diff --git a/how-to-setup-a-policy-namespace-for-containers.md b/how-to-setup-a-policy-namespace-for-containers.md index 5c5735b..9ea33f9 100644 --- a/how-to-setup-a-policy-namespace-for-containers.md +++ b/how-to-setup-a-policy-namespace-for-containers.md 
@@ -251,48 +251,48 @@ reap apparmor policy namespaces so when your container dies. ???? todo -# ??Errors +# Failures and Issues -apparmor enabled +* Can't create policy ns + - apparmor not enabled + - policy interface not mounted/available + - No authority to manage policy + +* Policy fails to load + - apparmor not enabled + - policy interface not mounted/available + - No authority to manage policy + +* Can't transition to policy namespace + - check that the policy namespace was successfully created + - check for apparmor denials + - exec + - nnp + - ensure you are using a 4.17+ kernel + - safe exec + - mmap failures + - failure open executable + - denials leading exec to immediately exit + - task being killed + - change_profile failures + +* Can't set the display LSM + - checkout that ```/proc/self/attr/display``` exists + - if not you need a kernel with the display LSM patches + - check that the specified LSM exists + - check that you have permission to write ```/proc/self/attr/display``` + - check that you are not writing another task's ```/proc/self/attr/display``` + - check that if you are using a thread it is writing its own ```/proc//attr/display```. 
Only the lead thread can write to ```/proc/self/attr/display``` + + + +AppArmor Enabled - apparmor built into the kernel - config param set - kernel security param set -can't create policy ns -- apparmor not enabled -- policy interface not mounted/available -- No authority to manage policy - -policy fails to load -- apparmor not enabled -- policy interface not mounted/available -- No authority to manage policy - -can't transition to policy namespace -- check that the policy namespace was successfully created -- check for apparmor denials - - exec - - nnp - - ensure you are using a 4.17+ kernel - - safe exec - - mmap failures - - failure open executable - - denials leading exec to immediately exit - - task being killed - - change_profile failures - -can't set the display ns -- checkout that ```/proc/self/attr/display``` exists - - if not you need a kernel with the display LSM patches -- check that the specified LSM exists -- check that you have permission to write ```/proc/self/attr/display``` -- check that you are not writing another task's ```/proc/self/attr/display``` -- check that if you are using a thread it is writing its own ```/proc//attr/display```. One the lead thread can write to ```/proc/self/attr/display``` - - policy interface mounted - no-new-privs (nnp) Tasks can the nnp flag through a prctl which prevents the task and its children from gaining new privileges. The nnp flag can prevent apparmor policy confining the task to transition to a new profile.
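Review bot: the thread-specific check in the new "Can't set the display LSM" list still carries an empty path segment, `/proc//attr/display`, where the thread id belongs; since the sentence tells a thread to write "its own" file, spell out the per-thread location (Linux exposes per-thread attr files under `/proc/<pid>/task/<tid>/attr/`) or at least leave a `<tid>` placeholder, otherwise the reader cannot tell it apart from `/proc/self/attr/display`, which the following sentence says only the lead thread may write. Two smaller points in the same list: "checkout that" should read "check that", and the inline paths are wrapped in triple backticks (```/proc/self/attr/display```) where single backticks are the markdown convention for inline code, so they risk rendering as empty code blocks. Also worth confirming that the nesting under "check for apparmor denials" survived the move: in the removed block "exec", "nnp" and "ensure you are using a 4.17+ kernel" sat at increasing depth, while in the added block they appear at the same level as their parent.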