← Back to team overview

kernel-packages team mailing list archive

Re: [Bug 1350947] Re: apparmor: no working rule to allow making a mount private

 

Note this is more important than leaking a few mounts - it will also cause
breakage if using both "ip netns" and lxc.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1350947

Title:
  apparmor: no working rule to allow making a mount private

Status in “linux” package in Ubuntu:
  Confirmed
Status in “lxc” package in Ubuntu:
  Triaged

Bug description:
  When the file system is mounted as MS_SHARED by default (such as under
  systemd, or when the admin configures it so), things like schroot or
  LXC need to make their "guest" mounts private. This currently fails
  under utopic:

  $ sudo lxc-create -t busybox -n c1
  $ sudo mount --make-rshared /
  $ sudo strace -fvvs1024 -e mount  lxc-start -n c1
  [...]
  [pid 10749] mount(NULL, "/", NULL, MS_SLAVE, NULL) = -1 EACCES (Permission denied)
  lxc-start: Permission denied - Failed to make / rslave

  dmesg says:
  audit: type=1400 audit(1406825005.687:551): apparmor="DENIED" operation="mo
  unt" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=8228 co
  mm="lxc-start" flags="rw, slave"

  (This happens for all mount points on your system, I'm just showing
  the first one)

  This will leave a couple of leaked mounts on your system. This is an
  useful rune to clean them up:

  $ for i in 1 2 3; do sudo umount `mount|grep lxc|awk '{print $3}'`;
  done

  (needs to be done several times; check with "mount |grep lxc" that
  it's clean)

  I tried to allow that by adding this to
  /etc/apparmor.d/abstractions/lxc/start-container:

    mount options=(rw, slave) -> **,

  then reload the policy and rety with

  $ sudo stop lxc; sudo start lxc; sudo lxc-start -n c1

  (and again clean up the mounts with above rune)

  I tried some variations of this, like

    mount options in (rw, slave, rslave, shared, rshared) -> **,

  but none of them worked. The only things that do work are one of

    mount,
    mount -> **,

  but those are too lax to be an effective security restriction.

  WORKAROUND
  ==========
  (Attention: insecure! Don't use for production machines)

  Add this to /etc/apparmor.d/abstractions/lxc/start-container:

     mount,

  
  ProblemType: Bug
  DistroRelease: Ubuntu 14.10
  Package: linux-image-3.16.0-6-generic 3.16.0-6.11
  ProcVersionSignature: Ubuntu 3.16.0-6.11-generic 3.16.0-rc7
  Uname: Linux 3.16.0-6-generic x86_64
  ApportVersion: 2.14.5-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  martin     1665 F.... pulseaudio
  CurrentDesktop: Unity
  Date: Thu Jul 31 18:58:18 2014
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2014-02-27 (154 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140224)
  MachineType: LENOVO 2324CTO
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.16.0-6-generic.efi.signed root=UUID=a2b27321-0b55-44c9-af0d-6c939efa45ce ro quiet splash init=/lib/systemd/systemd crashkernel=384M-:128M vt.handoff=7
  RelatedPackageVersions:
   linux-restricted-modules-3.16.0-6-generic N/A
   linux-backports-modules-3.16.0-6-generic  N/A
   linux-firmware                            1.132
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 07/09/2013
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G2ET95WW (2.55 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2324CTO
  dmi.board.vendor: LENOVO
  dmi.board.version: 0B98401 Pro
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrG2ET95WW(2.55):bd07/09/2013:svnLENOVO:pn2324CTO:pvrThinkPadX230:rvnLENOVO:rn2324CTO:rvr0B98401Pro:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 2324CTO
  dmi.product.version: ThinkPad X230
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1350947/+subscriptions


References