Apparmor problem inside a lxd container

Bug #1666748 reported by Simon Déziel
Affects: apparmor (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I've been running /usr/sbin/sshd in a custom Apparmor profile [*] for a long time and it works well.
When I loaded the same profile in a lxd container (named ganymede), it didn't work at all:

apparmor="DENIED" operation="file_perm" namespace="root//lxd-ganymede_<var-lib-lxd>" profile="/usr/sbin/sshd" pid=30870 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="---"

Additional information about my environment:

Both the host and the guest are up-to-date Xenials.

root@jupiter:~# apt-cache policy linux-image-4.4.0-63-generic apparmor openssh-server
linux-image-4.4.0-63-generic:
  Installed: 4.4.0-63.84
  Candidate: 4.4.0-63.84
  Version table:
 *** 4.4.0-63.84 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
apparmor:
  Installed: 2.10.95-0ubuntu2.5
  Candidate: 2.10.95-0ubuntu2.5
  Version table:
 *** 2.10.95-0ubuntu2.5 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.10.95-0ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
openssh-server:
  Installed: 1:7.2p2-4ubuntu2.1
  Candidate: 1:7.2p2-4ubuntu2.1
  Version table:
 *** 1:7.2p2-4ubuntu2.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:7.2p2-4 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

*: https://github.com/simondeziel/aa-profiles/blob/4d7fbd9fcca4bd62d97e8d0ba2cdc35e8d48d096/16.04/usr.sbin.sshd

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor 2.10.95-0ubuntu2.5
ProcVersionSignature: Ubuntu 4.4.0-63.84-generic 4.4.44
Uname: Linux 4.4.0-63-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Tue Feb 21 21:25:55 2017
InstallationDate: Installed on 2016-12-19 (64 days ago)
InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161219)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.4.0-63-generic.efi.signed root=UUID=b23cf18f-e8d0-4a4f-9e8d-6aa47569e86b ro possible_cpus=2 nmi_watchdog=0 kaslr vsyscall=none transparent_hugepage=never
PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree'
SourcePackage: apparmor
Syslog:

UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hi Simon, could you capture the output of apparmor_parser -p on your sshd profile? There's no 'unix' rules in the portion pasted to github.

Also, does 'peer="---"' ring any bells for you?

Thanks

Revision history for this message
Simon Déziel (sdeziel) wrote : Re: [Bug 1666748] Re: Apparmor problem inside a lxd container

On 2017-02-21 09:58 PM, Seth Arnold wrote:
> Hi Simon, could you capture the output of apparmor_parser -p on your
> sshd profile?

Here it is: https://paste.ubuntu.com/24044131/

> There's no 'unix' rules in the portion pasted to github.

Indeed, I only added this workaround later on:

  # required within a container/namespace
  unix (send,receive) type=stream addr=none,

I don't like this workaround because I cannot make sense of it and I don't
even understand it...

> Also, does 'peer="---"' ring any bells for you?

Nope, sorry.

Thanks Seth,
Simon

Revision history for this message
John Johansen (jjohansen) wrote :

The peer="---" is likely due to bug 1660832, which has been fixed in the latest set of kernels that should be rolling out this week.

Revision history for this message
Simon Déziel (sdeziel) wrote :

I'm also seeing those with my smb servers:

apparmor="DENIED" operation="file_perm" namespace="root//lxd-smb_<var-lib-lxd>" profile="/usr/sbin/smbd" pid=15865 comm="smbd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="---"

On those I also have this:

apparmor="DENIED" operation="file_inherit" namespace="root//lxd-smb_<var-lib-lxd>" profile="/usr/sbin/smbd" name="/run/systemd/journal/stdout" pid=3755 comm="smbd" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

I also have no clue about the above.

John, is there any test kernel I could try before something more official hits -proposed?
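The denial records quoted in this bug (the sshd unix-socket denial in the description, the "unix (send,receive) type=stream addr=none," workaround Simon posted, and the smbd unix-socket and file_inherit denials above) all share the same key=value audit format. The following is an added example, not code from the bug, from AppArmor, or from aa-logprof: it parses such records, flags the two things a practitioner wants to see at a glance when triaging denials from a container (a child policy namespace, and the unresolved peer="---" that John attributes to a kernel bug), and derives the narrowest rule shape the record supports. The sample log lines are constructed to match the three records quoted on this page; the unix rule it emits is the workaround from the bug, and the file rule it emits for file_inherit is ordinary AppArmor file-rule syntax. Which denials deserve a rule is a judgement call the code does not make.

```python
import re
from typing import Optional

# Constructed sample records, modelled on the three denials quoted in this
# bug report (not captured from a live system).
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_perm" namespace="root//lxd-ganymede_<var-lib-lxd>" profile="/usr/sbin/sshd" pid=30870 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="---"
apparmor="DENIED" operation="file_perm" namespace="root//lxd-smb_<var-lib-lxd>" profile="/usr/sbin/smbd" pid=15865 comm="smbd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="---"
apparmor="DENIED" operation="file_inherit" namespace="root//lxd-smb_<var-lib-lxd>" profile="/usr/sbin/smbd" name="/run/systemd/journal/stdout" pid=3755 comm="smbd" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536
"""

# AppArmor audit fields are key=value; the value is either double-quoted
# (may contain spaces, e.g. "send receive") or a bare non-space token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> dict:
    """Split one AppArmor audit record into a dict of its key/value fields."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def in_child_namespace(rec: dict) -> bool:
    """True when the record came from a policy namespace below root.

    LXD containers get a namespace like root//lxd-<name>_<...>; denials
    from the host's own profiles carry no '//' separator.
    """
    return "//" in rec.get("namespace", "")


def peer_is_unresolved(rec: dict) -> bool:
    """True when the kernel logged the socket peer as '---'.

    In this bug the AppArmor maintainer attributes that value to a kernel
    bug (LP 1660832), so a rule generated from such a record is a
    diagnostic, not a fix.
    """
    return rec.get("peer") == "---"


def suggest_rule(rec: dict) -> Optional[str]:
    """Return the narrowest AppArmor rule this denial record supports.

    Only the two record shapes seen in this bug are handled:
    - unix-socket denials (family="unix"): a 'unix' rule restricted to the
      observed socket type and address, i.e. the workaround from the bug;
    - file_inherit denials that carry a name=: a plain file rule.
    Anything else returns None rather than guessing.
    """
    if rec.get("apparmor") != "DENIED":
        return None
    if rec.get("family") == "unix":
        perms = ",".join(rec["denied_mask"].split())
        parts = ["unix (%s)" % perms, "type=%s" % rec["sock_type"]]
        if rec.get("addr"):
            parts.append("addr=%s" % rec["addr"])
        return " ".join(parts) + ","
    if rec.get("operation") == "file_inherit" and "name" in rec:
        # Canonicalise the permission letters ("wr" -> "rw").
        perms = "".join(sorted(set(rec["denied_mask"])))
        return "%s %s," % (rec["name"], perms)
    return None


def summarize(log_text: str) -> list:
    """Parse every DENIED line and pair it with context flags and a rule."""
    out = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = parse_audit_line(line)
        out.append({
            "profile": rec.get("profile"),
            "namespace": rec.get("namespace"),
            "operation": rec.get("operation"),
            "containerised": in_child_namespace(rec),
            "peer_unresolved": peer_is_unresolved(rec),
            "rule": suggest_rule(rec),
        })
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        flags = []
        if entry["containerised"]:
            flags.append("container")
        if entry["peer_unresolved"]:
            flags.append('peer="---"')
        print("%-16s %-13s [%s]" % (entry["profile"], entry["operation"],
                                     ", ".join(flags)))
        print("    " + (entry["rule"] or "(no rule derived)"))
```

Run it against a copy of the container's kern.log or journal output to see, per profile, which denials come from a child namespace and which carry the unresolved peer. Treat the emitted rules the way the bug treats the workaround: a rule that only papers over a kernel defect should be dropped once the fixed kernel (4.4.0-65.86 here) is in place, otherwise the profile ends up wider than the service needs.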

Revision history for this message
John Johansen (jjohansen) wrote :

You can try the set of kernels in

http://people.canonical.com/~jj/linux+jj/

Revision history for this message
Simon Déziel (sdeziel) wrote :

On 2017-02-22 02:19 PM, John Johansen wrote:
> You can try the set of kernel in
>
> http://people.canonical.com/~jj/linux+jj/

I haven't had a chance to try those kernels but 4.4.0-65.86 has just hit
-proposed so I'll give it a try and report back, thanks.

Revision history for this message
Simon Déziel (sdeziel) wrote :

The problem with the Unix socket is indeed fixed by 4.4.0-65.86.
Thanks John. I have other issues with AA in namespaces which I will report in other LPs.
