
touch-packages team mailing list archive

[Bug 1424154] Re: apparmor sysfs remount rejection on lxc-start

 

So the only difference that I can see is that *without* the added
remount rule, /proc/mounts contains the following entries for
sysfs+/sys/ within the container:

  sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
  sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0

with the added rule, /proc/mounts contains:

  sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
  sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0

(note the 'rw' for the second line of the latter.)

I'm guessing the first entry is the mount entry from the container host
and the second one is the actual container mount?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1424154

Title:
  apparmor sysfs remount rejection on lxc-start

Status in lxc package in Ubuntu:
  New

Bug description:
  When starting up an ubuntu lxc container in vivid, I'm seeing the
  following apparmor rejection:

  Feb 21 01:30:41 vivid-i386 kernel: [ 2121.606513] audit: type=1400
  audit(1424511041.643:125): apparmor="DENIED" operation="mount"
  info="failed flags match" error=-13 profile="lxc-container-default"
  name="/sys/" pid=20698 comm="mount" flags="rw, nosuid, nodev, noexec,
  remount"

  The container still started up, and I couldn't see anything problematic
  within it related to sysfs.

  Adding the following remount apparmor rule to
  /etc/apparmor.d/abstractions/lxc/container-base allows the remount
  operation to succeed:

    remount options=(rw, nosuid, nodev, noexec) /sys/,

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: lxc 1.1.0-0ubuntu1 [modified: usr/lib/i386-linux-gnu/lxc/lxc-net]
  ProcVersionSignature: Ubuntu 3.18.0-13.14-generic 3.18.5
  Uname: Linux 3.18.0-13-generic i686
  ApportVersion: 2.16.1-0ubuntu2
  Architecture: i386
  Date: Sat Feb 21 01:43:55 2015
  InstallationDate: Installed on 2014-12-12 (70 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Alpha i386 (20141212)
  ProcEnviron:
   TERM=screen
   SHELL=/bin/bash
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   XDG_RUNTIME_DIR=<set>
  SourcePackage: lxc
  UpgradeStatus: No upgrade log present (probably fresh install)
  defaults.conf:
   lxc.network.type = veth
   lxc.network.link = lxcbr0
   lxc.network.flags = up
   lxc.network.hwaddr = 00:16:3e:xx:xx:xx
  modified.conffile..etc.apparmor.d.abstractions.lxc.container.base: [modified]
  modified.conffile..etc.default.lxc: [modified]
  mtime.conffile..etc.apparmor.d.abstractions.lxc.container.base: 2015-02-21T01:34:23.031703
  mtime.conffile..etc.default.lxc: 2015-02-20T18:15:56.552501

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1424154/+subscriptions
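As an added illustration (not part of the bug thread or of lxc/AppArmor itself), the script below parses the kernel audit line quoted in the bug description, derives the `remount` rule the reporter added from the denied `flags=` field, and compares the two /proc/mounts snippets from the comment to flag that the rule changed the container's second sysfs entry from `ro` to `rw`. That last check is the point a reviewer wants before relaxing a profile: the denial was what kept the in-container remount read-only. The sample log line and mounts output are constructed from the text above (the archive wraps the audit line; it is re-joined here), and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the AppArmor denial from the bug report, re-joined onto one line.
SAMPLE_DENIAL = (
    'Feb 21 01:30:41 vivid-i386 kernel: [ 2121.606513] audit: type=1400 '
    'audit(1424511041.643:125): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="lxc-container-default" '
    'name="/sys/" pid=20698 comm="mount" flags="rw, nosuid, nodev, noexec, remount"'
)

# Constructed samples: the two /proc/mounts excerpts quoted in the comment.
MOUNTS_WITHOUT_RULE = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
"""
MOUNTS_WITH_RULE = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# key="quoted value" or key=bareword, as emitted by the audit subsystem
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line: str) -> Dict[str, str]:
    """Extract the key=value fields of an AppArmor audit line into a dict.

    Only lines carrying apparmor="DENIED" are accepted; anything else raises.
    """
    fields = {key: (quoted or bare) for key, quoted, bare in _KV_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        raise ValueError("not an AppArmor denial line")
    return fields


def suggest_remount_rule(fields: Dict[str, str]) -> str:
    """Build the AppArmor remount rule that would permit a denied remount.

    Only remount denials are handled: a plain mount rule needs a
    'source -> destination' pair that the audit line does not carry.
    """
    if fields.get("operation") != "mount":
        raise ValueError("only mount denials are handled")
    flags = [f.strip() for f in fields["flags"].split(",")]
    if "remount" not in flags:
        raise NotImplementedError("non-remount mount rules are not derived here")
    options = [f for f in flags if f != "remount"]
    return f'remount options=({", ".join(options)}) {fields["name"]},'


def mount_options(proc_mounts: str, mountpoint: str) -> List[List[str]]:
    """Return the option list of every /proc/mounts entry for mountpoint, in file order."""
    result = []
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == mountpoint:
            result.append(parts[3].split(","))
    return result


def became_writable(before: str, after: str, mountpoint: str = "/sys") -> bool:
    """True if an entry for mountpoint that was 'ro' before is 'rw' at the same position after."""
    pairs = zip(mount_options(before, mountpoint), mount_options(after, mountpoint))
    return any("ro" in old and "rw" in new for old, new in pairs)


if __name__ == "__main__":
    denial = parse_denial(SAMPLE_DENIAL)
    print("profile:", denial["profile"], "name:", denial["name"])
    print("rule:", suggest_remount_rule(denial))
    print("rule makes /sys writable in container:",
          became_writable(MOUNTS_WITHOUT_RULE, MOUNTS_WITH_RULE))
```

Run it as-is to see the derived rule match the one in the bug description exactly; point `parse_denial` at real `dmesg`/`journalctl -k` lines (one per call) to do the same for other denials.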
