This bug was fixed in the package wsdd - 2:0.8-2ubuntu3

---------------
wsdd (2:0.8-2ubuntu3) oracular; urgency=medium

  * Set XDG_RUNTIME_DIR in autopkgtest

 -- Alessandro Astone <alessandro.ast...@canonical.com>  Tue, 23 Jul 2024 09:21:36 +0200

** Changed in: wsdd (Ubuntu)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2073589

Title:
  Confined executable script needs 'mrix' rule on its shebang only when
  running inside LXD

Status in apparmor package in Ubuntu:
  New
Status in wsdd package in Ubuntu:
  Fix Released

Bug description:
  I'm writing the AppArmor policy for a Python script installed as an
  executable at `/usr/bin/wsdd`.

  The script has the following shebang:

    #!/usr/bin/env python3

  With the aid of aa-logprof I came up with the following rules for
  enabling the execution of this script:

    /usr/bin/env ix,
    /{,usr/}bin/python3.{1,}[0-9] mrix,
    /usr/bin/wsdd r,

  It works correctly on my machine. However, when running the same
  program with the same profile inside an LXD container, executing
  /usr/bin/wsdd fails with "Segmentation fault".

  Running it in `strace` shows:

    execve("/usr/bin/wsdd", ["/usr/bin/wsdd"], 0x7ffc5329f110 /* 12 vars */) = -1 EACCES (Permission denied)
    +++ killed by SIGSEGV +++

  And the host journal shows:

    Jul 19 12:32:00 thinkpad kernel: audit: type=1400 audit(1721385120.086:2685): apparmor="DENIED" operation="file_mmap" class="file" namespace="root//lxd-noble_<var-snap-lxd-common-lxd>" profile="/usr/bin/wsdd" name="/usr/bin/env" pid=74694 comm="wsdd" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

  The audit indicates that AppArmor is preventing mmap of /usr/bin/env,
  the program specified in the shebang. Indeed, changing the rule from
  `/usr/bin/env ix` to `/usr/bin/env mrix` solves the issue.

  But why is `mrix` only required inside LXD?
  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: apparmor 4.0.1really4.0.0-beta3-0ubuntu0.1
  ProcVersionSignature: Ubuntu 6.8.0-40.40-generic 6.8.12
  Uname: Linux 6.8.0-40-generic x86_64
  NonfreeKernelModules: zfs
  ApportVersion: 2.28.1-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Jul 19 12:17:54 2024
  InstallationDate: Installed on 2024-06-16 (33 days ago)
  InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Release amd64 (20240424)
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.8.0-40-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro quiet splash vt.handoff=7
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2073589/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
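The audit line quoted in the report is the kind of evidence a policy author has to turn into a rule by hand. The following is an added example, not code from the bug report, from apparmor or from wsdd: a small parser for AppArmor `apparmor="DENIED"` audit records that pulls out the profile, the path, the policy namespace and the denied mask, flags denials that came from a child policy namespace (the `root//lxd-...` form seen above, i.e. from inside a container), and derives the file permission letters the rule needs. The one domain fact it encodes is from apparmor.d(5): `operation="file_mmap"` means the file was mapped executable, which requires the `m` permission, so the denial on `/usr/bin/env` with `denied_mask="r"` yields `mr`; merged with the existing `ix` exec rule that gives exactly the `mrix` the reporter arrived at. The first sample line is the journal line from the report; the second is a constructed read denial for contrast. The function and field names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input. Line 1 is the host-journal line quoted in the bug report
# (wsdd running inside an LXD container). Line 2 is constructed for contrast:
# a plain open() denial in the host's own policy namespace.
SAMPLE_LINES = [
    'Jul 19 12:32:00 thinkpad kernel: audit: type=1400 audit(1721385120.086:2685): '
    'apparmor="DENIED" operation="file_mmap" class="file" '
    'namespace="root//lxd-noble_<var-snap-lxd-common-lxd>" profile="/usr/bin/wsdd" '
    'name="/usr/bin/env" pid=74694 comm="wsdd" requested_mask="r" denied_mask="r" '
    'fsuid=1000000 ouid=1000000',
    'Jul 19 12:40:00 thinkpad kernel: audit: type=1400 audit(1721385600.000:2700): '
    'apparmor="DENIED" operation="open" class="file" profile="/usr/bin/wsdd" '
    'name="/etc/wsdd.conf" pid=74700 comm="wsdd" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0',
]

# key=value or key="quoted value" pairs as the audit subsystem prints them
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Extra permission letters implied by the operation itself, beyond the letters
# in denied_mask. Per apparmor.d(5), 'm' allows executable mapping (PROT_EXEC
# mmap), which is what operation="file_mmap" reports.
OPERATION_EXTRA_PERMS = {
    "file_mmap": "m",
}

# Conventional letter order in AppArmor file rules (what aa-logprof prints).
PERM_ORDER = "mrwacdlk"


@dataclass
class Denial:
    profile: str
    path: str
    operation: str
    denied_mask: str
    namespace: Optional[str]
    comm: str

    @property
    def in_child_namespace(self) -> bool:
        # "root//<child>" means a policy namespace nested under the host's,
        # e.g. an LXD container. A missing namespace field means the host itself.
        return self.namespace is not None and "//" in self.namespace

    def needed_perms(self) -> str:
        perms = set(self.denied_mask) | set(OPERATION_EXTRA_PERMS.get(self.operation, ""))
        return "".join(sorted(perms, key=lambda c: PERM_ORDER.find(c) if c in PERM_ORDER else len(PERM_ORDER)))

    def suggested_rule(self) -> str:
        # Permissions to merge into the profile's existing rule for this path;
        # exec modes (ix, Px, ...) are not derivable from a file_mmap denial.
        return f"{self.path} {self.needed_perms()},"


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for an AppArmor DENIED audit line, or None for other lines."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED" or "profile" not in fields or "name" not in fields:
        return None
    return Denial(
        profile=fields["profile"],
        path=fields["name"],
        operation=fields.get("operation", ""),
        denied_mask=fields.get("denied_mask", ""),
        namespace=fields.get("namespace"),
        comm=fields.get("comm", ""),
    )


def summarize(lines: List[str]) -> List[str]:
    """One human-readable line per denial, noting container-origin denials."""
    out = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        where = "child namespace " + d.namespace if d.in_child_namespace else "host namespace"
        out.append(f"profile {d.profile}: {d.operation} on {d.path} ({where}) -> add '{d.suggested_rule()}'")
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_LINES):
        print(s)
```

Running the block prints one suggestion per denial; for the reporter's line it is `/usr/bin/env mr,`, to be merged with the existing `/usr/bin/env ix,` rather than added beside it. Keeping the namespace field visible is the point of the `in_child_namespace` flag: it lets you see at a glance that a denial was raised for a confined task inside a container even though it is logged in the host journal.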