Thanks John,
it has been confirmed that
1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns - allow
restricting unprivileged change_profile
is causing the issue. It has a sysctl to disable its behavior, but the sysctl
can't be defaulted to off in the kernel. So to disable the sysctl,
on my machine (specs at the end) running Jammy as the host, and
launching a Jammy container:
1. lxc launch ubuntu:jammy test-jammy-on-jammy
from journal
Oct 06 07:36:47 j5awry-sys76 kernel: audit: type=1400
audit(1696595807.223:51559): apparmor="DENIED" operation="mount" class="mount"
Repeating a bit with a Jammy container (hence new comment)
### PRE CONDITION
this is using the custom Mantic VM _and_ has
apparmor_restrict_unprivileged_unconfined disabled
sudo bash -c "echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined"
1. start a jammy container
lxc launch
Did the following:
1. launched a new VM from the custom build
lxc launch mantic-20231005 --vm --device root,size=20GiB mantic-cust-vm
2. pushed squashfs and lxc metadata from same custom build
lxc file push build.output/livecd.ubuntu-cpc.squashfs mantic-cust-vm/root/
lxc file push
To test if 1ea37b26d720 UBUNTU: SAUCE: apparmor4.0.0 [73/76]: userns -
allow restricting unprivileged change_profile is the cause of the ptrace
denials. You can disable it using
sudo bash -c "echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined"
Oct 05 21:25:27 novel-ram kernel: audit: type=1400
audit(1696541127.240:6185): apparmor="DENIED" operation="ptrace"
class="ptrace" profile="lxd-current-iguana_"
pid=12702 comm="systemctl" requested_mask="read" denied_mask="read"
peer="lxd-current-iguana_//"
indicates 1ea37b26d720 UBUNTU: SAUCE:
livecd-rootfs 23.10.55 for mantic is currently migrating, and has
apparmor changes as well (mounting different features in the build
chroot). To help rule out some issues, I built a qcow2 image and a
squashfs for mantic using livecd-rootfs 23.10.55
Running the mantic host, and launching a
apparmor side there are 2 immediate suspects.
1. kernel
0191e8433f76 UBUNTU: SAUCE: apparmor4.0.0: apparmor: Fix regression in mount
mediation
2. userspace mount work to fix the mount CVE
https://bugs.launchpad.net/apparmor/+bug/1597017
Current suspects are out of date apparmor features in livecd-rootfs
pending https://launchpad.net/ubuntu/+source/livecd-rootfs/23.10.55
kernel, apparmor, snapd, lxd, snapd again having fits about all of them
because of:
..
Make
** Changed in: linux (Ubuntu)
Milestone: None => ubuntu-23.10
** Changed in: linux (Ubuntu)
Importance: Undecided => Critical
** Also affects: ubuntu-release-notes
Importance: Undecided
Status: New