Public bug reported:
Hi,
It seems there are issues with the move_mount syscall on ARM64 questing
kernels when running an armhf userspace, I'm getting some "failed flags
match" errors that didn't use to be there.
Repro steps:
ubuntu@schopin-glibc:~$ cat test.c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <unistd.h>
#include <fcntl.h>
#include <assert.h>
#include <sched.h>
int main() {
int r;
// Make private mount ns
assert(!unshare(CLONE_NEWNS));
assert(!mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL));
int fd = fsopen ("tmpfs", FSOPEN_CLOEXEC);
assert(fd != -1);
assert(fsconfig(fd, FSCONFIG_SET_STRING, "size", "2048", 0) != -1);
assert(fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0) != -1);
int mfd = fsmount (fd, FSMOUNT_CLOEXEC, MOUNT_ATTR_NODEV);
assert(mfd != -1);
r = move_mount (mfd, "", AT_FDCWD, "/tmp", MOVE_MOUNT_F_EMPTY_PATH);
assert(r != -1 && "this is where this should not fail");
return 0;
}
ubuntu@schopin-glibc:~$ lxc launch ubuntu-daily:noble/armhf noble-armhf
Launching noble-armhf
ubuntu@schopin-glibc:~$ lxc exec noble-armhf -- apt-get update > /dev/null
ubuntu@schopin-glibc:~$ lxc exec noble-armhf -- apt-get install -y gcc libc-dev
> /dev/null
ubuntu@schopin-glibc:~$ lxc file push test.c noble-armhf/root/
ubuntu@schopin-glibc:~$ lxc exec noble-armhf gcc test.c
ubuntu@schopin-glibc:~$ lxc exec noble-armhf ./a.out
a.out: test.c:23: main: Assertion `r != -1 && "this is where this should not
fail"' failed.
ubuntu@schopin-glibc:~$ sudo dmesg | tail -n 5
[63411.354990] audit: type=1400 audit(1754562335.413:2498): apparmor="DENIED"
operation="mount" class="mount" info="failed flags match" error=-13
profile="lxd-noble-armhf_</var/snap/lxd/common/lxd>"
name="/run/systemd/mount-rootfs/proc/cpuinfo" pid=2876232 comm="(d-logind)"
flags="rw, nosuid, nodev, noexec, remount, bind"
[63411.354993] audit: type=1400 audit(1754562335.413:2499): apparmor="DENIED"
operation="mount" class="mount" info="failed flags match" error=-13
profile="lxd-noble-armhf_</var/snap/lxd/common/lxd>"
name="/run/systemd/mount-rootfs/proc/slabinfo" pid=2876232 comm="(d-logind)"
flags="rw, nosuid, nodev, noexec, remount, bind"
[63411.562761] audit: type=1400 audit(1754562335.622:2500): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
label="lxd-noble-armhf_</var/snap/lxd/common/lxd>//&:lxd-noble-armhf_<var-snap-lxd-common-lxd>:unconfined"
name="rsyslogd" pid=2876255 comm="apparmor_parser"
[63499.281362] kauditd_printk_skb: 39 callbacks suppressed
[63499.281416] audit: type=1400 audit(1754562423.342:2540): apparmor="DENIED"
operation="mount" class="mount" info="failed flags match" error=-13
profile="lxd-noble-armhf_</var/snap/lxd/common/lxd>" name="/tmp/" pid=2898548
comm="a.out" flags="rw, move"
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
Hi,
- It seems there are issues with the move_mount syscall on ARM64 kernels
- when running an armhf userspace, I'm getting some "failed flags match"
- errors that didn't use to be there.
+ It seems there are issues with the move_mount syscall on ARM64 questing
+ kernels when running an armhf userspace, I'm getting some "failed flags
+ match" errors that didn't use to be there.
Repro steps:
ubuntu@schopin-glibc:~$ cat test.c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <unistd.h>
#include <fcntl.h>
#include <assert.h>
#include <sched.h>
int main() {
- int r;
- // Make private mount ns
- assert(!unshare(CLONE_NEWNS));
- assert(!mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL));
+ int r;
+ // Make private mount ns
+ assert(!unshare(CLONE_NEWNS));
+ assert(!mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL));
- int fd = fsopen ("tmpfs", FSOPEN_CLOEXEC);
- assert(fd != -1);
- assert(fsconfig(fd, FSCONFIG_SET_STRING, "size", "2048", 0) != -1);
- assert(fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0) != -1);
+ int fd = fsopen ("tmpfs", FSOPEN_CLOEXEC);
+ assert(fd != -1);
+ assert(fsconfig(fd, FSCONFIG_SET_STRING, "size", "2048", 0) != -1);
+ assert(fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0) != -1);
- int mfd = fsmount (fd, FSMOUNT_CLOEXEC, MOUNT_ATTR_NODEV);
- assert(mfd != -1);
- r = move_mount (mfd, "", AT_FDCWD, "/tmp", MOVE_MOUNT_F_EMPTY_PATH);
- assert(r != -1 && "this is where this should not fail");
+ int mfd = fsmount (fd, FSMOUNT_CLOEXEC, MOUNT_ATTR_NODEV);
+ assert(mfd != -1);
+ r = move_mount (mfd, "", AT_FDCWD, "/tmp", MOVE_MOUNT_F_EMPTY_PATH);
+ assert(r != -1 && "this is where this should not fail");
- return 0;
+ return 0;
}
ubuntu@schopin-glibc:~$ lxc launch ubuntu-daily:noble/armhf noble-armhf
Launching noble-armhf
ubuntu@schopin-glibc:~$ lxc exec noble-armhf -- apt-get update > /dev/null
ubuntu@schopin-glibc:~$ lxc exec noble-armhf -- apt-get install -y gcc
libc-dev > /dev/null
ubuntu@schopin-glibc:~$ lxc file push test.c noble-armhf/root/
ubuntu@schopin-glibc:~$ lxc exec noble-armhf gcc test.c
ubuntu@schopin-glibc:~$ lxc exec noble-armhf ./a.out
a.out: test.c:23: main: Assertion `r != -1 && "this is where this should not
fail"' failed.
