> apparmor_parser -R /etc/apparmor.d
-R means to unload profiles, in this case all profiles in
/etc/apparmor.d/. That's probably a bit ;-) too much...
I'd guess you want to unload only the tcpdump profile, which would be done with
apparmor_parser -R /etc/apparmor.d/usr.bin.tcpdump
An
Ahyes, that fixes things on Ubuntu/Jammy as well:
mkdir -p /etc/apparmor.d/disable
# (did not exist, over here)
ln -s /etc/apparmor.d/usr.bin.tcpdump /etc/apparmor.d/disable
# (note, no sbin, but bin)
apparmor_parser -R /etc/apparmor.d
# (this is indeed needed, instead of an apparmor restart)
This affects Ubuntu 18.04 LXD containers as well.
As per previous mentions for tcpdump:
a) using script does not change anything
b) connecting via ssh and not lxc exec has no effect
c) disabling apparmour for tcpdump does work:
i.e.
/bin/ln -s /etc/apparmor.d/usr.sbin.tcpdump
I've been able to re-create this using fresh install of Ubuntu 18.04
without using LXC or LXD, but just using network namespaces.
Setup 2 namespaces with IPVLAN:
ip netns add ns1
ip link add name ipv1 link enp0s3 type ipvlan mode l3s
ip link set dev ipv1 netns ns1
ip netns exec ns1 ip addr add
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1641236
Title:
On Tue, Jan 31, 2017 at 11:34:43AM +0100, Christian Brauner wrote:
> I've reproduced this on a fresh standard xenial instance with LXD
> 2.0.8 and also on a xenial instance with a patched glibc that reports
> ENODEV on ttyname{_r}() on a pty fd that does not exist:
>
> root@x:~#
I've reproduced this on a fresh standard xenial instance with LXD
2.0.8 and also on a xenial instance with a patched glibc that reports
ENODEV on ttyname{_r}() on a pty fd that does not exist:
root@x:~# ./enodev_on_pty_in_different_namespace
ttyname(): The pty device might exist in a different
Marking the LXD side of this as Invalid since there's unfortunately
nothing we can really do about this.
** Changed in: lxd (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Getting openpty called in the container would solve a lot of problems
for us but it's not possible to do in a safe way as it'd effectively
rely on the container's filesystem which the container user can change
or fake at will, allowing for attacks on the host's C library and LXD
itself.
** Also
There's currently no way in the AppArmor policy language to allow the
getattr operation on the passed in /dev/pts/12 file. The typical
workaround of adding the attach_disconnected flag to the profile does
not work here because *every* AppArmor profile inside of the container
would need that flag.
10 matches
Mail list logo
