(This post is now obsolete: see here for a better fix.)
So, for those of you who have been following along with this saga from the beginning, I have recently fixed a bug in systemd and hacked the kernel packaging system to allow for the fact that the officially unofficial WSL detection system depends on finding an all-caps “WSL” in the osrelease string.
❯ systemd-detect-virt
wsl
It works! But wait, where’s my AppArmor?
Not starting AppArmor in container
…bugger.
This is perfectly sensible in the general case: a container shares the host's kernel, and AppArmor profiles are loaded into that kernel, so a container that started AppArmor would be rewriting the host's policy (hence the is_container_with_internal_policy escape hatch for containers that have a policy namespace of their own). It makes much less sense under WSL, where the "host" is the management distro of the WSL utility VM and the so-called "container" is the only place in which anybody is likely to set up AppArmor policies at all.
Fixing this requires an adjustment to the /lib/apparmor/apparmor.systemd script (under Debian, and presumably any other distro suffering from this issue). Essentially, you have to add the `[ "$(systemd-detect-virt --container)" != "wsl" ] && \` condition to the container check in both the start and the restart/reload branches (the third line of each if condition in the listing below), so that WSL specifically is exempted from the container detection. Note the trailing `&& \`: without it the shell passes `!` and the function name as extra arguments to `[` and the test fails with "too many arguments".
#!/bin/sh
# ----------------------------------------------------------------------
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------

APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions

aa_action()
{
    echo "$1"
    shift
    "$@"
    return $?
}

aa_log_warning_msg()
{
    echo "Warning: $*"
}

aa_log_failure_msg()
{
    echo "Error: $*"
}

aa_log_action_start()
{
    echo "$@"
}

aa_log_action_end()
{
    printf ""
}

aa_log_daemon_msg()
{
    echo "$@"
}

aa_log_skipped_msg()
{
    echo "Skipped: $*"
}

aa_log_end_msg()
{
    printf ""
}

# source apparmor function library
if [ -f "${APPARMOR_FUNCTIONS}" ]; then
    # shellcheck source=rc.apparmor.functions
    . "${APPARMOR_FUNCTIONS}"
else
    aa_log_failure_msg "Unable to find AppArmor initscript functions"
    exit 1
fi

case "$1" in
    start)
        # Skip only in containers that are neither WSL nor able to manage
        # their own policy namespace.
        if [ -x /usr/bin/systemd-detect-virt ] && \
           systemd-detect-virt --quiet --container && \
           [ "$(systemd-detect-virt --container)" != "wsl" ] && \
           ! is_container_with_internal_policy; then
            aa_log_daemon_msg "Not starting AppArmor in container"
            aa_log_end_msg 0
            exit 0
        fi
        apparmor_start
        rc=$?
        ;;
    stop)
        apparmor_stop
        rc=$?
        ;;
    restart|reload|force-reload)
        # Same WSL exemption as in the start branch.
        if [ -x /usr/bin/systemd-detect-virt ] && \
           systemd-detect-virt --quiet --container && \
           [ "$(systemd-detect-virt --container)" != "wsl" ] && \
           ! is_container_with_internal_policy; then
            aa_log_daemon_msg "Not starting AppArmor in container"
            aa_log_end_msg 0
            exit 0
        fi
        apparmor_restart
        rc=$?
        ;;
    try-restart)
        apparmor_try_restart
        rc=$?
        ;;
    kill)
        apparmor_kill
        rc=$?
        ;;
    status)
        apparmor_status
        rc=$?
        ;;
    *)
        exit 1
        ;;
esac

exit "$rc"
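To check that the exemption does what the listing intends before touching the real script, here is an added example (not code from the Debian apparmor package or from AppArmor upstream) that lifts the container decision out into a stand-alone function and drives it with a fake systemd-detect-virt for three environments: an LXC-style container, WSL, and bare metal. The second argument standing in for is_container_with_internal_policy, the helper names and the fake detector are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the Debian/AppArmor script itself: the container check
# from apparmor.systemd with the WSL exemption, written so that it can be
# exercised offline against a stand-in for systemd-detect-virt.

# should_skip_apparmor DETECT_VIRT INTERNAL_POLICY
#   DETECT_VIRT      path to systemd-detect-virt (or a stand-in for it)
#   INTERNAL_POLICY  "yes" if is_container_with_internal_policy would succeed
#                    (assumed interface; the real script calls that function)
# Returns 0 when AppArmor should NOT be started (a non-WSL container that
# cannot manage its own policy), 1 when it should be started.
should_skip_apparmor() {
    dv="$1"
    internal="$2"
    # No detector at all: treat as bare metal / VM and start AppArmor.
    [ -x "$dv" ] || return 1
    # Not a container: start AppArmor.
    "$dv" --quiet --container || return 1
    # WSL is reported as a container but is where the policies live.
    [ "$("$dv" --container)" != "wsl" ] || return 1
    # A container with its own policy namespace loads its own profiles.
    [ "$internal" != "yes" ] || return 1
    return 0
}

# make_fake_detect_virt PATH NAME
# Writes a minimal stand-in for systemd-detect-virt that reports NAME
# ("none" means "not a container"), honouring --quiet and --container:
# prints the name unless --quiet was given, exits 1 when the name is none.
make_fake_detect_virt() {
    cat > "$1" <<EOF
#!/bin/sh
name='$2'
quiet=0
for a in "\$@"; do [ "\$a" = --quiet ] && quiet=1; done
[ "\$quiet" = 1 ] || echo "\$name"
[ "\$name" != none ]
EOF
    chmod +x "$1"
}

# Demonstration: the same decision function across three environments.
demo() {
    tmp=$(mktemp -d)
    for env in lxc wsl none; do
        make_fake_detect_virt "$tmp/detect-$env" "$env"
        if should_skip_apparmor "$tmp/detect-$env" no; then
            echo "$env: Not starting AppArmor in container"
        else
            echo "$env: starting AppArmor"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Running it prints the skip message only for the lxc case; wsl and none both start AppArmor. The string comparison relies entirely on systemd-detect-virt reporting "wsl", which is exactly the detection the earlier kernel packaging hack exists to satisfy, so if that string ever changes case or spelling the exemption silently stops applying.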
I’ve tried suggesting this patch to the maintainers, but the trouble is that I can’t find the source version of this script (with the problematic container detection) in either the apparmor upstream repo or the Debian apparmor package repo, so that hasn’t exactly worked out.
In the meantime, here’s what you have to manually tweak.