ubuntu@schopin-glibc:~$ sudo dmesg | tail -n 5
[63411.354990] audit: type=1400 audit(1754562335.413:2498): apparmor="DENIED"
operation="mount" class="mount" info="failed flags match" error=-13
profile="lxd-noble-armhf_</var/snap/lxd/common/lxd>"
name="/run/systemd/mount-rootfs/proc/cpuinfo" pid=2876232 comm="(d-logind)"
flags="rw, nosuid, nodev, noexec, remount, bind"
[63411.354993] audit: type=1400 audit(1754562335.413:2499): apparmor="DENIED"
operation="mount" class="mount" info="failed flags match" error=-13
profile="lxd-noble-armhf_</var/snap/lxd/common/lxd>"
name="/run/systemd/mount-rootfs/proc/slabinfo" pid=2876232 comm="(d-logind)"
flags="rw, nosuid, nodev, noexec, remount, bind"
[63411.562761] audit: type=1400 audit(1754562335.622:2500): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
label="lxd-noble-armhf_</var/snap/lxd/common/lxd>//&:lxd-noble-armhf_<var-snap-lxd-common-lxd>:unconfined"
name="rsyslogd" pid=2876255 comm="apparmor_parser"
[63499.281362] kauditd_printk_skb: 39 callbacks suppressed
[63499.281416] audit: type=1400 audit(1754562423.342:2540): apparmor="DENIED"
operation="mount" class="mount" info="failed flags match" error=-13
profile="lxd-noble-armhf_</var/snap/lxd/common/lxd>" name="/tmp/" pid=2898548
comm="a.out" flags="rw, move"
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2119734
Title:
armhf: bad flag handling on move_mount syscall
Status in apparmor package in Ubuntu:
New
Bug description:
Hi,
It seems there are issues with the move_mount syscall on ARM64
questing kernels when running an armhf userspace, I'm getting some
"failed flags match" errors that didn't use to be there.
Repro steps:
ubuntu@schopin-glibc:~$ cat test.c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <unistd.h>
#include <fcntl.h>
#include <assert.h>
#include <sched.h>
int main() {
int r;
// Make private mount ns
assert(!unshare(CLONE_NEWNS));
assert(!mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL));
int fd = fsopen ("tmpfs", FSOPEN_CLOEXEC);
assert(fd != -1);
assert(fsconfig(fd, FSCONFIG_SET_STRING, "size", "2048", 0) != -1);
assert(fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0) != -1);
int mfd = fsmount (fd, FSMOUNT_CLOEXEC, MOUNT_ATTR_NODEV);
assert(mfd != -1);
r = move_mount (mfd, "", AT_FDCWD, "/tmp", MOVE_MOUNT_F_EMPTY_PATH);
assert(r != -1 && "this is where this should not fail");
return 0;
}
ubuntu@schopin-glibc:~$ lxc launch ubuntu-daily:noble/armhf noble-armhf
Launching noble-armhf
ubuntu@schopin-glibc:~$ lxc exec noble-armhf -- apt-get update > /dev/null
ubuntu@schopin-glibc:~$ lxc exec noble-armhf -- apt-get install -y gcc
libc-dev > /dev/null
ubuntu@schopin-glibc:~$ lxc file push test.c noble-armhf/root/
ubuntu@schopin-glibc:~$ lxc exec noble-armhf gcc test.c
ubuntu@schopin-glibc:~$ lxc exec noble-armhf ./a.out
a.out: test.c:23: main: Assertion `r != -1 && "this is where this should not
fail"' failed.
ubuntu@schopin-glibc:~$ sudo dmesg | tail -n 5
[63411.354990] audit: type=1400 audit(1754562335.413:2498): apparmor="DENIED"
operation="mount" class="mount" info="failed flags match" error=-13
profile="lxd-noble-armhf_</var/snap/lxd/common/lxd>"
name="/run/systemd/mount-rootfs/proc/cpuinfo" pid=2876232 comm="(d-logind)"
flags="rw, nosuid, nodev, noexec, remount, bind"
[63411.354993] audit: type=1400 audit(1754562335.413:2499): apparmor="DENIED"
operation="mount" class="mount" info="failed flags match" error=-13
profile="lxd-noble-armhf_</var/snap/lxd/common/lxd>"
name="/run/systemd/mount-rootfs/proc/slabinfo" pid=2876232 comm="(d-logind)"
flags="rw, nosuid, nodev, noexec, remount, bind"
[63411.562761] audit: type=1400 audit(1754562335.622:2500): apparmor="STATUS"
operation="profile_replace" info="same as current profile, skipping"
label="lxd-noble-armhf_</var/snap/lxd/common/lxd>//&:lxd-noble-armhf_<var-snap-lxd-common-lxd>:unconfined"
name="rsyslogd" pid=2876255 comm="apparmor_parser"
[63499.281362] kauditd_printk_skb: 39 callbacks suppressed
[63499.281416] audit: type=1400 audit(1754562423.342:2540): apparmor="DENIED"
operation="mount" class="mount" info="failed flags match" error=-13
profile="lxd-noble-armhf_</var/snap/lxd/common/lxd>" name="/tmp/" pid=2898548
comm="a.out" flags="rw, move"
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2119734/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
