Forest <fores...@sonic.net> wrote on 03/04/2023 at 23:18:10+0200:

> Package: lxc
> Version: 1:5.0.2-1
> Severity: normal
> X-Debbugs-Cc: fores...@sonic.net
>
> Dear Maintainer,
>
> After upgrading an unprivileged container from bullseye to bookworm, LXC's
> AppArmor profiles are no longer sufficient for the guest's systemd-logind.
>
> This manifests as a 25 second hang when running certain commands (notably
> sudo -i and su -) in the container. It also produces a lot of errors in the
> host & guest logs.
>
> Before the upgrade to bookworm, the hangs did not occur, and systemd-logind
> started without trouble.
>
>
> -- Host journal:
>
> Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session opened 
> for user root(uid=0) by (uid=0)
> Apr 02 18:30:01 debtesting CRON[6362]: (root) CMD ([ -x /etc/init.d/anacron ] 
> && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start 
> >/dev/null; fi)
> Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session closed 
> for user root
> Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" 
> operation="mount" info="failed flags match" error=-13 
> profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" 
> flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: kauditd_printk_skb: 13 callbacks suppressed
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 
> audit(1680485416.414:324): apparmor="DENIED" operation="mount" info="failed 
> flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 
> comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6369]: AVC apparmor="DENIED" 
> operation="mount" info="failed flags match" error=-13 
> profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" 
> flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 
> audit(1680485416.426:325): apparmor="DENIED" operation="mount" info="failed 
> flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 
> comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6373]: AVC apparmor="DENIED" 
> operation="mount" info="failed flags match" error=-13 
> profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" 
> flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 
> audit(1680485416.450:326): apparmor="DENIED" operation="mount" info="failed 
> flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 
> comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6377]: AVC apparmor="DENIED" 
> operation="mount" info="failed flags match" error=-13 
> profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" 
> flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 
> audit(1680485416.522:327): apparmor="DENIED" operation="mount" info="failed 
> flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 
> comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6381]: AVC apparmor="DENIED" 
> operation="mount" info="failed flags match" error=-13 
> profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" 
> flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 
> audit(1680485416.534:328): apparmor="DENIED" operation="mount" info="failed 
> flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 
> comm="(d-logind)" flags="rw, rslave"
>
>
> -- Guest journal:
>
> Apr 02 18:30:16 lxbox sudo[136]:     root : TTY=pts/7 ; PWD=/root ; USER=root 
> ; COMMAND=/bin/bash
> Apr 02 18:30:16 lxbox sudo[136]: pam_limits(sudo-i:session): Could not set 
> limit for 'core' to soft=0, hard=-1: Operation not permitted; uid=0,euid=0
> Apr 02 18:30:16 lxbox sudo[136]: pam_unix(sudo-i:session): session opened for 
> user root(uid=0) by (uid=0)
> Apr 02 18:30:16 lxbox dbus-daemon[97]: [system] Activating via systemd: 
> service name='org.freedesktop.login1' 
> unit='dbus-org.freedesktop.login1.service' requested by ':1.2' (uid=0 pid=136 
> comm="sudo -i")
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel 
> Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[137]: modprobe@drm.service: Executable 
> /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated 
> successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel 
> Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User 
> Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed to set 
> up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed at step 
> NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process 
> exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 
> 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - 
> User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart 
> job, restart counter is at 1.
> Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login 
> Management.
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel 
> Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[141]: modprobe@drm.service: Executable 
> /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated 
> successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel 
> Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User 
> Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[142]: systemd-logind.service: Failed to set 
> up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[142]: systemd-logind.service: Failed at step 
> NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process 
> exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 
> 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - 
> User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart 
> job, restart counter is at 2.
> Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login 
> Management.
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel 
> Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[145]: modprobe@drm.service: Executable 
> /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated 
> successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel 
> Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User 
> Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[146]: systemd-logind.service: Failed to set 
> up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[146]: systemd-logind.service: Failed at step 
> NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process 
> exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 
> 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - 
> User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart 
> job, restart counter is at 3.
> Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login 
> Management.
> Apr 02 18:30:16 lxbox (modprobe)[149]: modprobe@drm.service: Executable 
> /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel 
> Module drm...
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated 
> successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel 
> Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User 
> Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[150]: systemd-logind.service: Failed to set 
> up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[150]: systemd-logind.service: Failed at step 
> NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process 
> exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 
> 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - 
> User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart 
> job, restart counter is at 4.
> Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login 
> Management.
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel 
> Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[153]: modprobe@drm.service: Executable 
> /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated 
> successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel 
> Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User 
> Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[154]: systemd-logind.service: Failed to set 
> up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[154]: systemd-logind.service: Failed at step 
> NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process 
> exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 
> 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - 
> User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart 
> job, restart counter is at 5.
> Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login 
> Management.
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel 
> Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[157]: modprobe@drm.service: Executable 
> /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated 
> successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel 
> Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Start request 
> repeated too quickly.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 
> 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - 
> User Login Management.
> Apr 02 18:30:41 lxbox dbus-daemon[97]: [system] Failed to activate service 
> 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
> Apr 02 18:30:41 lxbox sudo[136]: pam_systemd(sudo-i:session): Failed to 
> create session: Failed to activate service 'org.freedesktop.login1': timed 
> out (service_start_timeout=25000ms)
>
>
> -- Guest busctl monitor output:
>
> Type=method_call  Endian=l  Flags=0  Version=1 Cookie=1  Timestamp="Mon 
> 2023-04-03 01:30:16.386617 UTC"
>   Sender=:1.2  Destination=org.freedesktop.DBus  Path=/org/freedesktop/DBus  
> Interface=org.freedesktop.DBus  Member=Hello
>   UniqueName=:1.2
>   MESSAGE "" {
>   };
>
> Type=method_return  Endian=l  Flags=1  Version=1 Cookie=1  ReplyCookie=1  
> Timestamp="Mon 2023-04-03 01:30:16.386790 UTC"
>   Sender=org.freedesktop.DBus  Destination=:1.2
>   MESSAGE "s" {
>           STRING ":1.2";
>   };
>
> Type=signal  Endian=l  Flags=1  Version=1 Cookie=5  Timestamp="Mon 2023-04-03 
> 01:30:16.386806 UTC"
>   Sender=org.freedesktop.DBus  Path=/org/freedesktop/DBus  
> Interface=org.freedesktop.DBus  Member=NameOwnerChanged
>   MESSAGE "sss" {
>           STRING ":1.2";
>           STRING "";
>           STRING ":1.2";
>   };
>
> Type=signal  Endian=l  Flags=1  Version=1 Cookie=2  Timestamp="Mon 2023-04-03 
> 01:30:16.386820 UTC"
>   Sender=org.freedesktop.DBus  Destination=:1.2  Path=/org/freedesktop/DBus  
> Interface=org.freedesktop.DBus  Member=NameAcquired
>   MESSAGE "s" {
>           STRING ":1.2";
>   };
>
> Type=signal  Endian=l  Flags=1  Version=1 Cookie=12  Timestamp="Mon 
> 2023-04-03 01:30:16.392000 UTC"
>   Sender=org.freedesktop.DBus  Destination=org.freedesktop.systemd1  
> Path=/org/freedesktop/DBus  Interface=org.freedesktop.systemd1.Activator  
> Member=ActivationRequest
>   MESSAGE "s" {
>           STRING "dbus-org.freedesktop.login1.service";
>   };
>
> Type=method_call  Endian=l  Flags=0  Version=1 Cookie=2  Timestamp="Mon 
> 2023-04-03 01:30:16.392080 UTC"
>   Sender=:1.2  Destination=org.freedesktop.login1  
> Path=/org/freedesktop/login1  Interface=org.freedesktop.login1.Manager  
> Member=CreateSession
>   UniqueName=:1.2
>   MESSAGE "uusssssussbssa(sv)" {
>           UINT32 0;
>           UINT32 0;
>           STRING "sudo-i";
>           STRING "x11";
>           STRING "user";
>           STRING "KDE";
>           STRING "seat0";
>           UINT32 7;
>           STRING "pts/7";
>           STRING "";
>           BOOLEAN false;
>           STRING "root";
>           STRING "";
>           ARRAY "(sv)" {
>           };
>   };
>
> Type=error  Endian=l  Flags=1  Version=1 Cookie=3  ReplyCookie=2  
> Timestamp="Mon 2023-04-03 01:30:41.416860 UTC"
>   Sender=org.freedesktop.DBus  Destination=:1.2
>   ErrorName=org.freedesktop.DBus.Error.TimedOut  ErrorMessage="Failed to 
> activate service 'org.freedesktop.login1': timed out 
> (service_start_timeout=25000ms)"
>   MESSAGE "s" {
>           STRING "Failed to activate service 'org.freedesktop.login1': timed 
> out (service_start_timeout=25000ms)";
>   };
>
> Type=signal  Endian=l  Flags=1  Version=1 Cookie=6  Timestamp="Mon 2023-04-03 
> 01:30:41.417026 UTC"
>   Sender=org.freedesktop.DBus  Destination=:1.2  Path=/org/freedesktop/DBus  
> Interface=org.freedesktop.DBus  Member=NameLost
>   MESSAGE "s" {
>           STRING ":1.2";
>   };
>
> Type=signal  Endian=l  Flags=1  Version=1 Cookie=7  Timestamp="Mon 2023-04-03 
> 01:30:41.417043 UTC"
>   Sender=org.freedesktop.DBus  Path=/org/freedesktop/DBus  
> Interface=org.freedesktop.DBus  Member=NameOwnerChanged
>   MESSAGE "sss" {
>           STRING ":1.2";
>           STRING ":1.2";
>           STRING "";
>   };

What's weird is that the problem was already happening in buster and
bullseye.

I guess it is plausible that /etc/lxc/default.conf has been updated in
your upgrade, resetting the lxc-apparmor-profile to something that won't
work for unprivileged containers.

The issue is "normal": the apparmor profile needed to allow
systemd-logind to work properly would allow a user in a privileged
container to escalate and become root on the host. As one can't be
certain what profile will be used, the solution lies either within LXD
(which generates custom profiles for each container), or with creating
a dedicated apparmor profile that you use only on unprivileged
containers.

The missing lines in apparmor rules have been added in
lxc-default-with-nesting rules of apparmor for lxc 5.

See the patch below:

From: Pierre-Elliott Bécue <p...@debian.org>
Date: Mon, 1 Aug 2022 22:35:10 +0200
Subject: [nesting] Extend mount permissions in apparmor to allow systemd
 services' restrictions to work

These options allow systemd security features to work. In particular
cases, it helps with systemd-logind and programs like this.

It's only added in the nesting profile as it could pose security risks on
privileged containers.

mount options=(rw,rbind) -> /run/systemd/unit-root/,
mount options=(rw,rbind) -> /run/systemd/unit-root/**,
mount options=(rw,rshared) -> /,
mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,
---
 config/apparmor/profiles/lxc-default-with-nesting | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/apparmor/profiles/lxc-default-with-nesting 
b/config/apparmor/profiles/lxc-default-with-nesting
index cd198be..01562a9 100644
--- a/config/apparmor/profiles/lxc-default-with-nesting
+++ b/config/apparmor/profiles/lxc-default-with-nesting
@@ -10,6 +10,10 @@ profile lxc-container-default-with-nesting 
flags=(attach_disconnected,mediate_de           
   mount fstype=proc -> /var/cache/lxc/**,
   mount fstype=sysfs -> /var/cache/lxc/**,
   mount options=(rw,bind),
+  mount options=(rw,rbind) -> /run/systemd/unit-root/,
+  mount options=(rw,rbind) -> /run/systemd/unit-root/**,
+  mount options=(rw,rshared) -> /,
+  mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,
   mount fstype=cgroup -> /sys/fs/cgroup/**,
   mount fstype=cgroup2 -> /sys/fs/cgroup/**,
 }
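Review bot: the only rule this hunk adds for the root mount is `mount options=(rw,rshared) -> /,`, while every AVC line in the report above is denied for name="/" with flags="rw, rslave" under comm="(d-logind)"; before relying on this hunk to fix the reported bookworm logind failure, it is worth confirming against that exact denial (or adding a matching rslave rule) rather than assuming the rshared rule covers it. Also, since the lines go only into lxc-default-with-nesting and the reporter's container runs under lxc-container-default-cgns, the bug as filed is unchanged unless the container is moved to the nesting profile, and the changelog or the bug reply should state that explicitly.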

-- 
PEB
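As an added example for this thread (not code from the bug report, from LXC or from the Debian packaging), the script below triages host-journal AVC lines of the kind quoted above: it groups mount denials by profile, target and flags, records which service (comm) triggered them, renders each group in the rule syntax the lxc profiles use, and checks, by plain string comparison, which of the patch's rules name the same flag set and target. It assumes journal lines in the `journalctl` text form shown in the report; the sample journal is constructed (modelled on the report's lines plus one extra denial), and `rule_matches_literally()` is a string-level check, not AppArmor's own matching semantics, so a real profile still has to be validated with apparmor_parser and the container.

```python
"""Triage AppArmor mount denials from a host journal and compare them with
candidate profile rules.  Added example for this thread, not code from the
bug report or from the LXC/Debian packaging.

Assumptions (not from the page): journal lines are in the journalctl text
format shown in the report; SAMPLE_JOURNAL is constructed; the rule check is
a plain string comparison, not AppArmor's matching algorithm.
"""
import re
from collections import Counter, defaultdict

# Constructed sample journal, modelled on the host journal in the report.
SAMPLE_JOURNAL = """\
Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: kauditd_printk_skb: 13 callbacks suppressed
Apr 02 18:30:16 debtesting audit[6369]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:31:02 debtesting audit[6402]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/run/systemd/unit-root/" pid=6402 comm="(d-logind)" flags="rw, rbind"
"""

AVC_RE = re.compile(r'apparmor="DENIED"\s+(?P<body>.*)$')
# key="quoted value" or key=bareword (e.g. error=-13, pid=6365)
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_avc(line):
    """Return the key/value fields of an AppArmor DENIED line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for qkey, qval, bkey, bval in KV_RE.findall(m.group("body")):
        fields[qkey or bkey] = qval if qkey else bval
    return fields


def summarize_denials(journal_text):
    """Group mount denials by (profile, target, flags); return counts and the
    set of comm values seen per group so the responsible service is obvious."""
    counts = Counter()
    comms = defaultdict(set)
    for line in journal_text.splitlines():
        f = parse_avc(line)
        if not f or f.get("operation") != "mount":
            continue
        key = (f.get("profile", "?"), f.get("name", "?"), f.get("flags", ""))
        counts[key] += 1
        comms[key].add(f.get("comm", "?"))
    return counts, comms


def candidate_rule(name, flags):
    """Render a denial in the rule syntax the lxc profiles use, e.g.
    'mount options=(rw,rslave) -> /,'.  A triage hint for the profile author,
    not something to paste in blindly: widening mount permissions is exactly
    the privileged-container risk the maintainer describes."""
    opts = ",".join(x.strip() for x in flags.split(",") if x.strip())
    return f"mount options=({opts}) -> {name},"


RULE_RE = re.compile(r"mount options=\(([^)]*)\)\s*->\s*(\S+?),?$")


def rule_matches_literally(rule, name, flags):
    """String-level check: does a 'mount options=(...) -> path,' rule name the
    same flag set and the same target as the denial?  Wildcards and fstype
    rules are not handled; this is not AppArmor's matching algorithm."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return False
    rule_flags = {x.strip() for x in m.group(1).split(",")}
    denied_flags = {x.strip() for x in flags.split(",")}
    return rule_flags == denied_flags and m.group(2) == name


# Rules from the patch in this thread, for comparison with the denials.
PATCH_RULES = [
    "mount options=(rw,rbind) -> /run/systemd/unit-root/,",
    "mount options=(rw,rbind) -> /run/systemd/unit-root/**,",
    "mount options=(rw,rshared) -> /,",
    "mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,",
]


def uncovered_denials(journal_text, rules=PATCH_RULES):
    """Return the (profile, name, flags) groups that no rule matches literally."""
    counts, _ = summarize_denials(journal_text)
    return [key for key in counts
            if not any(rule_matches_literally(r, key[1], key[2]) for r in rules)]


if __name__ == "__main__":
    counts, comms = summarize_denials(SAMPLE_JOURNAL)
    for (profile, name, flags), n in counts.most_common():
        print(f"{n}x profile={profile} name={name} flags=({flags}) "
              f"comm={sorted(comms[(profile, name, flags)])}")
        print(f"    candidate: {candidate_rule(name, flags)}")
    for key in uncovered_denials(SAMPLE_JOURNAL):
        print(f"not literally covered by the patch rules: {key}")
```

Run it against `journalctl -k` or `journalctl -o short` output from the host; the `kernel: audit: type=1400 ...` lines in the report repeat the same events as the `audit[...]` lines, so feed only one of the two forms or the counts double. On the constructed sample the "rw, rslave" denial on "/" comes out as not literally covered by any of the patch's rules, which is the same gap the report's logs show against the nesting profile's rshared rule.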
