Quasselcore apparmor profile issue in lxd container.

Bug #1814302 reported by Yancy Burns on 2019-02-01
This bug affects 4 people

Affects                  Status                    Importance  Assigned to     Milestone
AppArmor                                           Undecided   Unassigned
apparmor (Ubuntu)        Status tracked in Groovy
  Bionic                                           Undecided   Unassigned
  Focal                                            Undecided   Unassigned
  Groovy                                           Undecided   Unassigned
quassel (Ubuntu)         Status tracked in Groovy
  Bionic                                           Medium      Dan Streetman
  Focal                                            Medium      Dan Streetman
  Groovy                                           Medium      Dan Streetman

Bug Description

[impact]

quasselcore cannot start inside lxd container

[test case]

create lxd container, install quassel-core, check quasselcore service:

$ systemctl status quasselcore
● quasselcore.service - distributed IRC client using a central core component
     Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
     Active: failed (Result: signal) since Tue 2020-06-30 18:32:40 UTC; 4s ago
       Docs: man:quasselcore(1)
    Process: 3853 ExecStart=/usr/bin/quasselcore --configdir=${DATADIR} --logfile=${LOGFILE} --loglevel=${LOGLEVEL} --port=${PORT} --listen=${LISTEN} (code=killed, signal=SEGV)
   Main PID: 3853 (code=killed, signal=SEGV)

Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Scheduled restart job, restart counter is at 7.
Jun 30 18:32:40 lp1814302-f systemd[1]: Stopped distributed IRC client using a central core component.
Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Start request repeated too quickly.
Jun 30 18:32:40 lp1814302-f systemd[1]: quasselcore.service: Failed with result 'signal'.
Jun 30 18:32:40 lp1814302-f systemd[1]: Failed to start distributed IRC client using a central core component.

Also, the binary will segfault when run directly due to apparmor denials:

$ /usr/bin/quasselcore
Segmentation fault

[760149.590802] audit: type=1400 audit(1593542073.962:1058): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-lp1814302-f_<var-snap-lxd-common-lxd>" profile="/usr/bin/quasselcore" name="/usr/bin/quasselcore" pid=2006430 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000

[regression potential]

this expands the apparmor profile, so any regression would likely involve problems while starting due to apparmor.

[scope]

this is needed for b/f/g.

this is also needed for e, but that is EOL in weeks and this is not important enough to bother there.

[original description]

Fresh install of Ubuntu 18.04. lxd installed from snap. Fresh 18.04 container. Everything up to date via apt.

Install quassel-core. Service will not start.

Setting "aa-complain /usr/bin/quasselcore" allows quasselcore to start.

I then added "/usr/bin/quasselcore rm," to "/etc/apparmor.d/usr.bin.quasselcore".

Set "aa-enforce /usr/bin/quasselcore". Restarted main host.

Quasselcore service now starts and I can connect to it.
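
As an added example (not code from the bug report or the quassel package), the POSIX shell helper below turns an AppArmor DENIED audit line like the one in the test case above into the candidate profile rule (here "/usr/bin/quasselcore rm,") and flags whether the denial was logged from a nested LXD policy namespace rather than the host's. The file_mmap-to-"rm" mapping is a simplification of what aa-logprof does, and the sample line is constructed after the one in the report.

```shell
#!/bin/sh
# Triage helper for AppArmor "DENIED" audit lines as seen in dmesg inside
# an LXD container. Constructed sample line, modelled on the bug report.

# Return the value of key="value" from an audit line; empty if absent.
aa_field() {
    # $1 = audit line, $2 = key (e.g. name, operation, namespace)
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\([^\"]*\)\".*/\1/p"
}

# Map operation + requested_mask to file-rule permissions.
# Assumption: a file_mmap denial needs 'm' on top of the requested 'r';
# other file operations keep the requested mask as-is.
aa_perms() {
    op=$1; mask=$2
    case $op in
        file_mmap) printf '%sm\n' "$mask" ;;
        *)         printf '%s\n' "$mask" ;;
    esac
}

# Print a candidate rule for one DENIED line; non-zero if not a denial.
aa_suggest_rule() {
    line=$1
    [ "$(aa_field "$line" apparmor)" = "DENIED" ] || return 1
    name=$(aa_field "$line" name)
    perms=$(aa_perms "$(aa_field "$line" operation)" \
                     "$(aa_field "$line" requested_mask)")
    printf '%s %s,\n' "$name" "$perms"
}

# "nested" when the namespace field is a child namespace such as LXD's
# root//lxd-<container>_<...>; "host" when absent or plain "root".
aa_namespace_kind() {
    case "$(aa_field "$1" namespace)" in
        */*) echo nested ;;
        *)   echo host ;;
    esac
}

SAMPLE='[760149.590802] audit: type=1400 audit(1593542073.962:1058): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-lp1814302-f_<var-snap-lxd-common-lxd>" profile="/usr/bin/quasselcore" name="/usr/bin/quasselcore" pid=2006430 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000'

aa_suggest_rule "$SAMPLE"     # /usr/bin/quasselcore rm,
aa_namespace_kind "$SAMPLE"   # nested
```

Feed real lines with something like `dmesg | grep 'apparmor="DENIED"'` inside the container; a "nested" result tells you the policy being enforced is the container's own copy of the profile, which is the case this bug describes.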

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in quassel (Ubuntu):
status: New → Confirmed
Robert Pendell (shinji257) wrote :

The above workaround isn't enough to totally resolve the issues with AppArmor and this application inside LXD. I also had to switch to aa-complain for PostgreSQL migration so features will have to be thoroughly tested to identify it. I'm willing to set up a secondary instance to do any testing that is necessary but I don't know anything about AppArmor to fix the profile.

Added note: It seems that migration may be broken in Quassel-Core in general but I'm reporting that on their tracker as it seems to be a bug on their end but setting up for PostgreSQL seemed to work in complain mode. It is untested in enforce mode.

Dan Streetman (ddstreet) on 2020-06-30
Changed in apparmor (Ubuntu Bionic):
status: New → Invalid
Changed in apparmor (Ubuntu Focal):
status: New → Invalid
Changed in apparmor (Ubuntu Groovy):
status: Confirmed → Invalid
Changed in apparmor:
status: New → Invalid
Changed in quassel (Ubuntu Focal):
status: New → In Progress
Changed in quassel (Ubuntu Bionic):
importance: Undecided → Medium
Changed in quassel (Ubuntu Groovy):
assignee: nobody → Dan Streetman (ddstreet)
Changed in quassel (Ubuntu Focal):
assignee: nobody → Dan Streetman (ddstreet)
Changed in quassel (Ubuntu Bionic):
assignee: nobody → Dan Streetman (ddstreet)
Changed in quassel (Ubuntu Groovy):
importance: Undecided → Medium
Changed in quassel (Ubuntu Focal):
importance: Undecided → Medium
Changed in quassel (Ubuntu Bionic):
status: New → In Progress
Changed in quassel (Ubuntu Groovy):
status: Confirmed → In Progress
Dan Streetman (ddstreet) on 2020-06-30
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 1:0.13.1-3ubuntu3

---------------
quassel (1:0.13.1-3ubuntu3) groovy; urgency=medium

  * d/p/lp1885436/0001-common-Disable-enum-type-stream-operators-for-Qt-5.1.patch,
    d/p/lp1885436/0002-common-Always-let-QVariant-fromValue-deduce-the-type.patch,
    d/p/lp1885436/0003-qa-Replace-deprecated-qVariantFromValue-by-QVariant-.patch,
    d/p/lp1885436/0004-qa-Avoid-deprecation-warnings-for-QList-QSet-convers.patch,
    d/p/lp1885436/0005-qa-Replace-deprecated-QString-sprintf-by-QString-asp.patch:
    - Fix FTBFS due to QT 5.14 changes (LP: #1885436)
  * d/usr.bin.quasselcore:
    - Update apparmor profile to allow running in lxd (LP: #1814302)

 -- Dan Streetman <email address hidden> Sun, 28 Jun 2020 10:54:49 -0400

Changed in quassel (Ubuntu Groovy):
status: In Progress → Fix Released

Hello Yancy, or anyone else affected,

Accepted quassel into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/quassel/1:0.13.1-3ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in quassel (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Changed in quassel (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Yancy, or anyone else affected,

Accepted quassel into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/quassel/1:0.12.4-3ubuntu1.18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Dan Streetman (ddstreet) wrote :

focal:

ubuntu@lp1814302-f:~$ systemd-detect-virt
lxc
ubuntu@lp1814302-f:~$ dpkg -l|grep quassel-core
ii quassel-core 1:0.13.1-3ubuntu2 amd64 distributed IRC client - core component
ubuntu@lp1814302-f:~$ /usr/bin/quasselcore
Segmentation fault
ubuntu@lp1814302-f:~$ systemctl status quasselcore.service
● quasselcore.service - distributed IRC client using a central core component
     Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: signal) since Wed 2020-07-08 17:24:12 UTC; 168ms ago
       Docs: man:quasselcore(1)
    Process: 4867 ExecStart=/usr/bin/quasselcore --configdir=${DATADIR} --logfile=${LOGFILE} --loglevel=${LOGLEVEL} --port=${PORT} --listen=${LISTEN} (code=killed, signal=SEGV)
   Main PID: 4867 (code=killed, signal=SEGV)

Jul 08 17:24:13 lp1814302-f systemd[1]: quasselcore.service: Scheduled restart job, restart counter is at 5.
Jul 08 17:24:13 lp1814302-f systemd[1]: Stopped distributed IRC client using a central core component.
Jul 08 17:24:13 lp1814302-f systemd[1]: quasselcore.service: Start request repeated too quickly.
Jul 08 17:24:13 lp1814302-f systemd[1]: quasselcore.service: Failed with result 'signal'.
Jul 08 17:24:13 lp1814302-f systemd[1]: Failed to start distributed IRC client using a central core component.

ubuntu@lp1814302-f:~$ systemd-detect-virt
lxc
ubuntu@lp1814302-f:~$ dpkg -l |grep quassel
ii quassel-core 1:0.13.1-3ubuntu2.1 amd64 distributed IRC client - core component
ubuntu@lp1814302-f:~$ /usr/bin/quasselcore
2020-07-08 17:26:00 [Error] Unable to create Quassel config directory:
...etc...
ubuntu@lp1814302-f:~$ systemctl status quasselcore.service
● quasselcore.service - distributed IRC client using a central core component
     Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-07-08 17:25:22 UTC; 43s ago
       Docs: man:quasselcore(1)
   Main PID: 5832 (quasselcore)
      Tasks: 1 (limit: 115273)
     Memory: 1.6M
     CGroup: /system.slice/quasselcore.service
             └─5832 /usr/bin/quasselcore --configdir=/var/lib/quassel --logfile=/var/log/quassel/core.log --loglevel=Info --port=4242 --listen=::,0.0.0.0

Jul 08 17:25:22 lp1814302-f systemd[1]: Started distributed IRC client using a central core component.

tags: added: verification-done-focal
removed: verification-needed-focal
Dan Streetman (ddstreet) wrote :

bionic:

ubuntu@lp1814302-b:~$ systemd-detect-virt
lxc
ubuntu@lp1814302-b:~$ dpkg -l|grep quassel
ii quassel-core 1:0.12.4-3ubuntu1.18.04.1 amd64 distributed IRC client - core component
ubuntu@lp1814302-b:~$ /usr/bin/quasselcore
Segmentation fault
ubuntu@lp1814302-b:~$ systemctl status quasselcore.service
● quasselcore.service - distributed IRC client using a central core component
   Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since Wed 2020-07-08 17:27:46 UTC; 1min 53s ago
     Docs: man:quasselcore(1)
  Process: 2381 ExecStart=/usr/bin/quasselcore --configdir=${DATADIR} --logfile=${LOGFILE} --loglevel=${LOGLEVEL} --port=${PORT} --listen=${LISTEN} (code=killed, signal=SEGV)
 Main PID: 2381 (code=killed, signal=SEGV)

Jul 08 17:27:46 lp1814302-b systemd[1]: quasselcore.service: Service hold-off time over, scheduling restart.
Jul 08 17:27:46 lp1814302-b systemd[1]: quasselcore.service: Scheduled restart job, restart counter is at 6.
Jul 08 17:27:46 lp1814302-b systemd[1]: Stopped distributed IRC client using a central core component.
Jul 08 17:27:46 lp1814302-b systemd[1]: quasselcore.service: Start request repeated too quickly.
Jul 08 17:27:46 lp1814302-b systemd[1]: quasselcore.service: Failed with result 'signal'.
Jul 08 17:27:46 lp1814302-b systemd[1]: Failed to start distributed IRC client using a central core component.

ubuntu@lp1814302-b:~$ systemd-detect-virt
lxc
ubuntu@lp1814302-b:~$ dpkg -l|grep quassel
ii quassel-core 1:0.12.4-3ubuntu1.18.04.2 amd64 distributed IRC client - core component
ubuntu@lp1814302-b:~$ /usr/bin/quasselcore
Unable to create Quassel config directory: /home/ubuntu/.config/quassel-irc.org
...etc...
ubuntu@lp1814302-b:~$ systemctl status quasselcore.service
● quasselcore.service - distributed IRC client using a central core component
   Loaded: loaded (/lib/systemd/system/quasselcore.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-07-08 17:31:50 UTC; 18s ago
     Docs: man:quasselcore(1)
 Main PID: 2881 (quasselcore)
    Tasks: 1 (limit: 115273)
   CGroup: /system.slice/quasselcore.service
           └─2881 /usr/bin/quasselcore --configdir=/var/lib/quassel --logfile=/var/log/quassel/core.log --loglevel=Info --port=4242 --listen=::,0.0.0.0

Jul 08 17:31:50 lp1814302-b systemd[1]: Started distributed IRC client using a central core component.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic

The verification of the Stable Release Update for quassel has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 1:0.13.1-3ubuntu2.1

---------------
quassel (1:0.13.1-3ubuntu2.1) focal; urgency=medium

  * d/usr.bin.quasselcore:
    - Update apparmor profile to allow running in lxd (LP: #1814302)

 -- Dan Streetman <email address hidden> Sun, 28 Jun 2020 11:01:19 -0400

Changed in quassel (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 1:0.12.4-3ubuntu1.18.04.2

---------------
quassel (1:0.12.4-3ubuntu1.18.04.2) bionic; urgency=medium

  * d/usr.bin.quasselcore:
    - Update apparmor profile to allow running in lxd (LP: #1814302)

 -- Dan Streetman <email address hidden> Sun, 28 Jun 2020 11:01:19 -0400

Changed in quassel (Ubuntu Bionic):
status: Fix Committed → Fix Released