
Comment 1 for bug 2046486

Nick Rosbrook (enr0n) wrote : Re: units with SetCredential= fail in LXD containers

This is the apparmor denial:

audit: type=1400 audit(1704299091.131:665): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-noble_</var/snap/lxd/common/lxd>" name="/dev/shm/" pid=71828 comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, bind"

which corresponds to:

Dec 14 19:24:24 noble (sd-[2184]: Failed to mount n/a (type n/a) on /dev/shm (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOSYMFOLLOW|MS_BIND ""): Permission denied

from the journal output above. Taking a look at the AppArmor profile created by LXD, it seems that the problematic flag is MS_NOSYMFOLLOW; there is a rule in /var/snap/lxd/common/lxd/security/apparmor/profiles/lxd-noble on my machine that allows the flags (ro,remount,bind,nosuid,noexec,nodev) for /dev/shm and others.

I think it probably makes the most sense to allow this flag combination in the AppArmor profile created by LXD.
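The flag comparison described in the comment, as an added triage example (not part of the bug report or of LXD): it takes the MS_* flags from the systemd journal line, translates them to AppArmor option names and diffs them against the option set of a profile rule. The audit denial above does not list nosymfollow, so the journal line is the input that actually exposes the mismatch. The journal line is reconstructed from the one quoted above, and the rule text is an assumed AppArmor-style rule carrying the flag set the comment names.

```python
import re

# Kernel MS_* mount flags (as systemd logs them) mapped to the option names
# AppArmor uses in mount rules. Limited to the flags that occur in this bug.
MS_TO_APPARMOR = {
    "MS_RDONLY": "ro",
    "MS_NOSUID": "nosuid",
    "MS_NODEV": "nodev",
    "MS_NOEXEC": "noexec",
    "MS_REMOUNT": "remount",
    "MS_BIND": "bind",
    "MS_NOSYMFOLLOW": "nosymfollow",
}

# Constructed sample input, modelled on the journal line quoted in the comment.
JOURNAL_LINE = (
    "Failed to mount n/a (type n/a) on /dev/shm "
    "(MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOSYMFOLLOW|MS_BIND \"\"): "
    "Permission denied"
)

# Assumed rule in AppArmor mount-rule syntax; the option set is the one the
# comment says the LXD profile allows for /dev/shm (exact rule text not on the page).
PROFILE_RULE = "mount options=(ro,remount,bind,nosuid,noexec,nodev) -> /dev/shm/,"


def journal_flags(line):
    """MS_* flags from a systemd 'Failed to mount' line, as AppArmor option names.
    Flags without a known mapping are kept verbatim so they appear in the diff."""
    m = re.search(r"\(((?:MS_[A-Z_]+\|?)+)", line)
    if not m:
        return set()
    return {MS_TO_APPARMOR.get(f, f) for f in m.group(1).split("|")}


def rule_flags(rule):
    """Option names listed in an AppArmor mount rule's options=(...) clause."""
    m = re.search(r"options=\(([^)]*)\)", rule)
    if not m:
        return set()
    return {f.strip() for f in m.group(1).split(",") if f.strip()}


def unmatched_flags(line, rule):
    """Flags the mount attempt used that the rule's option set does not list.
    One such flag is enough for AppArmor to report 'failed flags match'."""
    return journal_flags(line) - rule_flags(rule)


if __name__ == "__main__":
    print(sorted(unmatched_flags(JOURNAL_LINE, PROFILE_RULE)))  # ['nosymfollow']
```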