We have another problem which disappears when I revert
dc757a645cfa82f6ac252365df20a36a9ff82760 ("UBUNTU: SAUCE: apparmor4.0.0
[81/90]: apparmor: convert easy uses of unconfined() to
label_mediates()") commit.

Now it is not connected with unconfined profiles at all; it involves Ubuntu
Noble (host) + LXD (any version) + an Ubuntu 12.04 container. That container
fails to get an IPv4 address using the DHCP client, with the following error:
dhclient3 eth0
RTNETLINK answers: Operation not permitted
RTNETLINK answers: Operation not permitted

On the host side we can see the following AppArmor denial:
Sep 05 12:01:09  kernel: audit: type=1400 audit(1725534069.603:228): apparmor="DENIED" operation="capable" class="cap" namespace="root//lxd-c1_<var-lib-lxd>" profile="/sbin/dhclient" pid=28122 comm="ip" capability=12  capname="net_admin"

Precisely the same user space works well with upstream kernels 6.8.12
and 6.11.0-rc7, but fails on Ubuntu Noble's 6.8.12-based kernel.
Reverting dc757a645cfa82f6ac252365df20a36a9ff82760 makes things work
again.

The reproducer is as simple as running lxc launch ubuntu:12.04 myct and
checking whether myct gets an IPv4 address (it won't).

External link: https://discourse.ubuntu.com/t/containers-with-ubuntu-12-04-5-lts-are-not-getting-ipv4s-anymore

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067900

Title:
  apparmor unconfined profile blocks pivot_root

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2067900/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
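As an added example that is not part of this bug report or of LXD/AppArmor itself: a small Python helper that parses kernel audit lines like the one quoted above, keeps only DENIED "capable" events, and attributes each to the LXD container named in the policy namespace. It assumes the "root//lxd-<name>_<path>" namespace convention visible in the quoted line, and the sample lines are constructed.

```python
import re

# Constructed sample input, modelled on the denial quoted in the bug report
# plus one unrelated ALLOWED event that must be ignored.
SAMPLE_LINES = [
    'Sep 05 12:01:09  kernel: audit: type=1400 audit(1725534069.603:228): '
    'apparmor="DENIED" operation="capable" class="cap" '
    'namespace="root//lxd-c1_<var-lib-lxd>" profile="/sbin/dhclient" '
    'pid=28122 comm="ip" capability=12  capname="net_admin"',
    'Sep 05 12:01:10  kernel: audit: type=1400 audit(1725534070.100:229): '
    'apparmor="ALLOWED" operation="open" class="file" '
    'profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=1234 comm="cupsd"',
]

# key=value pairs; values are either double-quoted or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed LXD naming: policy namespace "root//lxd-<container>_<storage path>"
LXD_NS_RE = re.compile(r'^root//lxd-(?P<name>.+)_<[^>]*>$')


def parse_audit_fields(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def lxd_container_from_namespace(namespace):
    """Map an AppArmor policy namespace to the LXD container name, or None."""
    m = LXD_NS_RE.match(namespace or "")
    return m.group("name") if m else None


def find_capability_denials(lines):
    """Return DENIED capable events, each attributed to its LXD container."""
    hits = []
    for line in lines:
        f = parse_audit_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "capable":
            continue
        hits.append({
            "container": lxd_container_from_namespace(f.get("namespace")),
            "profile": f.get("profile"),
            "comm": f.get("comm"),
            "capability": int(f["capability"]) if "capability" in f else None,
            "capname": f.get("capname"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_capability_denials(SAMPLE_LINES):
        print(hit)
```

Feeding `journalctl -k` output through `find_capability_denials` shows which container and in-container profile is being refused a capability, which is the first thing to check when a kernel update changes how stacked LXD profiles are mediated.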