Cannot run "sudo chroot ." in Terminal

Bug #1534807 reported by dobey
This bug affects 5 people

Affects / Importance / Assigned to:
Canonical System Image: Medium, Jamie Strandboge
apparmor-easyprof-ubuntu (Ubuntu): Undecided, Unassigned

Bug Description

The Terminal app is being denied exec of the shell inside a chroot when attempting to run `sudo chroot .`:

Jan 15 15:09:22 ubuntu-phablet kernel: [66337.301777] type=1400 audit(1452888562.238:76): apparmor="DENIED" operation="exec" profile="com.ubuntu.terminal_terminal_0.7.140" name="/home/phablet/vivid-chroot/bin/bash" pid=30547 comm="chroot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

It would be nice to fix this so that sudo chroot . will work, so that people can use a chroot to install additional console apps and tools, rather than using writable images, following the instructions on AskUbuntu at http://bit.ly/1RLv3g9

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Confirmed
Myrmidon83 (myrmidon83) wrote:

Utilising the command from the guide linked above, 'sudo chroot .' from inside the chroot directory gives the following error:

chroot: failed to run command '/bin/bash': Permission denied

Jamie Strandboge (jdstrand) wrote:

The reason why this doesn't work is because this rule carves out /home:
/[^h][^o][^m][^e]** pix,

We needed to do that for autopilot fakeenv-style tests. I think this style of test has been abandoned due to other issues though; if that is true, I can simplify the exec transition rules and remove these autopilot rules. Nicholas, can you comment?

Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → Nicholas Skaggs (nskaggs)
status: Confirmed → Incomplete
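As an added illustration (not code from the bug report or from the apparmor-easyprof-ubuntu package), the following Python translates the quoted rule's path globbing into a regular expression and checks it against the path in the audit line above, showing why `/home/...` falls outside the rule; the glob subset handled, the helper names and the audit-line parser are my own assumptions.

```python
import re

# The exec rule quoted in the bug: `/[^h][^o][^m][^e]** pix,`
RULE_PATH = "/[^h][^o][^m][^e]**"

# The AppArmor audit line quoted in the report, used here as sample input.
SAMPLE_DENIAL = ('type=1400 audit(1452888562.238:76): apparmor="DENIED" operation="exec" '
                 'profile="com.ubuntu.terminal_terminal_0.7.140" '
                 'name="/home/phablet/vivid-chroot/bin/bash" pid=30547 comm="chroot" '
                 'requested_mask="x" denied_mask="x" fsuid=0 ouid=0')


def apparmor_glob_to_regex(glob: str) -> re.Pattern:
    """Translate the subset of AppArmor path globbing used by RULE_PATH (assumed
    semantics): '**' matches any run of characters including '/', '*' matches any
    run without '/', '[...]' / '[^...]' are character classes, all else is literal."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])  # character class passes through unchanged
            i = j + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_permits_exec(rule_glob: str, path: str) -> bool:
    """True when the exec rule's path glob covers the given executable path."""
    return apparmor_glob_to_regex(rule_glob).match(path) is not None


def parse_denial(line: str) -> dict:
    """Pull key=value fields (quoted or bare) out of an AppArmor audit line."""
    return dict(re.findall(r'(\w+)="?([^"\s]*)"?', line))


def explain_denial(line: str, rule_glob: str = RULE_PATH) -> str:
    """Relate an exec denial to the rule: was the denied path simply never covered?"""
    f = parse_denial(line)
    if f.get("apparmor") != "DENIED" or "x" not in f.get("denied_mask", ""):
        return "not an exec denial"
    if rule_permits_exec(rule_glob, f["name"]):
        return f"{f['name']}: covered by {rule_glob}, look elsewhere for the cause"
    return f"{f['name']}: not covered by {rule_glob} in profile {f['profile']}, exec denied"
```

Note that the negated character classes exclude more than `/home`: any path whose first four characters after the leading `/` include an `h`, `o`, `m` or `e` at the respective position (for example `/root/...`) is also left out, which is the kind of over-broad side effect that motivates simplifying these transition rules.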
Nicholas Skaggs (nskaggs) wrote:

Jamie, I thought we had dropped all the fakeenv rules for autopilot? Indeed we did switch to the notion of having dedicated devices that we manually curate into known states before testing.

So all rules that support faking envs or mocking for autopilot can be removed.

dobey (dobey)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Incomplete → Confirmed
dobey (dobey) wrote:

Adding system-image to the bug, so it can get tagged for the OTA.

Jamie Strandboge (jdstrand) wrote:

This was fixed in apparmor-easyprof-ubuntu in wily 15.10.3. This only needs an update for OTA. IMO this change is fine for OTA because relatively few applications use the unconfined template.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: Nicholas Skaggs (nskaggs) → nobody
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote:

This is queued for 1.3.16. I need a member of the Touch release team to comment if this should be in OTA 10.

Pat McGowan (pat-mcgowan) wrote:

sounds ok

Changed in canonical-devices-system-image:
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
milestone: none → ww08-2016
status: New → Confirmed
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote:
Changed in canonical-devices-system-image:
status: In Progress → Fix Committed
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released