apparmor DENIED when a systemd unit with DynamicUsers=yes is launched in a lxd container
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apparmor (Ubuntu) | New | Undecided | Unassigned | |
| lxd (Ubuntu) | Invalid | Undecided | Unassigned | |
| systemd (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
```
$ lxc launch images:debian/sid test-dynamicusers
$ lxc exec test-dynamicusers bash
$ systemd-run --unit=testdynamic -p DynamicUser=yes --uid=xnox /bin/true
$ systemctl status testdynamic.service
# systemctl status testdynamic.service
● testdynamic.service - /bin/true
   Loaded: loaded (/run/systemd/
Transient: yes
   Active: failed (Result: exit-code) since Tue 2018-07-24 10:16:13 UTC; 6s ago
  Process: 470 ExecStart=/bin/true (code=exited, status=217/USER)
 Main PID: 470 (code=exited, status=217/USER)

Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.
Jul 24 10:16:13 systemd239 systemd[1]: Started /bin/true.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.
```
and on the host side, the journal shows:
```
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation=
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation=
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation=
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation=
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(153242737
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(153242737
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(153242737
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(153242737
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(153242737
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(153242737
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(153242737
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(153242737
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation=
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation=
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation=
```
Can we somehow make DynamicUser work in lxd containers?
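A host-side triage helper for denials like the ones above, added here as an example; it is not part of the bug report or of the apparmor, lxd or systemd packages. It parses AppArmor AVC records from journal text (both the `audit[pid]: AVC apparmor="DENIED" ...` form and the `kernel: audit: type=1400 audit(...): apparmor="DENIED" ...` form) into key/value fields and counts distinct DENIED events per profile, operation and path, collapsing the kernel and audit-socket copies of the same event. The sample journal lines are constructed, and every field after `operation=` (operation, profile, name, comm, flags) is an assumption, since the report's lines are truncated at that point; the `lxd-<container>_</var/lib/lxd>` profile name is likewise assumed.

```python
import re
from collections import Counter

# Constructed sample journal text. Field values after operation= are assumptions
# chosen for illustration; they are not taken from the (truncated) bug report.
SAMPLE_JOURNAL = """\
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-test-dynamicusers_</var/lib/lxd>" name="/run/systemd/dynamic-uid/" pid=14904 comm="(true)" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev"
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="ptrace" profile="lxd-test-dynamicusers_</var/lib/lxd>" pid=3198 comm="systemd" requested_mask="read" denied_mask="read" peer="unconfined"
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.123:45): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-test-dynamicusers_</var/lib/lxd>" name="/run/systemd/dynamic-uid/" pid=14904 comm="(true)" fstype="tmpfs" srcname="tmpfs" flags="rw, nosuid, nodev"
Jul 24 11:16:13 sochi systemd[1]: Started Session 3 of user xnox.
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc_line(line):
    """Return the key/value fields of an AppArmor AVC record, or None if the
    journal line is not one. The syslog prefix (timestamp, host, unit, audit
    serial) is dropped; parsing starts at the first apparmor= field."""
    marker = 'apparmor="'
    if marker not in line:
        return None
    body = line[line.index(marker):]
    fields = {}
    for key, raw in KV_RE.findall(body):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def summarize_denials(journal_text):
    """Count distinct DENIED events per (profile, operation, name).

    journald carries the same kernel AVC event twice, once via the audit socket
    and once from the kernel ring buffer, so events are deduplicated on
    (pid, operation, name, comm). That key is a heuristic: two genuinely
    separate denials of the same path by the same pid would be merged."""
    seen = set()
    counts = Counter()
    for line in journal_text.splitlines():
        fields = parse_avc_line(line)
        if not fields or fields.get('apparmor') != 'DENIED':
            continue
        event_key = (fields.get('pid'), fields.get('operation'),
                     fields.get('name'), fields.get('comm'))
        if event_key in seen:
            continue
        seen.add(event_key)
        counts[(fields.get('profile'), fields.get('operation'), fields.get('name'))] += 1
    return counts


def denials_for_container(journal_text, container):
    """Filter the summary down to one LXD container's profile. The profile name
    pattern lxd-<name>_</var/lib/lxd> is an assumption for this example."""
    profile = 'lxd-%s_</var/lib/lxd>' % container
    return {k: v for k, v in summarize_denials(journal_text).items() if k[0] == profile}


if __name__ == '__main__':
    # On a real host: journalctl -k -o short | python3 this_script.py (reading stdin)
    for (profile, op, name), n in sorted(summarize_denials(SAMPLE_JOURNAL).items()):
        print('%dx profile=%s operation=%s name=%s' % (n, profile, op, name))
```

Feeding `journalctl -k` output from the host into `summarize_denials` gives a per-operation view of what the container's profile blocked, which is the first thing to establish before deciding whether the fix belongs in the AppArmor profile, the kernel or the unit's sandboxing options.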
This is an AppArmor bug that I reported and which is tracked here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227
So please close here in favor of that bug.
Christian