← Back to team overview

kernel-packages team mailing list archive

[Bug 1357588] [NEW] 3.13.0-24 broke nested unprivileged LXC

 

Public bug reported:

The recent security update kernel broke nested unprivileged LXC containers as those attempt to do the following:
access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)

The user visible error looks like:
lxc-start: Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'
lxc-start 1408142401.327 DEBUG    lxc_conf - remounting /dev/console on /usr/lib/x86_64-linux-gnu/lxc/dev/console to respect bind or remount options
lxc-start 1408142401.327 ERROR    lxc_conf - Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'

Followed by a complete failure to start the container.
access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULaccess("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
L) = -1 EPERM (Operation not permitted)

As far as I can tell, LXC isn't doing anything particularly wrong there
and this should succeed. Serge suggested we attempt to pass MS_NODEV to
the remount call but that didn't help either.

There are good chances the following upstream patch fixes this:
http://lkml.org/lkml/2014/8/13/746

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete


** Tags: bot-stop-nagging regression-update

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1357588

Title:
  3.13.0-24 broke nested unprivileged LXC

Status in “linux” package in Ubuntu:
  Incomplete

Bug description:
  The recent security update kernel broke nested unprivileged LXC containers as those attempt to do the following:
  access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)

  The user visible error looks like:
  lxc-start: Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'
  lxc-start 1408142401.327 DEBUG    lxc_conf - remounting /dev/console on /usr/lib/x86_64-linux-gnu/lxc/dev/console to respect bind or remount options
  lxc-start 1408142401.327 ERROR    lxc_conf - Operation not permitted - failed to mount '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console'

  Followed by a complete failure to start the container.
  access("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULaccess("/usr/lib/x86_64-linux-gnu/lxc/dev/console", F_OK) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_BIND, NULL) = 0
  mount("/dev/console", "/usr/lib/x86_64-linux-gnu/lxc/dev/console", 0x7fff406cd9e9, MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
  L) = -1 EPERM (Operation not permitted)

  As far as I can tell, LXC isn't doing anything particularly wrong
  there and this should succeed. Serge suggested we attempt to pass
  MS_NODEV to the remount call but that didn't help either.

  There are good chances the following upstream patch fixes this:
  http://lkml.org/lkml/2014/8/13/746

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1357588/+subscriptions


Follow ups

References