CONTAINERNAME_" profile="unconfined" name="system_tor"

Stefan Heijnen Sun, 01 Jan 2017 12:51:05 -0800

No problem, it is the holiday season.

I get the following errors on 16.04:


[    0.511712] audit: initializing netlink subsys (disabled)
[    0.511802] audit: type=2000 audit(1483302109.500:1): initialized
[    7.355509] audit: type=1400 audit(1483302117.275:2): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="lxc-container-default" 
pid=1248 comm="apparmor_parser"
[    7.355514] audit: type=1400 audit(1483302117.275:3): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" 
pid=1248 comm="apparmor_parser"
[    7.355517] audit: type=1400 audit(1483302117.275:4): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="lxc-container-default-with-mounting" pid=1248 comm="apparmor_parser"
[    7.355519] audit: type=1400 audit(1483302117.275:5): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="lxc-container-default-with-nesting" pid=1248 comm="apparmor_parser"
[    7.356597] audit: type=1400 audit(1483302117.275:6): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="system_tor" pid=1250 
comm="apparmor_parser"
[    7.357507] audit: type=1400 audit(1483302117.279:7): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=1249 
comm="apparmor_parser"
[    7.357511] audit: type=1400 audit(1483302117.279:8): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1249 
comm="apparmor_parser"
[    7.357514] audit: type=1400 audit(1483302117.279:9): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1249 comm="apparmor_parser"
[    7.357517] audit: type=1400 audit(1483302117.279:10): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/lib/connman/scripts/dhclient-script" pid=1249 comm="apparmor_parser"
[    7.357701] audit: type=1400 audit(1483302117.279:11): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" 
pid=1254 comm="apparmor_parser"
[   13.742946] audit_printk_skb: 57 callbacks suppressed
[   13.742948] audit: type=1400 audit(1483302123.663:31): apparmor="DENIED" 
operation="unlink" profile="/usr/sbin/ntpd" 
name="/var/lib/openntpd/run/ntpd.sock" pid=2764 comm="ntpd" requested_mask="d" 
denied_mask="d" fsuid=0 ouid=0
[   14.590740] audit: type=1400 audit(1483302124.511:32): apparmor="DENIED" 
operation="unlink" profile="/usr/sbin/ntpd" 
name="/var/lib/openntpd/run/ntpd.sock" pid=2818 comm="ntpd" requested_mask="d" 
denied_mask="d" fsuid=0 ouid=0
[   17.359442] audit: type=1400 audit(1483302127.279:33): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="lxd-mysql_</var/lib/lxd>" 
pid=3054 comm="apparmor_parser"
[   19.061796] audit: type=1400 audit(1483302128.983:34): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="lxd-torelay_</var/lib/lxd>" 
pid=3535 comm="apparmor_parser"
[   20.960218] audit: type=1400 audit(1483302130.879:35): apparmor="DENIED" 
operation="unlink" profile="/usr/sbin/ntpd" 
name="/var/lib/openntpd/run/ntpd.sock" pid=3848 comm="ntpd" requested_mask="d" 
denied_mask="d" fsuid=0 ouid=0
[   21.072519] audit: type=1400 audit(1483302130.991:36): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_</var/lib/lxd>//&:lxd-mysql_<var-lib-lxd>://unconfined" 
name="lxc-container-default" pid=3908 comm="apparmor_parser"
[   21.072525] audit: type=1400 audit(1483302130.991:37): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_</var/lib/lxd>//&:lxd-mysql_<var-lib-lxd>://unconfined" 
name="lxc-container-default-cgns" pid=3908 comm="apparmor_parser"
[   21.072529] audit: type=1400 audit(1483302130.991:38): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_</var/lib/lxd>//&:lxd-mysql_<var-lib-lxd>://unconfined" 
name="lxc-container-default-with-mounting" pid=3908 comm="apparmor_parser"
[   21.072533] audit: type=1400 audit(1483302130.991:39): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_</var/lib/lxd>//&:lxd-mysql_<var-lib-lxd>://unconfined" 
name="lxc-container-default-with-nesting" pid=3908 comm="apparmor_parser"
[   21.073788] audit: type=1400 audit(1483302130.995:40): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_</var/lib/lxd>//&:lxd-mysql_<var-lib-lxd>://unconfined" 
name="/usr/bin/lxc-start" pid=3910 comm="apparmor_parser"
[   21.075677] audit: type=1400 audit(1483302130.995:41): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_</var/lib/lxd>//&:lxd-mysql_<var-lib-lxd>://unconfined" 
name="/usr/lib/lxd/lxd-bridge-proxy" pid=3911 comm="apparmor_parser"
[   21.076554] audit: type=1400 audit(1483302130.995:42): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_</var/lib/lxd>//&:lxd-mysql_<var-lib-lxd>://unconfined" 
name="/sbin/dhclient" pid=3909 comm="apparmor_parser"
[   21.076559] audit: type=1400 audit(1483302130.995:43): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_</var/lib/lxd>//&:lxd-mysql_<var-lib-lxd>://unconfined" 
name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=3909 
comm="apparmor_parser"
[   24.173189] audit_printk_skb: 24 callbacks suppressed
[   24.173190] audit: type=1400 audit(1483302134.091:52): apparmor="STATUS" 
operation="profile_load" 
label="lxd-torelay_</var/lib/lxd>//&:lxd-torelay_<var-lib-lxd>://unconfined" 
name="lxc-container-default" pid=4341 comm="apparmor_parser"
[   24.173196] audit: type=1400 audit(1483302134.091:53): apparmor="STATUS" 
operation="profile_load" 
label="lxd-torelay_</var/lib/lxd>//&:lxd-torelay_<var-lib-lxd>://unconfined" 
name="lxc-container-default-cgns" pid=4341 comm="apparmor_parser"
[   24.173201] audit: type=1400 audit(1483302134.091:54): apparmor="STATUS" 
operation="profile_load" 
label="lxd-torelay_</var/lib/lxd>//&:lxd-torelay_<var-lib-lxd>://unconfined" 
name="lxc-container-default-with-mounting" pid=4341 comm="apparmor_parser"
[   24.173205] audit: type=1400 audit(1483302134.091:55): apparmor="STATUS" 
operation="profile_load" 
label="lxd-torelay_</var/lib/lxd>//&:lxd-torelay_<var-lib-lxd>://unconfined" 
name="lxc-container-default-with-nesting" pid=4341 comm="apparmor_parser"
[   24.175621] audit: type=1400 audit(1483302134.095:56): apparmor="STATUS" 
operation="profile_load" 
label="lxd-torelay_</var/lib/lxd>//&:lxd-torelay_<var-lib-lxd>://unconfined" 
name="system_tor" pid=4343 comm="apparmor_parser"
