odd denial when using recent docker + runc with apparmor (memfd)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Confirmed | Undecided | Unassigned |
Bug Description
I see this denial when building a new version of the docker snap (v18.09.03) that contains new code for mitigation of CVE-2019-5736.
To reproduce this you can build a version of the docker snap using my branch here: https:/
Build the snap using snapcraft, then remove any other instances of the docker snap (and also the docker deb, as they conflict with each other), and then connect all the interfaces:
snap connect docker:support
snap connect docker:home
snap connect docker:privileged
snap connect docker:
snap connect docker:docker-cli docker:
Finally, start the dockerd daemon:
snap start --enable docker.dockerd
Now trying to run any docker container will fail:
$ docker run -it ubuntu bash
docker: Error response from daemon: OCI runtime create failed: container_
And you will see this odd denial in the logs:
Mar 15 14:38:19 audit[7876]: AVC apparmor="DENIED" operation="exec" profile=
The denial goes away if you add
/ ix,
to the AppArmor policy, however.
summary:
- odd denial when using recent docker + runc with apparmor (sealed memfd)
+ odd denial when using recent docker + runc with apparmor (memfd)
Note: we added a workaround rule to snapd, and it is not blocked at this time.
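The mechanism behind the denial in the bug description is the CVE-2019-5736 mitigation in runc: before entering the container, runc copies its own binary (/proc/self/exe) into an anonymous memfd, seals the memfd so the copy can no longer be modified, and re-executes itself from that fd. The exec target is then the memfd's pseudo-path rather than a regular file, which is what an AppArmor profile written for on-disk binaries does not match. The program below is an added illustration of that sequence written for this page; it is not runc's code or the docker snap's code. The memfd name `runc_cloned:/proc/self/exe` is used only as a label here, and the `MEMFD_REEXEC_DONE` environment variable is an invented guard so the re-executed copy stops instead of looping. It is Linux-only (memfd_create, F_ADD_SEALS, fexecve).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy the file at `path` into an anonymous memfd and seal it so that the
 * contents can no longer be grown, shrunk or written. Returns the memfd,
 * or -1 on error (errno is set by the failing syscall). */
int make_sealed_memfd_copy(const char *path, const char *memfd_name)
{
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0)
        return -1;

    /* MFD_ALLOW_SEALING is required, otherwise F_ADD_SEALS fails with EPERM. */
    int fd = memfd_create(memfd_name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) {
        close(src);
        return -1;
    }

    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(fd, buf + off, (size_t)(n - off));
            if (w < 0) {
                close(src);
                close(fd);
                return -1;
            }
            off += w;
        }
    }
    close(src);
    if (n < 0) {
        close(fd);
        return -1;
    }

    /* Seal the copy: after this, nothing (including a container process that
     * later obtains the fd) can alter the bytes that will be executed. */
    if (fcntl(fd, F_ADD_SEALS,
              F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Return 1 if the fd carries the seals a trustworthy self-copy needs. */
int memfd_is_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0)
        return 0;
    int want = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE;
    return (seals & want) == want;
}

/* Attempt to modify a sealed memfd; returns 1 if the kernel refused with EPERM. */
int sealed_write_is_rejected(int fd)
{
    errno = 0;
    ssize_t w = write(fd, "x", 1);
    return w < 0 && errno == EPERM;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (getenv("MEMFD_REEXEC_DONE")) {
        /* Second stage: we are now running from the memfd. /proc/self/exe
         * resolves to the memfd pseudo-path, which is what AppArmor saw as
         * the exec target in the denial reported above. */
        char exe[PATH_MAX];
        ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
        if (n < 0) { perror("readlink"); return 1; }
        exe[n] = '\0';
        printf("running from: %s\n", exe);
        return 0;
    }

    /* First stage: clone ourselves into a sealed memfd and re-exec from it. */
    int fd = make_sealed_memfd_copy("/proc/self/exe", "runc_cloned:/proc/self/exe");
    if (fd < 0) { perror("make_sealed_memfd_copy"); return 1; }
    setenv("MEMFD_REEXEC_DONE", "1", 1);
    /* Under a confining AppArmor profile, this exec of a memfd-backed file is
     * the operation="exec" that gets denied unless the policy permits it. */
    fexecve(fd, argv, environ);
    perror("fexecve");
    return 1;
}
```

Run it unconfined and the second stage prints a path of the form `/memfd:runc_cloned:/proc/self/exe (deleted)`; that pseudo-path, not a file under /snap or /usr, is what an exec rule in the profile has to cover, which is why a rule keyed on the memfd path silences the denial while ordinary binary-path rules do not.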