Ubuntu LXC DNS/networking blocked by AppArmor

AxxelH
Nov 21, 2020
I have an Ubuntu 24.04 LXC built using the latest template. The intention is to have this run Steam and other gaming binaries, not all of which come from the Ubuntu repos (some downloaded deb files, like Heroic Launcher). These are running over VNC (if this is relevant let me know and I can provide details).

I've been trying to work out why certain binaries (Steam, Heroic Launcher) can't access the network when running in the container, and have realized the problem is apparmor. I can see apparmor refuse the connections in the Proxmox host's kernel log.

What's confusing about this is that the apparmor profiles for these apps in the container are quite permissive:

Code:
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/steam>
}
And I presume this must work on a default Ubuntu kernel and apparmor. Removing the apparmor config from the LXC's /etc/apparmor.d fixes things, so it's not a result of the profile in the host's apparmor from what I can see.

Adding:
Code:
network inet stream,
network inet dgram,

To /etc/apparmor.d/local/steam in the LXC fixes things as well, though I suppose other operations may be blocked and I haven't noticed yet.

Where should I be looking for the apparmor rule that blocks network for these apps?
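A practical way to answer "which rule is missing" is to read the denials the host kernel log already contains rather than guess: each AppArmor network denial names the profile, the socket family and the socket type, and those three fields map directly onto the `network <family> <sock_type>,` rule syntax used in the post. The script below is an added example, not code from the original post or from Proxmox or Ubuntu; it parses constructed sample log lines in the format `dmesg` / `journalctl -k` emit for AppArmor audit events and prints the minimal rule set per profile. The profile names, PIDs and timestamps in the sample are made up.

```python
import re

# Constructed sample of AppArmor audit lines as they appear in the host kernel
# log (dmesg / journalctl -k). The last line is an unrelated file event and
# should be ignored by the parser. These lines are made up for this example.
SAMPLE_LOG = """\
[12345.678901] audit: type=1400 audit(1700000000.123:456): apparmor="DENIED" operation="create" class="net" profile="steam" pid=4242 comm="steam" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
[12345.679001] audit: type=1400 audit(1700000000.124:457): apparmor="DENIED" operation="create" class="net" profile="steam" pid=4242 comm="steam" family="inet" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
[12345.679101] audit: type=1400 audit(1700000000.125:458): apparmor="DENIED" operation="create" class="net" profile="heroic" pid=4300 comm="heroic" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
[12345.679201] audit: type=1400 audit(1700000000.126:459): apparmor="ALLOWED" operation="open" class="file" profile="steam" name="/tmp/x" pid=4242 comm="steam" requested_mask="r" denied_mask="r"
"""

# AppArmor audit records are space-separated key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Return one dict of fields per DENIED network event in the log text.

    Lines that are not denials, or that carry no socket family/type
    (file, capability, signal events, ...), are skipped.
    """
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(KV_RE.findall(line))
        if "family" not in fields or "sock_type" not in fields:
            continue
        denials.append(fields)
    return denials


def suggest_rules(denials):
    """Map each network denial to the minimal AppArmor rule that would allow it.

    Returns {profile_name: sorted list of rule strings}. The rules are meant
    to go into the profile's local override file, e.g. local/steam, which the
    main profile pulls in via "include if exists <local/steam>".
    """
    rules = {}
    for d in denials:
        rule = f'network {d["family"]} {d["sock_type"]},'
        rules.setdefault(d["profile"], set()).add(rule)
    return {profile: sorted(r) for profile, r in rules.items()}


def main():
    # On a real host, feed the output of `journalctl -k` or `dmesg` instead.
    for profile, rule_list in suggest_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"# rules needed for profile '{profile}':")
        for rule in rule_list:
            print("  " + rule)


if __name__ == "__main__":
    main()
```

Running it against the sample prints `network inet dgram,` and `network inet stream,` for the `steam` profile, which is exactly the pair the post found by hand, plus an `inet6` rule for the second profile. Re-running it after each change, rather than adding rules speculatively, shows whether any other operations (file, capability, signal) are still being refused.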