Public bug reported:
When running containers with no-new-privileges on Podman on Ubuntu
24.04, applications that need to create network sockets fail with
"Permission denied" errors. This is caused by the AppArmor profile for
crun denying the "create" operation for network sockets.
Steps to Reproduce
1. Install podman on Ubuntu
2. Run the following command:
   podman run --rm --security-opt=no-new-privileges docker.io/nginxinc/nginx-unprivileged:alpine3.22
3. Observe the container fails to start with permission denied error
Expected Behavior
The container should start successfully and nginx should be able to bind
to port 8080.
Actual Behavior
The container fails with the following error:
2025/07/26 12:29:02 [emerg] 1#1: socket() 0.0.0.0:8080 failed (13: Permission denied)
nginx: [emerg] socket() 0.0.0.0:8080 failed (13: Permission denied)
System Information
OS: Ubuntu 24.04.2 LTS
Kernel Version: 6.14.0-24-generic
podman Version: 4.9.3+ds1-1ubuntu0.2
crun Version: 1.14.1-1
Logs
Container Output
root@natsu:~# podman run --rm --security-opt=no-new-privileges docker.io/nginxinc/nginx-unprivileged:alpine3.22
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2025/07/26 12:29:02 [emerg] 1#1: socket() 0.0.0.0:8080 failed (13: Permission denied)
nginx: [emerg] socket() 0.0.0.0:8080 failed (13: Permission denied)
Kernel/AppArmor Audit Log
[ 2787.133304] audit: type=1400 audit(1753532942.087:240): apparmor="DENIED" operation="create" class="net" info="failed af match" error=-13 profile="crun" pid=6083 comm="nginx" family="inet" sock_type="stream" protocol=0 requested="create" denied="create"
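The audit record above is the evidence that ties the nginx failure to the crun profile rather than to the container image. As an added example (not part of this bug report and not code from podman, crun or Ubuntu), the script below parses dmesg-style AppArmor records like that one, keeps only DENIED events in the net class, and prints a triage summary for each. The first sample line is the record quoted in the report; the other two lines are constructed here to show the filtering. The `network inet stream,` string it derives is AppArmor's documented network-rule syntax for the socket class that was denied; the report does not say what fix the maintainers applied, so treat that string as illustrating what was refused, not as the adopted change.

```python
"""Triage helper for AppArmor network denials (added example)."""
import re
from typing import Dict, List, Optional

# key=value pairs: the value is either a "quoted string" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(<epoch seconds>.<millis>:<serial>) as printed by the kernel
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Constructed sample input. Line 1 is the record quoted in the bug report;
# lines 2 and 3 are made up here (a non-AppArmor kernel message and a
# complain-mode ALLOWED file-class record) to exercise the filtering.
SAMPLE_LOG = """\
[ 2787.133304] audit: type=1400 audit(1753532942.087:240): apparmor="DENIED" operation="create" class="net" info="failed af match" error=-13 profile="crun" pid=6083 comm="nginx" family="inet" sock_type="stream" protocol=0 requested="create" denied="create"
[ 2787.200000] veth0: entered promiscuous mode
[ 2788.000000] audit: type=1400 audit(1753532943.000:241): apparmor="ALLOWED" operation="open" class="file" profile="crun" name="/etc/hosts" pid=6083 comm="nginx" requested_mask="r" denied_mask="r"
"""


def parse_apparmor_record(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AppArmor audit record, or None when the line
    is not an AppArmor record (dmesg uses type=1400, auditd uses type=AVC)."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    if fields.get("type") not in ("1400", "AVC") or "apparmor" not in fields:
        return None
    m = AUDIT_ID_RE.search(line)
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    return fields


def network_denials(log: str) -> List[Dict[str, str]]:
    """Keep only records where a profile DENIED something in the net class."""
    out: List[Dict[str, str]] = []
    for line in log.splitlines():
        rec = parse_apparmor_record(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("class") == "net":
            out.append(rec)
    return out


def summarize(rec: Dict[str, str]) -> str:
    """One-line triage summary: which profile blocked which process from what."""
    return (
        f'profile={rec["profile"]} blocked comm={rec["comm"]} pid={rec["pid"]} '
        f'from {rec["operation"]} on {rec["family"]}/{rec["sock_type"]} socket '
        f'(error={rec["error"]}, {rec.get("info", "no info")})'
    )


def rule_that_would_permit(rec: Dict[str, str]) -> str:
    """AppArmor network-rule syntax matching the denied socket class.
    This only shows what was refused; changing the crun profile is a
    packaging decision the report does not make."""
    return f'network {rec["family"]} {rec["sock_type"]},'


if __name__ == "__main__":
    for rec in network_denials(SAMPLE_LOG):
        print(summarize(rec))
        print("  rule syntax matching the denial:", rule_that_would_permit(rec))
```

Feed it `dmesg` or `journalctl -k` output instead of `SAMPLE_LOG` to see every network denial on a host; the `profile` and `comm` fields are what distinguish a runtime-profile denial like this one from an application-level misconfiguration.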
** Affects: podman (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2118824
Title:
Podman containers with no-new-privileges fail to create network sockets due to AppArmor denial