using
  lxc launch images:ubuntu/yakkety torcontainer
to create the container

then installing tor into the container and starting it, I can replicate
the error. However, this is due to the container not having apparmor
installed. The container is not booting with apparmor or loading the tor
profile.

Once apparmor is installed the container reports a different error.

[103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=18593 comm="(tor)" target="system_tor"

Which upon investigation is an error in the change_profile check around
seccomp no_new_privs when policy is stacked.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1648143

Title:
  tor in lxd: apparmor="DENIED" operation="change_onexec"
  namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
  name="system_tor"

Status in apparmor package in Ubuntu:
  New
Status in tor package in Ubuntu:
  New

Bug description:
  Environment:
  ----------------

      Distribution: ubuntu
      Distribution version: 16.10
      lxc info:
        apiextensions:
        - storage_zfs_remove_snapshots
        - container_host_shutdown_timeout
        - container_syscall_filtering
        - auth_pki
        - container_last_used_at
        - etag
        - patch
        - usb_devices
        - https_allowed_credentials
        - image_compression_algorithm
        - directory_manipulation
        - container_cpu_time
        - storage_zfs_use_refquota
        - storage_lvm_mount_options
        - network
        - profile_usedby
        - container_push
        apistatus: stable
        apiversion: "1.0"
        auth: trusted
        environment:
          addresses:
          - 163.172.48.149:8443
          - 172.20.10.1:8443
          - 172.20.11.1:8443
          - 172.20.12.1:8443
          - 172.20.22.1:8443
          - 172.20.21.1:8443
          - 10.8.0.1:8443
          architectures:
          - x86_64
          - i686
          certificate: |
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
          certificatefingerprint: 3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
          driver: lxc
          driverversion: 2.0.5
          kernel: Linux
          kernelarchitecture: x86_64
          kernelversion: 4.8.0-27-generic
          server: lxd
          serverpid: 32694
          serverversion: 2.4.1
          storage: btrfs
          storageversion: 4.7.3
        config:
          core.https_address: '[::]:8443'
          core.trust_password: true

  Container: ubuntu 16.10

  
  Issue description
  ------------------

  
  tor can't start in a non privileged container

  
  Logs from the container:
  -------------------------

  Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
  Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
  Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed state.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result 'exit-code'.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
  Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset devices.list: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted]
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/chr
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/blk
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted


  Logs from the host
  --------------------

  audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" pid=12164 comm="(tor)"

  
  Steps to reproduce
  ---------------------

      Install an Ubuntu 16.10 container on an Ubuntu 16.10 host
      Install tor in the container
      Launch tor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
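The two host-side denials quoted in this thread have the same operation, profile and name and differ only in their info= and error= fields, and that pair is what separates the two problems: info="label not found" (error=-2) means the system_tor profile simply is not loaded in the container's policy namespace, while info="no new privs" (error=-1) is the change_onexec refusal under no_new_privs with stacked policy that the comment above describes. The POSIX shell below is an added example, not part of the bug report or of the apparmor or tor packages: it parses AppArmor audit lines and prints a verdict per denial. The three sample audit lines are constructed for the example (the first two are modelled on the ones in this thread, the third is an unrelated denial included to show it is ignored), and the function names and verdict labels are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): triage AppArmor change_onexec
# denials like the two quoted in this thread. POSIX sh; no root needed.

# Constructed sample audit lines for this example: the first two are
# modelled on the host logs in the report, the third is an unrelated
# denial included to show that the triage ignores it.
SAMPLE_AUDIT='audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" pid=12164 comm="(tor)"
[103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=18593 comm="(tor)" target="system_tor"
audit: type=1400 audit(1481119400.000:6951): apparmor="DENIED" operation="open" profile="/usr/bin/foo" name="/etc/shadow" pid=777 comm="foo"'

# field_value LINE KEY: print the value of a double-quoted KEY="..." field.
# The key must be preceded by whitespace, so asking for "name" does not
# match the "namespace=" field.
field_value() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# is_stacked_namespace NS: succeed when NS names a child policy namespace.
# LXD containers show up as root//lxd-<name>_<path>, i.e. stacked policy.
is_stacked_namespace() {
    case $1 in
        *//*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_denial LINE: print a verdict for one audit line.
#   container-profile-missing  change_onexec with info="label not found":
#                              the target profile is not loaded in the
#                              container's namespace (apparmor not installed
#                              there, or the tor profile not parsed).
#   stacked-nnp-change-onexec  change_onexec with info="no new privs": the
#                              change_profile check refused the transition
#                              under no_new_privs with stacked policy.
#   other                      a denial of some other operation.
#   not-a-denial               the line is not an apparmor="DENIED" event.
classify_denial() {
    line=$1
    case $line in
        *'apparmor="DENIED"'*) ;;
        *) echo not-a-denial; return 0 ;;
    esac
    op=$(field_value "$line" operation)
    info=$(field_value "$line" info)
    ns=$(field_value "$line" namespace)
    stacked=no
    [ -n "$ns" ] && is_stacked_namespace "$ns" && stacked=yes
    if [ "$op" = change_onexec ]; then
        case $info in
            'label not found') verdict=container-profile-missing ;;
            'no new privs')    verdict=stacked-nnp-change-onexec ;;
            *)                 verdict=change-onexec-other ;;
        esac
        echo "$verdict target=$(field_value "$line" name) stacked=$stacked"
    else
        echo "other op=$op"
    fi
}

# triage_log: read audit lines on stdin and print one verdict per DENIED
# line, keyed by comm= so it can be matched against the container journal.
triage_log() {
    while IFS= read -r line; do
        case $line in
            *'apparmor="DENIED"'*) ;;
            *) continue ;;
        esac
        printf 'comm=%s %s\n' "$(field_value "$line" comm)" "$(classify_denial "$line")"
    done
}

# Run the triage over the constructed sample (feed it `dmesg` or the
# host's audit log for real use).
printf '%s\n' "$SAMPLE_AUDIT" | triage_log
```

Inside the container, `aa-status` (apparmor-utils) shows whether a system_tor profile is loaded at all, which is the "label not found" case, and `systemctl show -p AppArmorProfile -p NoNewPrivileges tor@default.service` shows whether the unit sets the two options whose combination produces the change_onexec under no_new_privs; those are the checks to run before deciding which of the two problems a given denial is.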