Conflict between apparmor and guix on Ubuntu 24.04

Bug #2064115 reported by W. J. van der Laan
Affects: guix (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

On Ubuntu 24.04 I'm unable to use GNU Guix as installed from the apt repository.

Version:
Package: guix
Architecture: amd64
Version: 1.4.0-6build1

To reproduce:
- Install a fresh 23.10 host
- Upgrade to 24.04 with `do-release-upgrade -d` (but I've heard reports that this also happens with a clean 24.04 install), reboot
- `apt install guix`
- Create an unprivileged user with adduser
- `guix environment -C` as the user gives:
```
$ guix environment -C
guix environment: warning: no packages specified; creating an empty environment
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
0.4 MB will be downloaded
 glibc-utf8-locales-2.33 382KiB 1.5MiB/s 00:00 [##################] 100.0%
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
The following derivation will be built:
  /gnu/store/19qqzzam5250zsxakc4ym0a28b4sd8nv-profile.drv

22.1 MB will be downloaded
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
 bash-5.1.8-doc 301KiB 1.8MiB/s 00:00 [##################] 100.0% bash-static-5.1.8 646KiB 6.4MiB/s 00:00 [##################] 100.0% module-import-compiled 102KiB 3.5MiB/s 00:00 [##################] 100.0% glibc-2.33 13.1MiB 16.8MiB/s 00:01 [##################] 100.0% bash-minimal-5.1.8 624KiB 26.4MiB/s 00:00 [##################] 100.0% gcc-10.3.0-lib 9.0MiB 13.8MiB/s 00:01 [##################] 100.0% libffi-3.3 67KiB 12.2MiB/s 00:00 [##################] 100.0% libgc-8.0.4 262KiB 12.7MiB/s 00:00 [##################] 100.0% libunistring-0.9.10 781KiB 15.1MiB/s 00:00 [##################] 100.0% ncurses-6.2.20210619 1.1MiB 2.9MiB/s 00:00 [##################] 100.0% pkg-config-0.29.2 454KiB 21.4MiB/s 00:00 [#################] 100.0% readline-8.1.1 552KiB 21.6MiB/s 00:00 [##################] 100.0% guile-3.0.7 10.7MiB 13.0MiB/s 00:01 [##################] 100.0% bash-5.1.8 2.2MiB 16.1MiB/s 00:00 [##################] 100.0%

building profile with 0 packages...
 bash-5.1.8-include 80KiB 3.3MiB/s 00:00 [##################] 100.0%
guix environment: error: mount: mount "none" on "/tmp/guix-directory.V6IzTc": Permission denied
```

dmesg shows:
```
[ 264.017001] audit: type=1400 audit(1714394120.696:128): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=2579 comm="guix" requested="userns_create" target="unprivileged_userns"
[ 264.023016] audit: type=1400 audit(1714394120.702:129): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/tmp/guix-directory.V6IzTc/" pid=2611 comm="guix" fstype="tmpfs" srcname="none"
```
It appears that the unprivileged user namespace doesn't allow a bind-mount that guix requires.
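The two audit records above are the signature of this failure: an `AUDIT` record for the transition into the stacked `unprivileged_userns` profile, followed by a `DENIED` mount under that profile. As an added example (not part of the bug report), here is a small Python parser that classifies such dmesg lines and reports which programs were denied under `unprivileged_userns`; the sample input is constructed from the records above plus one unrelated denial, and the sysctl path is Ubuntu's `kernel.apparmor_restrict_unprivileged_userns` toggle.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two records from the report plus an unrelated file denial.
SAMPLE_DMESG = """\
[ 264.017001] audit: type=1400 audit(1714394120.696:128): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=2579 comm="guix" requested="userns_create" target="unprivileged_userns"
[ 264.023016] audit: type=1400 audit(1714394120.702:129): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/tmp/guix-directory.V6IzTc/" pid=2611 comm="guix" fstype="tmpfs" srcname="none"
[ 300.000000] audit: type=1400 audit(1714394156.000:130): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/shadow" pid=3000 comm="firefox" requested_mask="r" denied_mask="r"
"""

# key="quoted value" (may contain spaces) or key=bare_value
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one type=1400 AppArmor record, or None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_userns_restriction_denial(fields: Dict[str, str]) -> bool:
    """True when a process stacked into `unprivileged_userns` is denied inside its namespace."""
    return fields.get("apparmor") == "DENIED" and fields.get("profile") == "unprivileged_userns"


def affected_programs(dmesg_text: str) -> List[str]:
    """Distinct comm= names hit by the unprivileged user namespace restriction, in order."""
    seen: List[str] = []
    for line in dmesg_text.splitlines():
        f = parse_audit_line(line)
        if f and is_userns_restriction_denial(f) and f.get("comm") not in seen:
            seen.append(f["comm"])
    return seen


def restriction_sysctl_enabled(
    path: str = "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
) -> Optional[bool]:
    """Read Ubuntu's userns restriction toggle; None when the kernel does not expose it."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    print("restriction sysctl enabled:", restriction_sysctl_enabled())
    print("programs denied under unprivileged_userns:", affected_programs(SAMPLE_DMESG))
```

On an affected host, feed it `dmesg` (or `journalctl -k`) output to confirm that a "Permission denied" from an unrelated tool is this restriction rather than a bug in the tool itself.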

W. J. van der Laan (laanwj) wrote :

Uninstalling `apparmor` and rebooting is the only thing I have found that makes it work.

Selectively disabling the specific ruleset with:

```
# aa-disable unprivileged_userns
```

gives a new error:

```
$ guix environment -C
guix environment: warning: no packages specified; creating an empty environment
guix environment: error: clone: 2114060305: Permission denied
```

Same for temporarily turning off apparmor entirely.

W. J. van der Laan (laanwj) wrote :

Looks like this is a case of https://bugs.launchpad.net/apparmor/+bug/2046844

What does work as a workaround is to create a specific AppArmor profile for guix that is really unconfined and allows user namespaces:

Create a file /etc/apparmor.d/guix:

```
abi <abi/4.0>,
include <tunables/global>

profile guix /usr/bin/guix flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/guix>
}
```

Then do:

```
/etc/init.d/apparmor reload
aa-enforce guix
```

Sjors (sjors-sprovoost) wrote :

First time I tried this workaround the "aa-enforce guix" command threw an error about an unrelated file somewhere in /etc/init.d/apparmor (forgot to write down which, just remember that it used "runbindable").

I uninstalled and purged apparmor, just to try if the Guix build would work. It did.

I then reinstalled apparmor (and apparmor-utils), and rebooted, to check if I still got the original permission error. I did.

Then I applied your workaround again, except I set the path to /home/guix/.config/guix/current/bin/guix

This time I got a cryptic error:

```
$ sudo aa-enforce guix
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 33, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 134, in cmd_enforce
    for (program, prof_filename, output_name) in self.get_next_for_modechange():
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 97, in get_next_for_modechange
    aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: 'str' object is not callable
```

An unexpected error occurred!

Maybe it's a Python issue? My default Python via PyEnv is 3.11.7

I also tried the symlink destination /gnu/store/7xnx56qdzvzm3hkg01y4k4c5x5pk8qpv-guix-command

Sjors (sjors-sprovoost) wrote :

Using the Ubuntu 24.04 default Python version, 3.12.3, instead did not help. I attached the longer error log.

Sjors (sjors-sprovoost) wrote :

Oddly enough, despite the above error, guix builds work fine.
