Re: LSM stacking in next for 6.1?

On 9/7/22 09:41, Casey Schaufler wrote: > On 9/7/2022 7:41 AM, Paul Moore wrote: >> On Tue, Sep 6, 2022 at 8:10 PM John Johansen >> <john.johansen(a)canonical.com&gt; wrote: >>> On 9/6/22 16:24, Paul Moore wrote: >>>> On Fri, Sep 2, 2022 at 7:14 PM Casey Schaufler <casey(a)schaufler-ca.com&gt; wrote: >>>>> On 9/2/2022 2:30 PM, Paul Moore wrote: >>>>>> On Tue, Aug 2, 2022 at 8:56 PM Paul Moore <paul(a)paul-moore.com&gt; wrote: >>>>>>> On Tue, Aug 2, 2022 at 8:01 PM Casey Schaufler <casey(a)schaufler-ca.com&gt; wrote: >> .. >> >>>> If you are running AppArmor on the host system and SELinux in a >>>> container you are likely going to have some *very* bizarre behavior as >>>> the SELinux policy you load in the container will apply to the entire >>>> system, including processes which started *before* the SELinux policy >>>> was loaded. While I understand the point you are trying to make, I >>>> don't believe the example you chose is going to work without a lot of >>>> other changes. >>> correct but the reverse does work ... >> Sure, that doesn't surprise me, but that isn't the example Casey brought up. > > I said that I'm not sure how they go about doing Android on Ubuntu. > I brought it up because I've seen it. LSM stacking for that use case is necessary but insufficient.

At a minimum SELinux would need bounding, and realistically some other gymnastics. I don't hold out hope of it happening soon if ever. I have told the anbox people such.

At the momement anbox disables SELinux when run in a container https://github.com/anbox/platform_system_core/commit/71907fc5e7833866be6a... there has been work on using a VM instead so that they can have SELinux but I am not current on how/when that is used.