Public bug reported:

I'm writing the AppArmor policy for a Python script installed as executable at `/usr/bin/wsdd`. The script has the following shebang: `#!/usr/bin/env python3`

With the aid of aa-logprof I came up with the following rules for enabling the execution of this script:

  /usr/bin/env ix,
  /{,usr/}bin/python3.{1,}[0-9] mrix,
  /usr/bin/wsdd r,

It works correctly on my machine. However, when running the same program with the same profile inside an LXD container, executing /usr/bin/wsdd fails with "Segmentation fault".

Running it in `strace` shows:

  execve("/usr/bin/wsdd", ["/usr/bin/wsdd"], 0x7ffc5329f110 /* 12 vars */) = -1 EACCES (Permission denied)
  +++ killed by SIGSEGV +++

And the host journal shows:

  Jul 19 12:32:00 thinkpad kernel: audit: type=1400 audit(1721385120.086:2685): apparmor="DENIED" operation="file_mmap" class="file" namespace="root//lxd-noble_<var-snap-lxd-common-lxd>" profile="/usr/bin/wsdd" name="/usr/bin/env" pid=74694 comm="wsdd" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

The audit indicates that AppArmor is preventing mmap of /usr/bin/env, the program specified in the shebang. Indeed, changing the rule from `/usr/bin/env ix` to `/usr/bin/env mrix` solves the issue. But why is `mrix` only required inside LXD?
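The denial quoted above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the report and not aa-logprof's own code: it parses the audit record into its fields, notes that it came from an LXD policy namespace (the `namespace="root//lxd-..."` field), and compares the permission letters the denial needs against the rule as written. The `OPERATION_PERMS` mapping, the function names and the canonical letter order are the example's own assumptions; the mapping reproduces the fix the report arrived at (`ix` to `mrix` for a `file_mmap` denial) but does not claim to explain why LXD needs it.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample: the audit record quoted in the bug report above.
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1721385120.086:2685): apparmor="DENIED" '
    'operation="file_mmap" class="file" '
    'namespace="root//lxd-noble_<var-snap-lxd-common-lxd>" '
    'profile="/usr/bin/wsdd" name="/usr/bin/env" pid=74694 comm="wsdd" '
    'requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000'
)

# key=value or key="value" pairs. The leading audit(ts:serial) token carries
# no '=' and is skipped.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Canonical order for rebuilding a permission string (so we emit "mrix").
# Assumption of this example, chosen to match the ordering in the report.
PERM_ORDER = "mrwlkix"

# Extra permission letters implied by the denied operation. This mapping is
# the example's own assumption, derived from the report: a file_mmap denial on
# the shebang interpreter was resolved by adding 'm' (and 'r') to an 'ix' rule.
OPERATION_PERMS = {"file_mmap": {"m"}, "exec": {"x"}}


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit record into a dict of its key/value fields."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_container_denial(denial: Dict[str, str]) -> bool:
    """True when the record came from an LXD policy namespace rather than the host."""
    return denial.get("namespace", "").startswith("root//lxd-")


def rule_parts(rule: str) -> Tuple[str, Set[str]]:
    """Split a file rule such as '/usr/bin/env ix,' into (path, permission letters)."""
    path, perms = rule.strip().rstrip(",").split()
    return path, set(perms)


def missing_perms(rule: str, denial: Dict[str, str]) -> Set[str]:
    """Permission letters the denial requires that the rule does not grant."""
    path, have = rule_parts(rule)
    if path != denial.get("name"):
        raise ValueError(f"rule path {path} does not match denied name {denial.get('name')}")
    need = set(denial.get("denied_mask", ""))
    need |= OPERATION_PERMS.get(denial.get("operation", ""), set())
    return need - have


def suggest_rule(rule: str, denial: Dict[str, str]) -> str:
    """Return the rule widened by exactly the letters the denial needs."""
    path, have = rule_parts(rule)
    perms = have | missing_perms(rule, denial)
    ordered = "".join(
        sorted(perms, key=lambda p: (PERM_ORDER.find(p) if p in PERM_ORDER else len(PERM_ORDER), p))
    )
    return f"{path} {ordered},"


if __name__ == "__main__":
    denial = parse_audit_line(SAMPLE_DENIAL)
    print("from LXD namespace:", is_container_denial(denial))
    print("rule as written:   /usr/bin/env ix,")
    print("missing letters:   ", "".join(sorted(missing_perms("/usr/bin/env ix,", denial))))
    print("suggested rule:    ", suggest_rule("/usr/bin/env ix,", denial))
```

Running it on the quoted record reports the missing letters `m` and `r` and suggests `/usr/bin/env mrix,`, which is the change the report found necessary; run against the widened rule it reports nothing missing, so the same check can confirm a profile edit before the profile is reloaded in the container.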
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apparmor 4.0.1really4.0.0-beta3-0ubuntu0.1
ProcVersionSignature: Ubuntu 6.8.0-40.40-generic 6.8.12
Uname: Linux 6.8.0-40-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Jul 19 12:17:54 2024
InstallationDate: Installed on 2024-06-16 (33 days ago)
InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Release amd64 (20240424)
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.8.0-40-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: wsdd (Ubuntu)
     Importance: Medium
     Assignee: Alessandro Astone (aleasto)
         Status: In Progress

** Tags: amd64 apport-bug noble wayland-session

** Also affects: wsdd (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: wsdd (Ubuntu)
   Importance: Undecided => Medium

** Changed in: wsdd (Ubuntu)
       Status: New => In Progress

** Changed in: wsdd (Ubuntu)
     Assignee: (unassigned) => Alessandro Astone (aleasto)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2073589

Title:
  Confined executable script needs 'mrix' rule on its shebang only when running inside LXD

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2073589/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs