[Touch-packages] [Bug 1666748] Re: Apparmor problem inside a lxd container
*** This bug is a duplicate of bug 1660832 ***
    https://bugs.launchpad.net/bugs/1660832

The problem with the Unix socket is indeed fixed by 4.4.0-65.86. Thanks
John. I have other issues with AA in namespaces which I will report in
other LPs.

** This bug has been marked a duplicate of bug 1660832
   unix domain socket cross permission check failing with nested namespaces

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1666748

Title:
  Apparmor problem inside a lxd container

Status in apparmor package in Ubuntu:
  New

Bug description:
  I've been running /usr/sbin/sshd in a custom Apparmor profile [*] for
  a long time and it works well. When I loaded the same profile in a lxd
  container (named ganymede), it didn't work at all:

  apparmor="DENIED" operation="file_perm" namespace="root//lxd-ganymede_ " profile="/usr/sbin/sshd" pid=30870 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="---"

  Additional information about my environment:

  Both the host and the guest are up to date Xenials.

  root@jupiter:~# apt-cache policy linux-image-4.4.0-63-generic apparmor openssh-server
  linux-image-4.4.0-63-generic:
    Installed: 4.4.0-63.84
    Candidate: 4.4.0-63.84
    Version table:
   *** 4.4.0-63.84 500
          500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
  apparmor:
    Installed: 2.10.95-0ubuntu2.5
    Candidate: 2.10.95-0ubuntu2.5
    Version table:
   *** 2.10.95-0ubuntu2.5 500
          500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.10.95-0ubuntu2 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  openssh-server:
    Installed: 1:7.2p2-4ubuntu2.1
    Candidate: 1:7.2p2-4ubuntu2.1
    Version table:
   *** 1:7.2p2-4ubuntu2.1 500
          500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1:7.2p2-4 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

  *: https://github.com/simondeziel/aa-profiles/blob/4d7fbd9fcca4bd62d97e8d0ba2cdc35e8d48d096/16.04/usr.sbin.sshd

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: apparmor 2.10.95-0ubuntu2.5
  ProcVersionSignature: Ubuntu 4.4.0-63.84-generic 4.4.44
  Uname: Linux 4.4.0-63-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  Date: Tue Feb 21 21:25:55 2017
  InstallationDate: Installed on 2016-12-19 (64 days ago)
  InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161219)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.4.0-63-generic.efi.signed root=UUID=b23cf18f-e8d0-4a4f-9e8d-6aa47569e86b ro possible_cpus=2 nmi_watchdog=0 kaslr vsyscall=none transparent_hugepage=never
  PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree'
  SourcePackage: apparmor
  Syslog:
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1666748/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Re: [Touch-packages] [Bug 1666748] Re: Apparmor problem inside a lxd container
On 2017-02-22 02:19 PM, John Johansen wrote:
> You can try the set of kernel in
>
>   http://people.canonical.com/~jj/linux+jj/

I haven't had a chance to try those kernels but 4.4.0-65.86 has just hit
-proposed so I'll give it a try and report back, thanks.

[Touch-packages] [Bug 1666748] Re: Apparmor problem inside a lxd container
You can try the set of kernel in

  http://people.canonical.com/~jj/linux+jj/

[Touch-packages] [Bug 1666748] Re: Apparmor problem inside a lxd container
I'm also seeing those with my smb servers:

  apparmor="DENIED" operation="file_perm" namespace="root//lxd-smb_" profile="/usr/sbin/smbd" pid=15865 comm="smbd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="---"

On those I also have this:

  apparmor="DENIED" operation="file_inherit" namespace="root//lxd-smb_ " profile="/usr/sbin/smbd" name="/run/systemd/journal/stdout" pid=3755 comm="smbd" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

I also have no clue about the above.

John, is there any test kernel I could try before something more
official hits -proposed?

[Touch-packages] [Bug 1666748] Re: Apparmor problem inside a lxd container
The peer="---" is likely due to bug 1660832, which has been fixed in
the latest set of kernels that should be rolling out this week.

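Added example, not part of the thread or of AppArmor's own tooling: a small triage script that separates denials matching the pattern discussed above (unix socket, peer="---", nested root// namespace) from other denials, and checks a 4.4.0-series kernel package version against 4.4.0-65.86. The function names, category labels and action strings are assumptions made for illustration; the sample records are copied from the thread.

```python
import re

# key=value pairs; a value is either double-quoted or a bare token.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Ubuntu kernel package version: upstream base, ABI number, upload number.
_KERNEL = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)\.(\d+)")
FIXED = (4, 4, 0, 65, 86)  # 4.4.0-65.86, the kernel confirmed in the thread

# Denial records copied from the thread (namespace values as they appear there).
SAMPLE = [
    'apparmor="DENIED" operation="file_perm" namespace="root//lxd-ganymede_ " '
    'profile="/usr/sbin/sshd" pid=30870 comm="sshd" family="unix" '
    'sock_type="stream" protocol=0 requested_mask="send receive" '
    'denied_mask="send receive" addr=none peer_addr=none peer="---"',
    'apparmor="DENIED" operation="file_inherit" namespace="root//lxd-smb_ " '
    'profile="/usr/sbin/smbd" name="/run/systemd/journal/stdout" pid=3755 '
    'comm="smbd" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536',
]


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    return {k: (q if b == "" else b) for k, q, b in _FIELD.findall(line)}


def classify(fields):
    """Label a parsed record (labels are this example's own, not AppArmor's)."""
    if fields.get("apparmor") != "DENIED":
        return "not-a-denial"
    nested = fields.get("namespace", "").startswith("root//")
    if nested and fields.get("family") == "unix" and fields.get("peer") == "---":
        return "bug-1660832-pattern"
    return "other-denial"


def has_fix(version):
    """True/False for a 4.4.0-series package version, None if undecidable.

    Accepts '4.4.0-63.84' or a ProcVersionSignature string; a bare
    'uname -r' value lacks the upload number and yields None.
    """
    m = _KERNEL.search(version)
    if not m:
        return None
    kernel = tuple(int(x) for x in m.groups())
    if kernel[:3] != FIXED[:3]:
        return None  # other kernel series are outside what the thread covers
    return kernel >= FIXED


def triage(lines, kernel_version):
    """Return (profile, category, suggested action) for each denial line."""
    fixed = has_fix(kernel_version)
    report = []
    for line in lines:
        fields = parse_denial(line)
        kind = classify(fields)
        if kind == "not-a-denial":
            continue
        if kind == "bug-1660832-pattern" and fixed is False:
            action = "upgrade kernel to 4.4.0-65.86 or later"
        elif kind == "bug-1660832-pattern":
            action = "kernel not known to be affected; investigate further"
        else:
            action = "review profile rules"
        report.append((fields.get("profile"), kind, action))
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE, "Ubuntu 4.4.0-63.84-generic 4.4.44"):
        print(row)
```
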
Re: [Touch-packages] [Bug 1666748] Re: Apparmor problem inside a lxd container
On 2017-02-21 09:58 PM, Seth Arnold wrote:
> Hi Simon, could you capture the output of apparmor_parser -p on your
> sshd profile?

Here it is: https://paste.ubuntu.com/24044131/

> There's no 'unix' rules in the portion pasted to github.

Indeed, I only added this workaround later on:

  # required within a container/namespace
  unix (send,receive) type=stream addr=none,

I don't like this workaround because I cannot make sense of it and I'm
not even understanding it...

> Also, does 'peer="---"' ring any bells for you?

Nope, sorry.

Thanks Seth,
Simon

[Touch-packages] [Bug 1666748] Re: Apparmor problem inside a lxd container
Hi Simon, could you capture the output of apparmor_parser -p on your
sshd profile?

There's no 'unix' rules in the portion pasted to github.

Also, does 'peer="---"' ring any bells for you?

Thanks