Hi again Fabian & release team,

Fabian Grünbichler:
> On Wed, Dec 06, 2017 at 03:28:03PM +0100, intrigeri wrote:
>> > it potentially breaks systems using a custom/backports/newer kernel
>> > and AA profiles requiring features not supported by the pinned 4.9
>> > feature set.
>>
>> In this case, "breaks" == the AppArmor confinement becomes weaker,
>> but the application keeps working.

> not the case for all scenarios unfortunately. LXC containers using the
> upstream profiles (and a kernel supporting the needed features) don't
> start anymore:

> apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13
> profile="/usr/bin/lxc-start" name="/" pid=21550 comm="lxc-start" flags="rw,
> rslave"

Wow. Assuming you're indeed running with the 4.9 feature set I've
uploaded, that's definitely a bug: the 4.9 feature set is supposed to
fully disable mount mediation, so a mount denial should never happen.

At first glance this very much looks like a bug in the custom kernel
you're using.

If you can reproduce this with a pristine 4.13 or 4.14 Debian kernel,
then I'm very sorry and I agree we should revert this s-p-u until this
kernel bug is fixed in mainline; I'll gladly help you report this bug
upstream.

If, however, you can't reproduce this bug with a Debian kernel, well,
then it's a bug in the kernel patches you've applied and I think we
should leave s-p-u as-is.

Possibly helpful: can you please share the content of
/etc/apparmor.d/cache/.features on the system that exposes this
problem?

Cheers,
-- 
intrigeri
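The diagnostic intrigeri asks for above, as an added example that is not part of this thread, of Debian's apparmor packaging or of AppArmor itself: it parses the brace-nested listing that apparmor_parser caches in /etc/apparmor.d/cache/.features (the path named in the message), reports whether the set advertises a top-level mount block at all, and diffs it against a second feature file in the same text format for the running kernel. The two embedded feature listings are constructed, abbreviated samples, not real dumps, and the file arguments, function names and the assumption that the kernel's set is available to you as a text file in this format are mine.

```python
#!/usr/bin/env python3
"""Flatten and compare AppArmor feature files (added example, not AppArmor's
or Debian's own code).  Grammar: a word followed by '{' opens a block, any
other word is a leaf, e.g.   mount {mask {mount umount pivot_root\n}\n}"""
import re
import sys
from typing import List, Set, Tuple

_TOKEN = re.compile(r"\{|\}|[^\s{}]+")  # braces and whitespace-separated words


def flatten_features(text: str) -> Set[str]:
    """Return every block and leaf as a slash-joined path: 'mount',
    'mount/mask', 'mount/mask/umount', ...  Raises ValueError on bad nesting."""
    paths: Set[str] = set()
    stack: List[str] = []
    pending = None  # last word seen; it becomes a block name if '{' follows
    for tok in _TOKEN.findall(text):
        if tok == "{":
            if pending is None:
                raise ValueError("'{' without a preceding block name")
            stack.append(pending)
            paths.add("/".join(stack))
            pending = None
        elif tok == "}":
            if pending is not None:  # flush the last leaf of the block
                paths.add("/".join(stack + [pending]))
                pending = None
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            if pending is not None:  # previous word was a leaf, not a block
                paths.add("/".join(stack + [pending]))
            pending = tok
    if stack:
        raise ValueError("unclosed block(s): " + "/".join(stack))
    if pending is not None:
        paths.add(pending)
    return paths


def mediates_mount(text: str) -> bool:
    """True if the set has a top-level 'mount' block, i.e. the parser will
    compile mount rules and expects the kernel to enforce them."""
    return "mount" in flatten_features(text)


def diff_features(pinned_text: str, kernel_text: str) -> Tuple[List[str], List[str]]:
    """(paths only in the pinned set, paths only in the kernel's set)."""
    pinned, kernel = flatten_features(pinned_text), flatten_features(kernel_text)
    return sorted(pinned - kernel), sorted(kernel - pinned)


# Constructed, abbreviated samples (assumption: shaped like real dumps, but
# not copied from any system): a 4.9-style pinned set without a mount block,
# and a newer kernel's set that is identical except for the added mount block.
PINNED_49_SAMPLE = """caps {mask {chown dac_override sys_admin
}
}
capability {0xffffff
}
file {mask {read write exec append mmap_exec link lock
}
}
network {af_mask {unspec unix inet inet6
}
}
policy {versions {v7 {yes
}
v6 {yes
}
}
}
"""
KERNEL_414_SAMPLE = PINNED_49_SAMPLE + """mount {mask {mount umount pivot_root
}
}
"""


def main(argv: List[str]) -> int:
    # usage: features_diff.py PINNED_FEATURES_FILE KERNEL_FEATURES_FILE
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            pinned, kernel = f1.read(), f2.read()
    else:
        pinned, kernel = PINNED_49_SAMPLE, KERNEL_414_SAMPLE
    print("pinned set mediates mount:", mediates_mount(pinned))
    print("kernel set mediates mount:", mediates_mount(kernel))
    only_pinned, only_kernel = diff_features(pinned, kernel)
    for p in only_pinned:
        print("only in pinned set (rules the kernel may reject):", p)
    for p in only_kernel:
        print("only in kernel set (profiles cannot use it; weaker confinement):", p)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments it works on the embedded samples; with two paths it compares the pinned .features cache against a feature file for the running kernel. A mount block present in the pinned set would mean the parser did compile mount rules, which is the first thing to rule out when a DENIED operation="mount" shows up under a feature set that is meant to disable mount mediation; paths that only appear in the kernel's set are the expected, benign case of weaker confinement that the quoted discussion is about.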