ubuntu (say 16.04) on an
>> 18.04 host, and have the 16.04 policy behave just as if it was the host.
>
> How well does the LSM stacking scale to 100s or more containers?
>

Actually really well. The cost isn't really based on how many containers
but how many LSMs are registered and how nested we are.

How we are currently handling it is apparmor is registered once, and it is
responsible for looping on its bounding. So for tasks that are not in the
container there is no additional cost. For tasks in the first container,
there is an extra cost of enforcing the extra layer of apparmor policy
loaded in the container. If you do container in container there are two
extra levels of apparmor policy.

This does rely on apparmor doing its own namespacing and bounding. LSM
stacking just allows us to start doing this with apparmor containers on
smack and selinux based systems.

>> This approach won't be an option for the 19.10 release and we will be
>> needing the full patchset. I should be able to provide some benchmark
>> and testing data soon.
>
> Great.
>