Ubuntu
apparmor package

Confined executable script needs 'mrix' rule on its shebang only when running inside LXD

Bug #2073589 reported by Alessandro Astone on 2024-07-19

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	apparmor (Ubuntu)	New	Undecided	Unassigned
	wsdd (Ubuntu)	Fix Released	Medium	Alessandro Astone

Bug Description

I'm writing the AppArmor policy for a python script installed as executable at `/usr/bin/wsdd`

The script has the following shebang: `#!/usr/bin/env python3`

With the aid of aa-logprof I came up with the following rules for enabling the execution of this script:

  /usr/bin/env ix,
  /{,usr/}bin/python3.{1,}[0-9] mrix,
  /usr/bin/wsdd r,

It works correctly on my machine. However when running the same program with the same profile inside an LXD container, executing /usr/bin/wsdd fails with "Segmentation fault".

Running it in `strace` shows:

execve("/usr/bin/wsdd", ["/usr/bin/wsdd"], 0x7ffc5329f110 /* 12 vars */) = -1 EACCES (Permission denied)
+++ killed by SIGSEGV +++

And the host journal shows:

Jul 19 12:32:00 thinkpad kernel: audit: type=1400 audit(1721385120.086:2685): apparmor="DENIED" operation="file_mmap" class="file" namespace="root//lxd-noble_<var-snap-lxd-common-lxd>" profile="/usr/bin/wsdd" name="/usr/bin/env" pid=74694 comm="wsdd" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000

The audit indicates that AppArmor is preventing mmap of /usr/bin/env, the program specified in the shebang.
Indeed changing the rule from `/usr/bin/env ix` to `/usr/bin/env mrix` solves the issue.
But why is `mrix` only required inside LXD?

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apparmor 4.0.1really4.0.0-beta3-0ubuntu0.1
ProcVersionSignature: Ubuntu 6.8.0-40.40-generic 6.8.12
Uname: Linux 6.8.0-40-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Jul 19 12:17:54 2024
InstallationDate: Installed on 2024-06-16 (33 days ago)
InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Release amd64 (20240424)
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.8.0-40-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

See original description

Tags:

Revision history for this message

Alessandro Astone (aleasto) wrote on 2024-07-19:

ApparmorPackages.txt Edit (408 bytes, text/plain; charset="utf-8")
ApparmorStatusOutput.txt Edit (21.0 KiB, text/plain; charset="utf-8")
Dependencies.txt Edit (1.4 KiB, text/plain; charset="utf-8")
KernLog.txt Edit (1.9 MiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.6 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (313 bytes, text/plain; charset="utf-8")
PstreeP.txt Edit (188.4 KiB, text/plain; charset="utf-8")
Syslog.txt Edit (147.8 KiB, text/plain; charset="utf-8")

Changed in wsdd (Ubuntu):
assignee:	nobody → Alessandro Astone (aleasto)
importance:	Undecided → Medium
status:	New → In Progress
description:	updated

Alessandro Astone (aleasto) on 2024-07-19

Changed in wsdd (Ubuntu):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-08-01:

This bug was fixed in the package wsdd - 2:0.8-2ubuntu3

---------------
wsdd (2:0.8-2ubuntu3) oracular; urgency=medium

* Set XDG_RUNTIME_DIR in autopkgtest

-- Alessandro Astone <email address hidden> Tue, 23 Jul 2024 09:21:36 +0200

Changed in wsdd (Ubuntu):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuapparmor package