security.nesting: "true"
  security.privileged: "true"

But maybe looking for /proc/sys/fs/binfmt_misc may be the trap, because it is not just a matter of being mounted and rw; there's also some trouble with apparmor. E.g. on the machine

# ls -lF /proc/sys/fs            
total 0
-rw-r--r-- 1 root root 0 Sep 10 18:36 aio-max-nr
-r--r--r-- 1 root root 0 Sep 10 18:36 aio-nr
drwxr-xr-x 2 root root 0 Sep 10 18:29 binfmt_misc/
-r--r--r-- 1 root root 0 Sep 10 18:36 dentry-state
-rw-r--r-- 1 root root 0 Sep 10 18:36 dir-notify-enable
dr-xr-xr-x 1 root root 0 Sep 10 18:36 epoll/
dr-xr-xr-x 1 root root 0 Sep 10 18:36 fanotify/
-rw-r--r-- 1 root root 0 Sep 10 18:30 file-max
-r--r--r-- 1 root root 0 Sep 10 18:36 file-nr
-r--r--r-- 1 root root 0 Sep 10 18:36 inode-nr
-r--r--r-- 1 root root 0 Sep 10 18:36 inode-state
dr-xr-xr-x 1 root root 0 Sep 10 18:36 inotify/
-rw-r--r-- 1 root root 0 Sep 10 18:36 lease-break-time
-rw-r--r-- 1 root root 0 Sep 10 18:36 leases-enable
-rw-r--r-- 1 root root 0 Sep 10 18:36 mount-max
dr-xr-xr-x 1 root root 0 Sep 10 18:36 mqueue/
-rw-r--r-- 1 root root 0 Sep 10 18:30 nr_open
-rw-r--r-- 1 root root 0 Sep 10 18:36 overflowgid
-rw-r--r-- 1 root root 0 Sep 10 18:36 overflowuid
-rw-r--r-- 1 root root 0 Sep 10 18:36 pipe-max-size
-rw-r--r-- 1 root root 0 Sep 10 18:36 pipe-user-pages-hard
-rw-r--r-- 1 root root 0 Sep 10 18:36 pipe-user-pages-soft
-rw-r--r-- 1 root root 0 Sep 10 18:30 protected_fifos
-rw-r--r-- 1 root root 0 Sep 10 18:30 protected_hardlinks
-rw-r--r-- 1 root root 0 Sep 10 18:30 protected_regular
-rw-r--r-- 1 root root 0 Sep 10 18:30 protected_symlinks
dr-xr-xr-x 1 root root 0 Sep 10 18:36 quota/
-rw-r--r-- 1 root root 0 Sep 10 18:36 suid_dumpable
dr-xr-xr-x 1 root root 0 Sep 10 18:36 verity/
shows binfmt_misc as readable, and I am root. But:

# ls -lF /proc/sys/fs/binfmt_misc 
ls: cannot open directory '/proc/sys/fs/binfmt_misc': Permission denied

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2078597

Title:
  Failed to flush binfmt_misc rules, ignoring: Permission denied

Status in systemd package in Ubuntu:
  Incomplete

Bug description:
  After upgrading an LXD guest machine from 22.04 to 24.04.1, system
  isn't healthy, systemctl complains that systemd-binfmt.service fails:

  Aug 31 19:23:51 install systemd-binfmt[1147]: Failed to flush binfmt_misc rules, ignoring: Permission denied
  Aug 31 19:23:51 install systemd-binfmt[1147]: /usr/lib/binfmt.d/python3.12.conf:1: Failed to delete rule 'python3.12', ignoring: Permission denied
  Aug 31 19:23:51 install systemd-binfmt[1147]: /usr/lib/binfmt.d/python3.12.conf:1: Failed to add binary format 'python3.12': Permission denied
  Aug 31 19:23:51 install systemd[1]: systemd-binfmt.service: Main process exited, code=exited, status=1/FAILURE
  Aug 31 19:23:51 install systemd[1]: systemd-binfmt.service: Failed with result 'exit-code'.
  Aug 31 19:23:51 install systemd[1]: Failed to start systemd-binfmt.service - Set Up Additional Binary Formats.

  Reason:

  # strace -s 80 /usr/lib/systemd/systemd-binfmt |& fgrep EACCES 
  openat(AT_FDCWD, "/proc/sys/fs/binfmt_misc/status", O_WRONLY|O_NOCTTY|O_CLOEXEC) = -1 EACCES (Permission denied)
  openat(AT_FDCWD, "/proc/sys/fs/binfmt_misc/python3.12", O_WRONLY|O_NOCTTY|O_CLOEXEC) = -1 EACCES (Permission denied)
  openat(AT_FDCWD, "/proc/sys/fs/binfmt_misc/register", O_WRONLY|O_NOCTTY|O_CLOEXEC) = -1 EACCES (Permission denied)

  There is (like with other programs) a problem with the latest LXD/24.04/apparmor settings. podman/docker also don't run without workarounds in apparmor.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: systemd 255.4-1ubuntu8.4
  ProcVersionSignature: Ubuntu 6.8.0-41.41-generic 6.8.12
  Uname: Linux 6.8.0-41-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CloudBuildName: server
  CloudSerial: 20221101.1
  Date: Sun Sep  1 02:10:13 2024
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-6.8.0-41-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro
  SourcePackage: systemd
  UpgradeStatus: Upgraded to noble on 2024-08-31 (0 days ago)
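The comment above makes the point that seeing binfmt_misc in /proc/sys/fs says nothing about whether systemd-binfmt can use it. The helper below is an added example (not systemd's or LXD's code) that separates the three cases a practitioner wants to tell apart: not mounted, mounted read-only, and mounted but denied by the kernel (the AppArmor case in this bug). The function names are my own; the probe mimics systemd-binfmt's O_WRONLY open of 'register' without writing anything.

```shell
#!/bin/sh
# Added diagnostic helper, not part of systemd or LXD.

# binfmt_mount_state [MOUNTINFO]: print rw, ro or not-mounted for the
# binfmt_misc mount listed in a mountinfo file (default: this process's).
# mountinfo fields: ... 5=mount point 6=mount options [optional...] - fstype ...
binfmt_mount_state() {
    awk '{
        for (i = 7; i <= NF; i++)
            if ($i == "-") {                 # optional fields end here
                if ($(i + 1) == "binfmt_misc") {
                    split($6, opt, ",")      # per-mount options, rw/ro first
                    print opt[1]; found = 1; exit
                }
                break
            }
    } END { if (!found) print "not-mounted" }' "${1:-/proc/self/mountinfo}"
}

# binfmt_probe [DIR]: exercise DIR the way systemd-binfmt does. Exit status:
#   0  listable and 'register' opens for writing
#   1  DIR absent or not a directory (not mounted, or wrong path)
#   2  DIR visible in its parent but opendir() is denied (the trap above:
#      ls -lF /proc/sys/fs shows it, ls of the directory itself fails)
#   3  listable, but 'register' cannot be opened O_WRONLY
binfmt_probe() {
    dir="${1:-/proc/sys/fs/binfmt_misc}"
    [ -d "$dir" ] || return 1
    ls "$dir" >/dev/null 2>&1 || return 2
    # O_APPEND open that writes zero bytes: nothing is registered or flushed,
    # but an LSM denial surfaces here as EACCES, exactly as in the strace.
    : >>"$dir/register" 2>/dev/null || return 3
    return 0
}

# binfmt_check: one-line diagnosis combining both views; exit status is
# the probe result so it can be used from a unit or a health script.
binfmt_check() {
    state=$(binfmt_mount_state)
    binfmt_probe; rc=$?
    echo "binfmt_misc mount=$state probe=$rc"
    return $rc
}
```

Source the file and run `binfmt_check` inside the guest: a result of mount=rw with probe=2 or 3 is the apparmor denial described above, whereas probe=1 means the filesystem was never mounted in the container.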
