touch-packages team mailing list archive

[Bug 1424154] Re: apparmor sysfs remount rejection on lxc-start


Thanks for posting this bug.  That rule is actually something we
specifically do not want :)

The mount (remount) being denied is by the container itself.  Lxc ahead
of time had mounted /sys read-only, with /sys/class/net (which is
properly namespaced) being read-write.  This is indicated in
/usr/share/lxc/config/common.conf by the 'lxc.mount.auto = sys:mixed'.
Mixed is the mixture of readonly and read-write.

By adding the apparmor rule, we would be allowing the container to
bypass the readonly restrictions lxc has placed on it.

(If you were to actually need to write to /sys from the container, you
could add 'lxc.mount.auto = sys:rw' at the end of your container's
configuration file.  The default container apparmor profile would still
try to protect against writes to many of the unsafe paths (as seen in
/etc/apparmor.d/abstractions/lxc/container-base).)

Perhaps we should have a deny rule to specifically silence this denial.

** Changed in: lxc (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1424154

Title:
  apparmor sysfs remount rejection on lxc-start

Status in lxc package in Ubuntu:
  Invalid

Bug description:
  When starting up an ubuntu lxc container in vivid, I'm seeing the
  following apparmor rejection:

  Feb 21 01:30:41 vivid-i386 kernel: [ 2121.606513] audit: type=1400
  audit(1424511041.643:125): apparmor="DENIED" operation="mount"
  info="failed flags match" error=-13 profile="lxc-container-default"
  name="/sys/" pid=20698 comm="mount" flags="rw, nosuid, nodev, noexec,
  remount"

  The container still started up, and I couldn't see anything problematic
  within it related to sysfs.

  Adding the following remount apparmor rule to
  /etc/apparmor.d/abstractions/lxc/container-base allows the remount
  operation to succeed:

    remount options=(rw, nosuid, nodev, noexec) /sys/,

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: lxc 1.1.0-0ubuntu1 [modified: usr/lib/i386-linux-gnu/lxc/lxc-net]
  ProcVersionSignature: Ubuntu 3.18.0-13.14-generic 3.18.5
  Uname: Linux 3.18.0-13-generic i686
  ApportVersion: 2.16.1-0ubuntu2
  Architecture: i386
  Date: Sat Feb 21 01:43:55 2015
  InstallationDate: Installed on 2014-12-12 (70 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Alpha i386 (20141212)
  ProcEnviron:
   TERM=screen
   SHELL=/bin/bash
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   XDG_RUNTIME_DIR=<set>
  SourcePackage: lxc
  UpgradeStatus: No upgrade log present (probably fresh install)
  defaults.conf:
   lxc.network.type = veth
   lxc.network.link = lxcbr0
   lxc.network.flags = up
   lxc.network.hwaddr = 00:16:3e:xx:xx:xx
  modified.conffile..etc.apparmor.d.abstractions.lxc.container.base: [modified]
  modified.conffile..etc.default.lxc: [modified]
  mtime.conffile..etc.apparmor.d.abstractions.lxc.container.base: 2015-02-21T01:34:23.031703
  mtime.conffile..etc.default.lxc: 2015-02-20T18:15:56.552501

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1424154/+subscriptions
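The thread turns on reading one kernel audit line correctly: the DENIED remount of /sys/ is the container itself, blocked on purpose by the sys:mixed layout, and the wrong response is an allow rule. The following is an added example, not code from the bug report or from the lxc project: it parses type=1400 AppArmor audit lines in the format quoted above, separates that expected denial from mount denials that deserve a look, and prints the explicit deny rule the maintainer suggests for silencing it. The sample log text is constructed (the first line mirrors the one in the bug, the other two are made up), and the rule text is my reading of the apparmor.d(5) mount-rule syntax, so check it with apparmor_parser before shipping it in a profile.

```python
"""Triage AppArmor mount denials from an LXC host's kernel log.

Added example, not code from the bug report or from the lxc project.
"""
import re

# key="value" or key=value pairs as emitted in AppArmor audit lines.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log: line 1 mirrors the denial in the bug report,
# lines 2 and 3 are made up to exercise the other branches.
SAMPLE_LOG = """\
Feb 21 01:30:41 vivid-i386 kernel: [ 2121.606513] audit: type=1400 audit(1424511041.643:125): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/sys/" pid=20698 comm="mount" flags="rw, nosuid, nodev, noexec, remount"
Feb 21 01:30:42 vivid-i386 kernel: [ 2122.100000] audit: type=1400 audit(1424511042.100:126): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/proc/sys/" pid=20710 comm="mount" flags="rw, remount"
Feb 21 01:30:43 vivid-i386 kernel: [ 2123.200000] audit: type=1400 audit(1424511043.200:127): apparmor="ALLOWED" operation="mount" profile="lxc-container-default" name="/sys/class/net/" pid=20712 comm="mount" flags="rw, remount"
"""

# Flags that characterise the container's own rw remount of /sys under
# 'lxc.mount.auto = sys:mixed'; lxc mounted /sys ro, the guest init tries
# to flip it back, and the profile denies that flip as intended.
EXPECTED_SYS_REMOUNT_FLAGS = frozenset({"rw", "remount"})


def split_flags(raw):
    """'rw, nosuid, nodev' -> frozenset({'rw', 'nosuid', 'nodev'})."""
    return frozenset(f.strip() for f in raw.split(",") if f.strip())


def parse_audit_line(line):
    """Return a dict of fields for a type=1400 AppArmor line, else None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted != "" else bare
    if "flags" in fields:
        fields["flags"] = split_flags(fields["flags"])
    return fields


def classify(ev):
    """None for non-denials, 'expected-sys-mixed-remount' for the known
    benign case, 'investigate' for any other mount denial."""
    if ev is None or ev.get("apparmor") != "DENIED":
        return None
    if ev.get("operation") != "mount":
        return "investigate"
    flags = ev.get("flags", frozenset())
    if (ev.get("name") == "/sys/"
            and EXPECTED_SYS_REMOUNT_FLAGS <= flags
            and "bind" not in flags):
        return "expected-sys-mixed-remount"
    return "investigate"


def silencing_rule(ev):
    """Explicit deny rule that keeps the block but stops the log noise.
    Syntax is assumed from apparmor.d(5); verify with apparmor_parser."""
    opts = ", ".join(sorted(ev["flags"]))
    return "deny mount options=(%s) -> %s," % (opts, ev["name"])


def triage(log_text):
    """List of (classification, mountpoint) for every denial in the log."""
    out = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        verdict = classify(ev)
        if verdict is not None:
            out.append((verdict, ev.get("name", "?")))
    return out


if __name__ == "__main__":
    for verdict, name in triage(SAMPLE_LOG):
        print("%-28s %s" % (verdict, name))
    first = parse_audit_line(SAMPLE_LOG.splitlines()[0])
    print("rule to silence the expected denial:", silencing_rule(first))
```

The important asymmetry is that the expected case is matched narrowly (exact mountpoint /sys/, remount plus rw, no bind) and everything else falls through to "investigate": a denial on any other path, or a bind over /sys, is not the sys:mixed behaviour and should not be silenced by the same rule.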
