[Touch-packages] [Bug 1811248] Re: systemd--networkd mounts denied for lxc guest

Thu, 10 Jan 2019 18:46:21 -0800 

profile="lxc-container-default-cgns"

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
}

__

> flags are being used by the mount(2) system call that's failed

Pardon my ignorance as not being sure what you are asking here. I
thought it was obvious from the log

pid=8426 comm="(networkd)" flags="rw, rslave"

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1811248

Title:
  systemd--networkd mounts denied for lxc guest

Status in apparmor package in Ubuntu:
  New

Bug description:
  Host unbuntu cosmic | lxc 3.0.3 | aa 2.12 | systemd 239-7
  Guest Arch Linux | systemd 240.0

  After having upgraded in the guest systemd from 239.370 to 240.0 the
  host's AA is exhibiting

  > audit: type=1400 audit(1547125168.853:722): apparmor="DENIED"
  operation="mount" info="failed flags match" error=-13 profile="lxc-
  container-default-cgns" name="/" pid=8426 comm="(networkd)" flags="rw,
  rslave"

  and the guest

  > systemd-networkd.service: Failed to set up mount namespacing: Permission 
denied
  > systemd-networkd.service: Failed at step NAMESPACE spawning 
/usr/lib/systemd/systemd-networkd: Permission denied

  According to lxc bug tracker https://github.com/lxc/lxc/issues/2778

  > While we'd like to allow such mounts we cannot do so until the
  apparmor_parser is fixed to handle them correctly.

  other cross references

  https://github.com/systemd/systemd/issues/11371
  https://bugs.archlinux.org/task/61313

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1811248/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to