This is the result of a disconnected path with how the container is
being set up. This isn't something that should be added to the apparmor
abstractions. Ultimately this is a kernel issue and the limitations it
puts on apparmor for tracking files with disconnected paths. There isn't
anything that the apparmor package or abstractions can do to help with
this so marking this as Won't Fix for lack of a better status.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1764715

Title:
  /dev/pts/0 access detected as /0

Status in apparmor package in Ubuntu:
  New

Bug description:
  Hi,
  while debugging bug 1764373 I found this (distracting me at first).
  But I realized those are two different issues.

  So I'm filing the apparmor issue here.

  Testcase:
  0. get two LXD containers with Bionic
  1. create KVM guest with uvtool

  When the guest is spawning it tries to open /dev/pts/0 (and similar) for its console.
  Here is an strace:
       0.000034 stat("/dev/pts/0", {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 <0.000017>
       0.000052 openat(AT_FDCWD, "/dev/pts/0", O_RDWR|O_NOCTTY) = 11 <0.000019>
       0.000330 ioctl(11, TCGETS, {B38400 opost isig icanon echo ...}) = 0 <0.000105>
       0.000139 ioctl(11, TCGETS, {B38400 opost isig icanon echo ...}) = 0 <0.000010>
       0.000034 ioctl(11, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 -opost -isig -icanon -echo ...}) = 0 <0.000013>
       0.000037 ioctl(11, TCGETS, {B38400 -opost -isig -icanon -echo ...}) = 0 <0.000010>
       0.000034 ioctl(10, TCGETS, {B38400 -opost -isig -icanon -echo ...}) = 0 <0.000011>
       0.000033 ioctl(10, TIOCGPTN, [0]) = 0 <0.000010>
       0.000033 stat("/dev/pts/0", {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0 <0.000016>
       0.000045 close(11) = 0 <0.000013>

  The only Permission denied though (at all) is on /dev/pts/0 with this call:
  0.000055 ioctl(10, TIOCGPTPEER, 0x102) = -1 EACCES (Permission denied) <0.000025>

  But this is blocked by Apparmor according to dmesg:
  audit: type=1400 audit(1523957176.480:37835): apparmor="DENIED"
  namespace="root//lxd-testkvm-bionic-tononshared_<var-lib-lxd>"
  pid=8721 comm="qemu-system-x86"
  fsuid=64055 ouid=64055
  profile="libvirt-1c67131a-7177-4f49-9840-f1092310890d"
  denied_mask="wr"
  operation="open"
  name="/0"
  requested_mask="wr"

  Now I wonder about two things:
  1. it should be allowed as the profile has
      #include <abstractions/consoles>
      And that has:
       /dev/pts/[0-9]* rw,
  2. I think it misses parts of the path as it is a mount point
     devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=620,ptmxmode=666,max=1024)

  I think apparmor should process this as /dev/pts/0 still and then
  allow it.
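A small triage helper for this class of denial, added here as an example and not taken from the bug report or the apparmor package: it parses the audit record quoted above and, when the denied name matches no profile rule as logged but does match once re-rooted under a known mount point, reports it as a disconnected-path denial rather than a missing rule. The rule, mount point and audit line are constructed from the report; the AppArmor glob translation covers only `*`, `**`, `?` and character classes.

```python
import re

# key=value fields of an AppArmor audit record; values are "quoted" or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(line):
    """Split an AppArmor audit record into a dict of its key/value fields."""
    return {m[1]: m[2] if m[2] is not None else m[3] for m in _KV.finditer(line)}

def glob_to_regex(rule):
    """AppArmor file glob -> anchored regex ('*' stops at '/', '**' does not)."""
    out, i = [], 0
    while i < len(rule):
        if rule.startswith('**', i):
            out.append('.*'); i += 2
        elif rule[i] == '*':
            out.append('[^/]*'); i += 1
        elif rule[i] == '?':
            out.append('[^/]'); i += 1
        elif rule[i] == '[' and ']' in rule[i:]:
            j = rule.index(']', i); out.append(rule[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(rule[i])); i += 1
    return re.compile('^' + ''.join(out) + '$')

def triage(line, rules, mount_points):
    """Flag a DENIED record whose name matches no rule as logged but does once
    re-rooted under a known mount point (the /0 vs /dev/pts/0 case)."""
    f = parse_audit(line)
    if f.get('apparmor') != 'DENIED' or 'name' not in f:
        return None
    name, profile = f['name'], f.get('profile')
    compiled = [(r, glob_to_regex(r)) for r in rules]
    for mp in mount_points:
        full = mp.rstrip('/') + name
        for rule, rx in compiled:
            if rx.match(full) and not rx.match(name):
                return {'name': name, 'profile': profile, 'disconnected': True,
                        'reconnected': full, 'rule': rule}
    return {'name': name, 'profile': profile, 'disconnected': False}

# Constructed sample: the report's audit record joined onto one line, the
# consoles abstraction rule it quotes, and the devpts mount point it lists.
AUDIT_LINE = ('audit: type=1400 audit(1523957176.480:37835): apparmor="DENIED" '
              'pid=8721 comm="qemu-system-x86" fsuid=64055 ouid=64055 '
              'profile="libvirt-1c67131a-7177-4f49-9840-f1092310890d" '
              'denied_mask="wr" operation="open" name="/0" requested_mask="wr"')
RULES = ['/dev/pts/[0-9]*']
MOUNT_POINTS = ['/dev/pts']
```

Running `triage(AUDIT_LINE, RULES, MOUNT_POINTS)` reports name `/0` as disconnected, re-rooted to `/dev/pts/0` and matched by `/dev/pts/[0-9]*`; the same record for a name no mount point reconnects comes back as an ordinary policy denial.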

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1764715/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
