apparmor DENIED when a systemd unit with DynamicUsers=yes is launched in a lxd container

Bug #1783305 reported by Dimitri John Ledkov
Affects             Status    Importance  Assigned to  Milestone
apparmor (Ubuntu)   New       Undecided   Unassigned
lxd (Ubuntu)        Invalid   Undecided   Unassigned
systemd (Ubuntu)    Invalid   Undecided   Unassigned

Bug Description

$ lxc launch images:debian/sid test-dynamicusers
$ lxc exec test-dynamicusers bash
$ systemd-run --unit=testdynamic -p DynamicUser=yes --uid=xnox /bin/true
$ systemctl status testdynamic.service

# systemctl status testdynamic.service
● testdynamic.service - /bin/true
   Loaded: loaded (/run/systemd/transient/testdynamic.service; transient)
Transient: yes
   Active: failed (Result: exit-code) since Tue 2018-07-24 10:16:13 UTC; 6s ago
  Process: 470 ExecStart=/bin/true (code=exited, status=217/USER)
 Main PID: 470 (code=exited, status=217/USER)

Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Forked /bin/true as 470
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed dead -> running
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Job testdynamic.service/start finished, result=done
Jul 24 10:16:13 systemd239 systemd[1]: Started /bin/true.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed to send unit change signal for testdynamic.service: Connection reset by peer
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Child 470 belongs to testdynamic.service.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Main process exited, code=exited, status=217/USER
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed with result 'exit-code'.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed running -> failed
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Unit entered failed state.

and on the host side, the journal shows:

Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:935): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:936): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:937): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:938): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:939): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:940): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:941): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none

Can we somehow make DynamicUser work in lxd containers?
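When triaging a report like this on the host, the first step is usually to reduce the flood of duplicated AVC lines to a handful of (profile, operation, comm) tuples, so that it is clear which container and which program is hitting the denial. The following is an added example written for this page, not code from the bug reporter, LXD or AppArmor. It parses the two journal line shapes seen above (the `audit[pid]: AVC ...` form delivered over the audit netlink socket and the `kernel: audit: type=1400 ...` form from the kernel log) and tolerates a line truncated at `sock_type=`. The sample journal text is constructed for the example, and the `lxd-<name>_</var/lib/lxd>` profile-name pattern is inferred from the logged profile name.

```python
import re
from collections import Counter

# Constructed sample modelled on the host-side journal excerpt above: one
# netlink-style AVC line per comm, one kernel-style line that is cut off at
# "sock_type=", and an unrelated systemd line that must be ignored.
SAMPLE_JOURNAL = """\
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi systemd[1]: Started Session 5 of user root.
"""

# key="quoted value" is tried first so that values containing '/', '<' and '>'
# (the LXD profile name) stay intact; bare key=value covers pid=, protocol=, addr=.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if the
    line is not one. A trailing 'key=' with no value (a truncated line) is
    simply left out of the result rather than raising."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if 'apparmor' not in fields or 'operation' not in fields:
        return None
    return fields


def summarize_denials(journal_text):
    """Count apparmor="DENIED" events by (profile, operation, comm)."""
    counts = Counter()
    for line in journal_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields and fields.get('apparmor') == 'DENIED':
            key = (fields.get('profile', '?'), fields['operation'], fields.get('comm', '?'))
            counts[key] += 1
    return counts


def lxd_container_name(profile):
    """Recover the container name from an LXD per-container profile name.
    Assumption: the profile is named 'lxd-<name>_<lxd dir>', as in the
    'lxd-systemd239_</var/lib/lxd>' profile logged above."""
    m = re.match(r'lxd-(.+?)_<', profile)
    return m.group(1) if m else None


if __name__ == '__main__':
    for (profile, op, comm), n in summarize_denials(SAMPLE_JOURNAL).most_common():
        print(f'{n:3d}  container={lxd_container_name(profile)}  op={op}  comm={comm}')
```

One caveat when feeding a real `journalctl -k` plus `journalctl _TRANSPORT=audit` mix into this: the kernel `type=1400` line and the `audit[pid]: AVC` line are two copies of the same event, so the counts above double-count unless you restrict to one transport first. The serial in `audit(<ts>:<serial>)` is only present on the kernel copy, so it cannot be used to pair them up.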

Christian Brauner (cbrauner) wrote :

This is an AppArmor bug that I reported and which is tracked here:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227

So please close here in favor of that bug.

Christian

Changed in lxd (Ubuntu):
status: New → Invalid
Changed in systemd (Ubuntu):
status: New → Invalid