Public bug reported:
On Ubuntu 25.10 running inside a Proxmox LXC container, any direct execution
of wg-quick (e.g. "wg-quick up wg0") results in a SIGSEGV. The same command
works perfectly when invoked via "bash /usr/bin/wg-quick up wg0".
Cause:
wg-quick has an AppArmor profile (/etc/apparmor.d/usr.bin.wg-quick). When
wg-quick is execve()'d directly, LXC’s AppArmor+seccomp enforcement switches
to the wg-quick profile which denies some operations (likely ip/nft/sysctl),
causing the process to be killed and reported as a segmentation fault.
Placing the profile in complain mode fixes the issue:
"aa-complain wg-quick"
Disabling the profile also fixes it:
"aa-disable wg-quick"
Running wg-quick via bash bypasses the profile switch, so it works.
Expected:
wg-quick should not segfault in LXC environments. (Note: I did not reproduce
the crash in Docker; I do not have a non-virtualized Ubuntu 25.10 to test in.)
Actual:
wg-quick segfaults due to AppArmor enforcement on direct exec only.
Reproduction:
- Proxmox 8.x host
- Ubuntu 25.10 LXC container
- Install wireguard-tools
- Provide wg0.conf
- Run "wg-quick up wg0" → SIGSEGV
- Run "bash /usr/bin/wg-quick up wg0" → works normally
```
root@twentyfive-ten-test:~# lsb_release -rd
Description: Ubuntu 25.10
Release: 25.10
```
```
root@twentyfive-ten-test:~# apt-cache policy apparmor
apparmor:
  Installed: 5.0.0~alpha1-0ubuntu8.1
  Candidate: 5.0.0~alpha1-0ubuntu8.1
  Version table:
 *** 5.0.0~alpha1-0ubuntu8.1 500
        500 http://archive.ubuntu.com/ubuntu questing-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     5.0.0~alpha1-0ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu questing/main amd64 Packages
root@twentyfive-ten-test:~# apt-cache policy wireguard
wireguard:
  Installed: 1.0.20210914-3ubuntu2
  Candidate: 1.0.20210914-3ubuntu2
  Version table:
 *** 1.0.20210914-3ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu questing/universe amd64 Packages
        100 /var/lib/dpkg/status
root@twentyfive-ten-test:~# apt-cache policy wireguard-tools
wireguard-tools:
  Installed: 1.0.20210914-3ubuntu2
  Candidate: 1.0.20210914-3ubuntu2
  Version table:
 *** 1.0.20210914-3ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu questing/main amd64 Packages
        100 /var/lib/dpkg/status
```
** Affects: net-tools (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2133632
Title:
wg-quick seg-faults when running in LXC -- apparmour
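The report only guesses at which operations the wg-quick profile denies; the kernel's AppArmor audit lines name them, and the sketch below summarises those lines per profile. This is an added example, not part of the bug report: the sample log lines are constructed (the denied operations shown are invented), and `sample_log` and `summarize_denials` are hypothetical names.

```shell
#!/bin/sh
# Summarise AppArmor denials for one profile from kernel audit lines.
# On a live system (assumption: denials reach the kernel log), feed it with:
#   dmesg | summarize_denials wg-quick        (or: journalctl -k | ...)

# Constructed sample lines in the kernel's AppArmor audit format.
# They are NOT from the bug report; the operations shown are invented.
sample_log() {
cat <<'EOF'
audit: type=1400 audit(1700000000.101:51): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/proc/sys/net/ipv4/conf/all/src_valid_mark" pid=811 comm="sysctl" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.140:52): apparmor="DENIED" operation="capable" class="cap" profile="wg-quick" pid=812 comm="ip" capability=12 capname="net_admin"
audit: type=1400 audit(1700000000.150:53): apparmor="ALLOWED" operation="open" class="file" profile="wg-quick" name="/etc/wireguard/wg0.conf" pid=813 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.200:54): apparmor="DENIED" operation="open" class="file" profile="other-profile" name="/etc/shadow" pid=900 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.300:55): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/proc/sys/net/ipv4/conf/all/src_valid_mark" pid=820 comm="sysctl" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
EOF
}

# Print "<count> <operation> <comm> <target>" for each distinct denial
# recorded against the profile named in $1. Lines marked ALLOWED (what a
# profile in complain mode logs) and other profiles are skipped.
summarize_denials() {
    awk -v want="$1" '
    # Return the value of key="value" or key=value on the current line.
    function field(key,   re, s) {
        re = "(^| )" key "=(\"[^\"]*\"|[^ ]*)"
        if (!match($0, re)) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^ ?[^=]*=/, "", s)
        gsub(/"/, "", s)
        return s
    }
    /apparmor="DENIED"/ && field("profile") == want {
        target = field("name")                        # file path, if any
        if (target == "") target = field("capname")   # else capability name
        count[field("operation") " " field("comm") " " target]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Stand-alone demonstration on the constructed sample.
sample_log | summarize_denials wg-quick
```

Pass the profile name exactly as it appears in the `profile=` field of the log.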