Hello Georgia, no need to apologize, you have done what I wanted to do "as soon as I have 10 minutes" :). Thanks!
-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2067900

Title:
  apparmor unconfined profile blocks pivot_root

Status in AppArmor:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  SRU Justification:

  [Impact]
  Ubuntu sauce commit "apparmor: convert easy uses of unconfined() to label_mediates()" was applied to Noble and Oracular respectively as dc757a645cfa ("UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()") and 621bcec8dae4 ("UBUNTU: SAUCE: apparmor4.0.0 [80/99]: apparmor: convert easy uses of unconfined() to label_mediates()").
  This commit prevents the launching of Docker containers inside a LXC container because the apparmor unconfined profile blocks pivot_root. It also blocks containers that use an old apparmor version (e.g. 2.7) from getting an IPV4 address through DHCP.

  [Fix]
  Noble:
  - Backport a revert of commit dc757a645cfa ("UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()")
  Oracular:
  - Backport a revert of commit 621bcec8dae4 ("UBUNTU: SAUCE: apparmor4.0.0 [80/99]: apparmor: convert easy uses of unconfined() to label_mediates()")

  [Test Plan]
  This fix can be tested in Noble and Oracular by running docker in LXC and checking how they behave, as below:
  1/ Install LXD on a 24.04 machine
  2/ Run a LXD container with support for security.nesting
  3/ In the LXD container install docker.io
  4/ Run a Docker container
  With this patch applied, the docker container will work instead of failing with the following error:
  ```
  docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied: unknown.
  ERRO[0000] error waiting for container:
  ```
  The other issue related to old apparmor versions not supporting ABIs can be tested by running:
  ```
  $ lxc launch ubuntu:12.04
  $ lxc list status=running
  ```
  and checking that the IPV4 field is non-null in the newly-started container.

  [Where problems could occur]
  This revert backport is small and returns to the old tested behavior. Hence, this SRU should not cause problems.

  [Changes between v2 and v3]
  - Create separate patches for Noble and Oracular.
  - Fix patch corruption in v2.

  [Other Info]
  External links:
  - https://github.com/canonical/lxd/issues/13389
  - https://discourse.ubuntu.com/t/containers-with-ubuntu-12-04-5-lts-are-not-getting-ipv4s-anymore/47371

  ----------------------------
  Original description:

  The LXD team got a report (https://github.com/canonical/lxd/issues/13389) from a user that on an Ubuntu Noble host it's not possible to run Docker containers inside a LXC container.
  After some investigation, it was discovered that the problem is connected with the AppArmor profile shipped by default, /etc/apparmor.d/runc (comes from https://git.launchpad.net/ubuntu/+source/apparmor/commit/profiles/apparmor.d/runc?h=ubuntu/noble-devel&id=997aea8111bfa1e03960ae3a40321da73f0a6d96 ).
  This profile is unconfined and should give all permissions to the runc daemon. But it does not work. Manually adding a "pivot_root," line and executing "systemctl reload apparmor.service" makes it work.
  After some further investigation it was found that on the upstream Linux kernel the problem is not reproducible. Our team was able to find the problematic commit: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=dc757a645cfa82f6ac252365df20a36a9ff82760
  The following (partial) revert helps to solve the issue on the Ubuntu kernel:

diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c index 74b7293ab971..b12e6bdfefb2 100644 --- a/security/apparmor/mount.c +++ b/security/apparmor/mount.c 
@@ -678,7 +678,7 @@ static struct aa_label *build_pivotroot(const struct cred *subj_cred, AA_BUG(!new_path); AA_BUG(!old_path); - if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) + if (profile_unconfined(profile) || !RULE_MEDIATES(rules, AA_CLASS_MOUNT)) return aa_get_newest_label(&profile->label); error = aa_path_name(old_path, path_flags(profile, old_path), System info: # uname -a Linux ubuntu 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux # cat /etc/os-release PRETTY_NAME="Ubuntu 24.04 LTS" <CUT> To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/2067900/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
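Review bot: the hunk restores the unconfined short-circuit only in build_pivotroot(), so an unconfined profile such as /etc/apparmor.d/runc again skips the AA_CLASS_MOUNT mediation check, and the aa_path_name() call after it, for pivot_root; that matches the "pivot_root .: permission denied" symptom, but because this is a single call site it does not reach the other unconfined() conversions in dc757a645cfa, and nothing here obviously covers the DHCP/IPV4 failure for containers with apparmor 2.7 described under [Impact]. That is consistent with the [Fix] section choosing a full revert rather than this partial one; the description should say so explicitly, so that a reader who applies only this hunk does not expect the ubuntu:12.04 `lxc list` check to pass as well.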
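A scripted form of the [Test Plan] and of the ubuntu:12.04 DHCP check from the bug description, added here as an example; it is not part of the bug report and not LXD's, Docker's or AppArmor's own tooling. It assumes the container names docker-nest and precise-test, the image ubuntu:24.04 for the nested test, that `lxc list --format csv -c n,4` yields one name,IPV4 row per container, and that cloud-init is present in the image so the script can wait for networking. The strings the two parsing helpers are checked against are constructed to mirror the error and `lxc list` output quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report: scripted SRU test plan for the
# pivot_root regression. Names and image below are assumptions.
set -u

CT="${CT:-docker-nest}"          # hypothetical nested LXD container name
IMAGE="${IMAGE:-ubuntu:24.04}"   # assumed host image for the Noble/Oracular test

# Classify docker/runc output. Prints "pivot_root-denied" and returns 0 when the
# failure is the AppArmor symptom quoted in the bug, otherwise prints "other"
# and returns 1 (a healthy run never matches).
classify_docker_output() {
    if printf '%s\n' "$1" | grep -q 'pivot_root .: permission denied'; then
        echo pivot_root-denied
        return 0
    fi
    echo other
    return 1
}

# Given the CSV from `lxc list --format csv -c n,4` (name,IPV4 per row), return 0
# when the named container's IPV4 column is non-empty; this is the "IPV4 field is
# non-null" check from the 12.04 part of the test plan.
has_ipv4() {
    name="$1"
    csv="$2"
    printf '%s\n' "$csv" | awk -F, -v n="$name" \
        '$1 == n && $2 != "" { found = 1 } END { exit found ? 0 : 1 }'
}

# Steps 2-4 of the test plan: nested container, docker.io inside it, one run.
run_docker_in_lxc() {
    lxc launch "$IMAGE" "$CT" -c security.nesting=true
    # Wait for cloud-init (and therefore networking) before using apt.
    lxc exec "$CT" -- sh -c 'cloud-init status --wait >/dev/null; apt-get update && apt-get install -y docker.io'
    if out=$(lxc exec "$CT" -- docker run --rm hello-world 2>&1); then
        echo "docker run inside $CT succeeded"
        return 0
    fi
    echo "docker run inside $CT failed: $(classify_docker_output "$out")"
    return 1
}

# Second check from the bug: an old-apparmor (2.7) guest must still get an IPV4.
check_precise_dhcp() {
    lxc launch ubuntu:12.04 precise-test
    sleep 15   # assumed enough for DHCP to complete; adjust for slow hosts
    if has_ipv4 precise-test "$(lxc list --format csv -c n,4)"; then
        echo "precise-test obtained an IPV4 address"
        return 0
    fi
    echo "precise-test has no IPV4 address"
    return 1
}

# Only touch LXD when explicitly asked; sourcing the file just defines helpers.
if [ "${1:-}" = run ]; then
    run_docker_in_lxc
    check_precise_dhcp
fi
```

Run as `sh test_plan.sh run` on a Noble or Oracular host with LXD installed (step 1 of the plan); with the patch applied both checks should report success, and without it the first reports the pivot_root denial.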