Public bug reported:

$ lxc launch images:debian/sid test-dynamicusers
$ lxc exec test-dynamicusers bash
$ systemd-run --unit=testdynamic -p DynamicUser=yes --uid=xnox /bin/true
$ systemctl status testdynamic.service

# systemctl status testdynamic.service
● testdynamic.service - /bin/true
   Loaded: loaded (/run/systemd/transient/testdynamic.service; transient)
Transient: yes
   Active: failed (Result: exit-code) since Tue 2018-07-24 10:16:13 UTC; 6s ago
  Process: 470 ExecStart=/bin/true (code=exited, status=217/USER)
 Main PID: 470 (code=exited, status=217/USER)

Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Forked /bin/true as 470
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed dead -> running
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Job testdynamic.service/start finished, result=done
Jul 24 10:16:13 systemd239 systemd[1]: Started /bin/true.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed to send unit change signal for testdynamic.service: Connection reset by peer
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Child 470 belongs to testdynamic.service.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Main process exited, code=exited, status=217/USER
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed with result 'exit-code'.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed running -> failed
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Unit entered failed state.
and on the host side, in the journal there is:

Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:935): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:936): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:937): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:938): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:939): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:940): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:941): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none

Can we somehow make DynamicUser work in lxd containers?

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: lxd (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: systemd (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: lxd (Ubuntu)
   Importance: Undecided
       Status: New
https://bugs.launchpad.net/bugs/1783305

Title:
  apparmor DENIED when a systemd unit with DynamicUsers=yes is launched in a lxd container

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
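A small triage helper for host-side journal excerpts like the one in this report, added here as an example and not part of the bug report or of any of the projects involved: it parses both record shapes the report quotes (journald "audit[PID]: AVC ..." and kernel "type=1400 audit(TS:SEQ): ...") into key=value fields, counts DENIED events per profile/operation/comm, and flags the file_lock-on-AF_UNIX denials that mark the failing DynamicUser unit. The sample lines are copied from the report except the final unrelated systemd line, which is constructed.

```python
import re
from collections import Counter

# Constructed sample: two events from the report in both log shapes (journald "AVC"
# and kernel "type=1400"), plus one unrelated line (assumed) that must be ignored.
SAMPLE_JOURNAL = """\
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:938): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:14 sochi systemd[1]: Started Session 7 of user xnox.
"""

# key="quoted value" (may contain spaces, < > and /) or key=bare (possibly empty when
# the kernel line was truncated, as with the trailing sock_type= in the report).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_avc(line):
    """Fields of one AppArmor audit record as a dict, or None for any other line."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def summarize_denials(text):
    """Count DENIED records per (profile, operation, comm). journald and the kernel
    ring buffer each log the same event, so a real denial normally shows up twice."""
    counts = Counter()
    for f in map(parse_avc, text.splitlines()):
        if f and f.get("apparmor") == "DENIED":
            counts[(f.get("profile"), f.get("operation"), f.get("comm"))] += 1
    return counts

def unix_lock_denials(text):
    """Distinct (profile, comm, pid) denied file_lock on an AF_UNIX socket: the
    signature the report shows for DynamicUser=yes inside an lxd container."""
    hits = set()
    for f in map(parse_avc, text.splitlines()):
        if (f and f.get("apparmor") == "DENIED" and f.get("operation") == "file_lock"
                and f.get("family") == "unix"):
            hits.add((f.get("profile"), f.get("comm"), f.get("pid")))
    return sorted(hits)

if __name__ == "__main__":
    for (prof, op, comm), n in summarize_denials(SAMPLE_JOURNAL).most_common():
        print(f"{n:3d} x {op:<10} comm={comm:<10} profile={prof}")
    for prof, comm, pid in unix_lock_denials(SAMPLE_JOURNAL):
        print(f"unix file_lock denial: comm={comm} pid={pid} profile={prof}")
```

Feed it `journalctl -k` or `journalctl _TRANSPORT=audit` output from the host to see whether a container's denials are the lock pattern above or something else.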