*** This bug is a duplicate of bug 1780227 ***
https://bugs.launchpad.net/bugs/1780227
This is an AppArmor bug that I reported and which is tracked here:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227
So please close here in favor of that bug.
Christian
** Changed in: lxd (Ubuntu)
Status: New => Invalid
** Changed in: systemd (Ubuntu)
Status: New => Invalid
https://bugs.launchpad.net/bugs/1783305
Title:
apparmor DENIED when a systemd unit with DynamicUsers=yes is launched
in a lxd container
Status in apparmor package in Ubuntu:
New
Status in lxd package in Ubuntu:
Invalid
Status in systemd package in Ubuntu:
Invalid
Bug description:
$ lxc launch images:debian/sid test-dynamicusers
$ lxc exec test-dynamicusers bash
$ systemd-run --unit=testdynamic -p DynamicUser=yes --uid=xnox /bin/true
$ systemctl status testdynamic.service
# systemctl status testdynamic.service
● testdynamic.service - /bin/true
Loaded: loaded (/run/systemd/transient/testdynamic.service; transient)
Transient: yes
Active: failed (Result: exit-code) since Tue 2018-07-24 10:16:13 UTC; 6s ago
Process: 470 ExecStart=/bin/true (code=exited, status=217/USER)
Main PID: 470 (code=exited, status=217/USER)
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Forked /bin/true as 470
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed dead -> running
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Job testdynamic.service/start finished, result=done
Jul 24 10:16:13 systemd239 systemd[1]: Started /bin/true.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed to send unit change signal for testdynamic.service: Connection reset by peer
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Child 470 belongs to testdynamic.service.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Main process exited, code=exited, status=217/USER
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed with result 'exit-code'.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed running -> failed
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Unit entered failed state.
and on the host side, in the journal there is:
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:935): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:936): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:937): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:938): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:939): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:940): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:941): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Can we somehow make DynamicUser work in lxd containers?
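As an added example (not part of the bug report or of LXD/systemd), a small triage script that parses host-side AppArmor AVC lines like the ones above, maps the LXD profile name back to the confined container, and counts denials per container, operation and process so a host operator can spot which container is hitting which profile rule. The sample journal is constructed from the lines in this report; the profile-name pattern is taken from the profile shown above.

```python
import re
from collections import Counter

# Constructed sample journal: the two AVC forms seen in the report above
# (a userspace audit line and a truncated kernel-side copy) plus one
# unrelated entry, to show that non-AVC lines are ignored.
SAMPLE_JOURNAL = """\
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi systemd[1]: Started Session 42 of user root.
"""

# key="quoted value" or key=bareword, as written by the AppArmor audit code
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# LXD names container profiles lxd-<container>_<<lxd path>> (as in the report)
_LXD_PROFILE = re.compile(r'^lxd-(?P<name>.+)_<(?P<path>[^>]*)>$')

def parse_avc(line):
    """Return the key/value fields of an AppArmor AVC line, or None if the
    line is not an AppArmor audit message. A field truncated at the end of
    the line (sock_type= above) has no value and is simply left out."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def container_of(profile):
    """Map an LXD AppArmor profile name back to its container, else None."""
    m = _LXD_PROFILE.match(profile)
    return m.group('name') if m else None

def summarise_denials(journal_text):
    """Count DENIED events per (container, operation, comm). The kernel
    re-emits each event as a type=1400 line, so those copies are skipped
    to avoid double counting."""
    counts = Counter()
    for line in journal_text.splitlines():
        f = parse_avc(line)
        if not f or f.get('apparmor') != 'DENIED' or 'type' in f:
            continue
        key = (container_of(f.get('profile', '')), f.get('operation'),
               f.get('comm'))
        counts[key] += 1
    return counts

if __name__ == '__main__':
    for (ctr, op, comm), n in summarise_denials(SAMPLE_JOURNAL).items():
        print(f'container={ctr} operation={op} comm={comm} denials={n}')
```

On a real host, feed it `journalctl -k -o cat` or the output of `journalctl _TRANSPORT=audit -o cat` instead of the constructed sample.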