[   24.177605] audit: type=1400 audit(1483302134.099:57): apparmor="STATUS" 
operation="profile_load" 
label="lxd-torelay_</var/lib/lxd>//&:lxd-torelay_<var-lib-lxd>://unconfined" 
name="/sbin/dhclient" pid=4342 comm="apparmor_parser"
[   24.177611] audit: type=1400 audit(1483302134.099:58): apparmor="STATUS" 
operation="profile_load" 
label="lxd-torelay_</var/lib/lxd>//&:lxd-torelay_<var-lib-lxd>://unconfined" 
name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=4342 
comm="apparmor_parser"
[   24.177615] audit: type=1400 audit(1483302134.099:59): apparmor="STATUS" 
operation="profile_load" 
label="lxd-torelay_</var/lib/lxd>//&:lxd-torelay_<var-lib-lxd>://unconfined" 
name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=4342 comm="apparmor_parser"
[   24.177619] audit: type=1400 audit(1483302134.099:60): apparmor="STATUS" 
operation="profile_load" 
label="lxd-torelay_</var/lib/lxd>//&:lxd-torelay_<var-lib-lxd>://unconfined" 
name="/usr/lib/connman/scripts/dhclient-script" pid=4342 comm="apparmor_parser"
[   24.177831] audit: type=1400 audit(1483302134.099:61): apparmor="STATUS" 
operation="profile_load" 
label="lxd-torelay_</var/lib/lxd>//&:lxd-torelay_<var-lib-lxd>://unconfined" 
name="/usr/bin/lxc-start" pid=4344 comm="apparmor_parser"
[   29.605458] audit_printk_skb: 63 callbacks suppressed
[   29.605459] audit: type=1400 audit(1483302139.527:83): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-webserver_<var-lib-lxd>" 
profile="/sbin/dhclient" name="/run/systemd/journal/stdout" pid=5233 
comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   29.605466] audit: type=1400 audit(1483302139.527:84): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-webserver_<var-lib-lxd>" 
profile="/sbin/dhclient" name="/run/systemd/journal/stdout" pid=5233 
comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   31.536211] audit: type=1400 audit(1483302141.455:85): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-mysql_<var-lib-lxd>" 
profile="/usr/sbin/mysqld" name="/run/systemd/journal/stdout" pid=5519 
comm="mysqld" requested_mask="wr" denied_mask="wr" fsuid=100113 ouid=100000
[   31.536218] audit: type=1400 audit(1483302141.455:86): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-mysql_<var-lib-lxd>" 
profile="/usr/sbin/mysqld" name="/run/systemd/journal/stdout" pid=5519 
comm="mysqld" requested_mask="wr" denied_mask="wr" fsuid=100113 ouid=100000
[   33.485885] audit: type=1400 audit(1483302143.407:87): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=5713 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   33.485894] audit: type=1400 audit(1483302143.407:88): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=5713 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   33.485908] audit: type=1400 audit(1483302143.407:89): apparmor="DENIED" 
operation="file_mmap" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/usr/bin/tor" pid=5713 comm="tor" requested_mask="m" 
denied_mask="m" fsuid=100000 ouid=100000
[   38.689862] audit: type=1400 audit(1483302148.611:90): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6026 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   38.689872] audit: type=1400 audit(1483302148.611:91): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6026 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   38.689888] audit: type=1400 audit(1483302148.611:92): apparmor="DENIED" 
operation="file_mmap" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/usr/bin/tor" pid=6026 comm="tor" requested_mask="m" 
denied_mask="m" fsuid=100000 ouid=100000
[   41.529888] audit: type=1400 audit(1483302151.451:93): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6474 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   41.529980] audit: type=1400 audit(1483302151.451:94): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6474 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   41.530038] audit: type=1400 audit(1483302151.451:95): apparmor="DENIED" 
operation="file_mmap" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/usr/bin/tor" pid=6474 comm="tor" requested_mask="m" 
denied_mask="m" fsuid=100000 ouid=100000
[   43.917886] audit: type=1400 audit(1483302153.839:96): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6607 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   43.917977] audit: type=1400 audit(1483302153.839:97): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6607 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   43.918025] audit: type=1400 audit(1483302153.839:98): apparmor="DENIED" 
operation="file_mmap" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/usr/bin/tor" pid=6607 comm="tor" requested_mask="m" 
denied_mask="m" fsuid=100000 ouid=100000
[   44.849815] audit: type=1400 audit(1483302154.771:99): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6639 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   44.849824] audit: type=1400 audit(1483302154.771:100): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6639 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   44.849839] audit: type=1400 audit(1483302154.771:101): apparmor="DENIED" 
operation="file_mmap" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/usr/bin/tor" pid=6639 comm="tor" requested_mask="m" 
denied_mask="m" fsuid=100000 ouid=100000
[   45.553854] audit: type=1400 audit(1483302155.475:102): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6650 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   45.553946] audit: type=1400 audit(1483302155.475:103): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6650 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000
[   45.553991] audit: type=1400 audit(1483302155.475:104): apparmor="DENIED" 
operation="file_mmap" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/usr/bin/tor" pid=6650 comm="tor" requested_mask="m" 
denied_mask="m" fsuid=100000 ouid=100000
[   46.317851] audit: type=1400 audit(1483302156.239:105): apparmor="DENIED" 
operation="file_inherit" namespace="root//lxd-torelay_<var-lib-lxd>" 
profile="system_tor" name="/run/systemd/journal/stdout" pid=6662 comm="tor" 
requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1648143

