Apparmor problem inside a lxd container

Bug #1666748 reported by Simon Déziel on 2017-02-22
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned

Bug Description

I've been running /usr/sbin/sshd in a custom Apparmor profile [*] for a long time and it works well.
When I loaded the same profile in a lxd container (named ganymede), it didn't work at all:

apparmor="DENIED" operation="file_perm" namespace="root//lxd-ganymede_<var-lib-lxd>" profile="/usr/sbin/sshd" pid=30870 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="---"

Additional information about my environment:

Both the host and the guest are up to date Xenials.

root@jupiter:~# apt-cache policy linux-image-4.4.0-63-generic apparmor openssh-server
linux-image-4.4.0-63-generic:
  Installed: 4.4.0-63.84
  Candidate: 4.4.0-63.84
  Version table:
 *** 4.4.0-63.84 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
apparmor:
  Installed: 2.10.95-0ubuntu2.5
  Candidate: 2.10.95-0ubuntu2.5
  Version table:
 *** 2.10.95-0ubuntu2.5 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.10.95-0ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
openssh-server:
  Installed: 1:7.2p2-4ubuntu2.1
  Candidate: 1:7.2p2-4ubuntu2.1
  Version table:
 *** 1:7.2p2-4ubuntu2.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:7.2p2-4 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

*: https://github.com/simondeziel/aa-profiles/blob/4d7fbd9fcca4bd62d97e8d0ba2cdc35e8d48d096/16.04/usr.sbin.sshd

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor 2.10.95-0ubuntu2.5
ProcVersionSignature: Ubuntu 4.4.0-63.84-generic 4.4.44
Uname: Linux 4.4.0-63-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Tue Feb 21 21:25:55 2017
InstallationDate: Installed on 2016-12-19 (64 days ago)
InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161219)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.4.0-63-generic.efi.signed root=UUID=b23cf18f-e8d0-4a4f-9e8d-6aa47569e86b ro possible_cpus=2 nmi_watchdog=0 kaslr vsyscall=none transparent_hugepage=never
PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree'
SourcePackage: apparmor
Syslog:

UpgradeStatus: No upgrade log present (probably fresh install)

Simon Déziel (sdeziel) wrote :
Seth Arnold (seth-arnold) wrote :

Hi Simon, could you capture the output of apparmor_parser -p on your sshd profile? There's no 'unix' rules in the portion pasted to github.

Also, does 'peer="---"' ring any bells for you?

Thanks

On 2017-02-21 09:58 PM, Seth Arnold wrote:
> Hi Simon, could you capture the output of apparmor_parser -p on your
> sshd profile?

Here it is: https://paste.ubuntu.com/24044131/

> There's no 'unix' rules in the portion pasted to github.

Indeed, I only added this workaround later on:

  # required within a container/namespace
  unix (send,receive) type=stream addr=none,

I don't like this workaround because I cannot make sense of it and I'm
not even understanding it...

> Also, does 'peer="---"' ring any bells for you?

Nope, sorry.

Thanks Seth,
Simon

John Johansen (jjohansen) wrote :

The peer="---" is likely due to bug 1660832, which has been fixed in the latest set of kernels that should be rolling out this week.

Simon Déziel (sdeziel) wrote :

I'm also seeing those with my smb servers:

apparmor="DENIED" operation="file_perm" namespace="root//lxd-smb_<var-lib-lxd>" profile="/usr/sbin/smbd" pid=15865 comm="smbd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive"
denied_mask="send receive" addr=none peer_addr=none peer="---"

On those I also have this:

apparmor="DENIED" operation="file_inherit" namespace="root//lxd-smb_<var-lib-lxd>" profile="/usr/sbin/smbd" name="/run/systemd/journal/stdout" pid=3755 comm="smbd" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

I also have no clue about the above.

John, is there any test kernel I could try before something more official hits -proposed?

John Johansen (jjohansen) wrote :

You can try the set of kernel in

http://people.canonical.com/~jj/linux+jj/

Simon Déziel (sdeziel) wrote :

On 2017-02-22 02:19 PM, John Johansen wrote:
> You can try the set of kernel in
>
> http://people.canonical.com/~jj/linux+jj/

I haven't had a chance to try those kernels but 4.4.0-65.86 has just hit
-proposed so I'll give it a try and report back, thanks.

Simon Déziel (sdeziel) wrote :

The problem with the Unix socket is indeed fixed by 4.4.0-65.86.
Thanks John. I have other issues with AA in namespaces which I will report in other LPs.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers