Hi,

Actually, it seems AppArmor has support for containers and can have a specific profile for inside the containers only. Docker does support it: https://docs.docker.com/engine/security/apparmor/

Agree it shouldn't be too hard to hook this into nspawn... I don't really use AppArmor or know it well though, so I'm not best placed to test it...

Cheers,
Filipe

On Thu, Apr 12, 2018 at 2:48 AM, Lennart Poettering <lennart at poettering.net> wrote:

> On Di, 10.04.18 18:16, Matthias Pfau (matthias at tutanota.de) wrote:
>
> > Hi there,
> >
> > we use apparmor on our production systems and want to test the setup in our test environment based on systemd-nspawn.
> >
> > Therefore, I installed apparmor on the host (debian stretch) and updated GRUB_CMDLINE_LINUX in /etc/default/grub to enable apparmor. I can use apparmor on the host system. However, within my containers, apparmor cannot be started.
> >
> > `journalctl -kf` does not print anything when invoking `systemctl start apparmor` on the container and `systemctl status apparmor` just returns "ConditionSecurity=apparmor was not met".
> >
> > Is it possible to run apparmor in a container?
>
> Uh, I have no experience with AA but to my knowledge none of the kernel MACs (AA, SMACK, SELinux) are virtualized for container environments, i.e. there can only be one system policy, and containers tend to be managed under a single context only as a whole.
>
> But I'd be happy to be proved wrong, as I never touched AA, so I don't really know.
>
> If AA should indeed be virtualizable for containers then making nspawn support it is likely very easy, but I have my doubts it is...
>
> Please contact the AA community, and ask them whether AA containers can load their own policies. If yes, then please file an RFE issue against systemd, asking us to add support for this, with links to the APIs. Best chance to get this implemented quickly would be to file a patch too, we'd be happy to review that.
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
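As an added diagnostic (not part of this thread, and not systemd's or AppArmor's own code), the POSIX shell script below reads the kernel interfaces that back systemd's `ConditionSecurity=apparmor` test and separates "kernel AppArmor is off" from "securityfs is not visible in this mount namespace", which is the usual state inside an nspawn container even when the host booted with AppArmor. It assumes the standard paths `/sys/module/apparmor/parameters/enabled`, `/sys/kernel/security/apparmor/profiles` and `/proc/self/attr/current`; the ROOT argument exists so the same checks can be pointed at a constructed tree instead of the live system.

```shell
#!/bin/sh
# apparmor_state ROOT: probe the kernel's AppArmor state under ROOT ("" or "/" for the
# live system). Prints one word (plus profile count when enabled) and returns 0 only
# when policy could actually be loaded from here:
#   absent        kernel has no AppArmor module at all
#   disabled      module present but not enabled (host needs apparmor=1 security=apparmor)
#   no-securityfs enabled, but /sys/kernel/security/apparmor is not mounted/visible in
#                 this namespace, so profiles cannot be loaded from this container
#   enabled N     apparmorfs reachable, N profiles currently loaded
apparmor_state() {
    root="${1:-}"
    enabled="$root/sys/module/apparmor/parameters/enabled"
    apparmorfs="$root/sys/kernel/security/apparmor"
    if [ ! -r "$enabled" ]; then
        echo "absent"; return 1
    fi
    if [ "$(cat "$enabled")" != "Y" ]; then
        echo "disabled"; return 1
    fi
    if [ ! -d "$apparmorfs" ]; then
        echo "no-securityfs"; return 1
    fi
    # grep -c exits 1 when the count is 0; keep the count and ignore the status
    n=$(grep -c . "$apparmorfs/profiles" 2>/dev/null || true)
    echo "enabled ${n:-0}"; return 0
}

# confinement_label ROOT: AppArmor label of the calling task, e.g. "unconfined" or
# "some-profile (enforce)". Inside a container this shows whether the host already
# confined the whole container under one profile.
confinement_label() {
    f="${1:-}/proc/self/attr/current"
    if [ -r "$f" ]; then tr -d '\n' < "$f"; else echo "unknown"; fi
}

# report ROOT: human-readable summary; always returns 0 so it is safe to call at top level
report() {
    echo "kernel apparmor: $(apparmor_state "$1" || true)"
    echo "task label:      $(confinement_label "$1")"
    return 0
}

report "${1:-}"
```

Run it on the host and then inside the container (`systemd-nspawn ... sh /path/to/script.sh`); "enabled" on the host and "no-securityfs" in the container is the split that produces the `ConditionSecurity=apparmor was not met` message seen above.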