Hello
I'm trying to make Apparmor work inside debian containers ( on proxmox 6), i mean nested apparmor rules (container rules for services running inside the container).
I've come with a working configuration on a default debian Buster, by adding the following to the LXC container configuration:
#the ubuntu one has the needed /sys mounts
lxc.include: /usr/share/lxc/config/ubuntu.common.conf
lxc.include: /usr/share/lxc/config/nesting.conf
lxc.apparmor.profile: generated
lxc.cap.drop:
lxc.cap.drop: sys_time sys_module sys_rawio
lxc.apparmor.allow_nesting: 1
and it works almost perfectly inside the vps. There are only 2 downsides:
1) Profiles need to be reenforced on container start as it doesn't save them
2) Network rules are ignored and never enforced
With proxmox it's annoying as it will reorder some things inside the LXC configuration, but we can do this trick in the proxmox container configuration:
replace
ostype: debian
with
ostype: ubuntu
This forces the lxc configuration to have ubuntu.common.conf which contains the required /sys mounts
and add:
features: nesting=1
There is the same issue that apparmor profiles need to be reenforced on boot, but there is one huge issue:
Network rules for DGRAM and RAW packets are enforced but CANNOT be whitelisted.
For example adding an apparmor profile for traceroute will trigger
[XXX] audit: type=1400 audit(XXX): apparmor="DENIED" operation="create" namespace="root//lxc-XXXXXX_<-var-lib-lxc>" profile="traceroute" pid=2451 comm="traceroute" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
even if we allow dgram/raw packets in the profile
This bug was already present on a default debian stretch, but it is fixed in a default debian buster install by simply ignoring network rules.
I don't know if it's a proxmox kernel bug but right now i'm unable to have a working apparmor inside proxmox containers.
Did anybody succeed?
I'm trying to make Apparmor work inside debian containers ( on proxmox 6), i mean nested apparmor rules (container rules for services running inside the container).
I've come with a working configuration on a default debian Buster, by adding the following to the LXC container configuration:
#the ubuntu one has the needed /sys mounts
lxc.include: /usr/share/lxc/config/ubuntu.common.conf
lxc.include: /usr/share/lxc/config/nesting.conf
lxc.apparmor.profile: generated
lxc.cap.drop:
lxc.cap.drop: sys_time sys_module sys_rawio
lxc.apparmor.allow_nesting: 1
and it works almost perfectly inside the vps. There are only 2 downsides:
1) Profiles need to be reenforced on container start as it doesn't save them
2) Network rules are ignored and never enforced
With proxmox it's annoying as it will reorder some things inside the LXC configuration, but we can do this trick in the proxmox container configuration:
replace
ostype: debian
with
ostype: ubuntu
This forces the lxc configuration to have ubuntu.common.conf which contains the required /sys mounts
and add:
features: nesting=1
There is the same issue that apparmor profiles need to be reenforced on boot, but there is one huge issue:
Network rules for DGRAM and RAW packets are enforced but CANNOT be whitelisted.
For example adding an apparmor profile for traceroute will trigger
[XXX] audit: type=1400 audit(XXX): apparmor="DENIED" operation="create" namespace="root//lxc-XXXXXX_<-var-lib-lxc>" profile="traceroute" pid=2451 comm="traceroute" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
even if we allow dgram/raw packets in the profile
This bug was already present on a default debian stretch, but it is fixed in a default debian buster install by simply ignoring network rules.
I don't know if it's a proxmox kernel bug but right now i'm unable to have a working apparmor inside proxmox containers.
Did anybody succeed?
Last edited:
