Hi, Just did a fresh minimal install of ubuntu-23.10.1-desktop-amd64.iso

  apt install -y docker.io
  <add user to group>
  <restart>
  docker run -d --name=nginx nginx
  docker kill -s sigint nginx

  Error response from daemon: Cannot kill container: nginx: Cannot kill container 3590b8a55fa29e5df34b1ad7444100652ba9912d42e877c475b181909ee9a698: unknown error after kill: runc did not terminate successfully: exit status 1: unable to signal init: permission denied : unknown

dmesg:

  [33054.783037] audit: type=1400 audit(1697228308.520:1037): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=189468 comm="runc" requested_mask="receive" denied_mask="receive" signal=usr1 peer="/usr/sbin/runc"

can't find a docker-default profile in /etc/apparmor.d/

usr.sbin.runc has 0644

  # cat usr.sbin.runc
  abi <abi/4.0>,

  include <tunables/global>

  /usr/sbin/runc flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists <local/usr.sbin.runc>
  }

Hope it helps

--
https://bugs.launchpad.net/bugs/2039294

Title:
  apparmor docker

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 23.10
  Release:        23.10
  Codename:       mantic

  Docker version 24.0.5, build 24.0.5-0ubuntu1

  Graceful shutdown doesn't work anymore because SIGTERM and SIGKILL
  (maybe all signals?) don't reach the target process.

  Works when apparmor is uninstalled.

  [17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"
  [17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"
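
For triaging denials like the ones quoted in this report, the following added example (not part of the original bug report or of any project's code) parses AppArmor audit records and groups denied signals by confined profile, peer label and denied mask. The names parse_denial and signal_denials are assumptions made for illustration, and the file-denial record is constructed.

```python
import re
from collections import defaultdict

# key=value or key="value" pairs as found in a type=1400 audit record
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The three denial records quoted in the bug report above.
REPORTED = [
    '[33054.783037] audit: type=1400 audit(1697228308.520:1037): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=189468 comm="runc" requested_mask="receive" denied_mask="receive" signal=usr1 peer="/usr/sbin/runc"',
    '[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172626 comm="runc" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/sbin/runc"',
    '[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED" operation="signal" class="signal" profile="docker-default" pid=172633 comm="runc" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/sbin/runc"',
]
# Constructed record (not from the report): a file denial that must be ignored.
CONSTRUCTED = [
    '[33060.000000] audit: type=1400 audit(1697228314.000:1040): apparmor="DENIED" operation="open" class="file" profile="example-profile" name="/tmp/example" pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]


def parse_denial(line):
    """Return the record's fields, or None if it is not an AppArmor denial."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in PAIR.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def signal_denials(lines):
    """Group denied signals by (confined profile, peer label, denied mask)."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_denial(line)
        if rec and rec.get("operation") == "signal":
            key = (rec.get("profile"), rec.get("peer"), rec.get("denied_mask"))
            groups[key].add(rec.get("signal"))
    return {key: sorted(sigs) for key, sigs in groups.items()}


if __name__ == "__main__":
    for (profile, peer, mask), sigs in signal_denials(REPORTED + CONSTRUCTED).items():
        print(f"profile={profile} peer={peer} denied={mask} signals={','.join(sigs)}")
```

On the quoted records this yields a single group: every denial is on the receive side of docker-default, with the sender labelled /usr/sbin/runc.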