Title:
  tor in lxd: apparmor="DENIED" operation="change_onexec"
  namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
  name="system_tor"

Status in apparmor package in Ubuntu:
  Confirmed
Status in tor package in Ubuntu:
  Confirmed

Bug description:
  Environment:
  ----------------

      Distribution: ubuntu
      Distribution version: 16.10
      lxc info:
      apiextensions:

      storage_zfs_remove_snapshots
      container_host_shutdown_timeout
      container_syscall_filtering
      auth_pki
      container_last_used_at
      etag
      patch
      usb_devices
      https_allowed_credentials
      image_compression_algorithm
      directory_manipulation
      container_cpu_time
      storage_zfs_use_refquota
      storage_lvm_mount_options
      network
      profile_usedby
      container_push
      apistatus: stable
      apiversion: "1.0"
      auth: trusted
      environment:
      addresses:
          163.172.48.149:8443
          172.20.10.1:8443
          172.20.11.1:8443
          172.20.12.1:8443
          172.20.22.1:8443
          172.20.21.1:8443
          10.8.0.1:8443
          architectures:
          x86_64
          i686
          certificate: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
          certificatefingerprint: 
3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
          driver: lxc
          driverversion: 2.0.5
          kernel: Linux
          kernelarchitecture: x86_64
          kernelversion: 4.8.0-27-generic
          server: lxd
          serverpid: 32694
          serverversion: 2.4.1
          storage: btrfs
          storageversion: 4.7.3
          config:
          core.https_address: '[::]:8443'
          core.trust_password: true

  Container: ubuntu 16.10

  
  Issue description
  ------------------

  
  tor can't start in a non privileged container

  
  Logs from the container:
  -------------------------

  Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
  Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step 
APPARMOR spawning /usr/bin/tor: No such file or directory
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process 
exited, code=exited, status=231/APPARMOR
  Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay 
network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed 
state.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result 
'exit-code'.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off 
time over, scheduling restart.
  Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for 
TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset 
devices.list: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on 
/system.slice/system-tor.slice/tor@default.service: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to 
set devices.allow on /system.slice/system-tor.slice/tor@default.service: 
Operation not permitted]
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device 
/run/systemd/inaccessible/chr
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device 
/run/systemd/inaccessible/blk
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on 
/system.slice/system-tor.slice/tor@default.service: Operation not permitted


  Logs from the host
  --------------------

  audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" 
operation="change_onexec" info="label not found" error=-2 
namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" 
  pid=12164 comm="(tor)"

  
  Steps to reproduce
  ---------------------

      install ubuntu container 16.10 on a ubuntu 16.10 host
      install tor in the container
      Launch tor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

Reply via email to