Thank you for this bug report. I can confirm the segfault in a Questing
LXD container:

root@engaging-guinea:~# aa-enforce wg-quick
Setting /usr/bin/wg-quick to enforce mode.
Warning: profile wg-quick represents multiple programs
root@engaging-guinea:~# strace wg-quick
execve("/usr/bin/wg-quick", ["wg-quick"], 0x7ffdc0d05d40 /* 20 vars */) = -1 EACCES (Permission denied)
+++ killed by SIGSEGV +++
Segmentation fault (core dumped)

Passes when in complain mode:

root@engaging-guinea:~# aa-complain wg-quick
Setting /usr/bin/wg-quick to complain mode.
Warning: profile wg-quick represents multiple programs
Warning: profile wg-quick represents multiple programs
root@engaging-guinea:~# wg-quick
Usage: wg-quick [ up | down | save | strip ] [ CONFIG_FILE | INTERFACE ]
[...]
See wg-quick(8) for more info and examples.

Passes via bash redirection:

root@engaging-guinea:~# bash wg-quick
Usage: wg-quick [ up | down | save | strip ] [ CONFIG_FILE | INTERFACE ]
[...]
See wg-quick(8) for more info and examples.

I collected the following AppArmor denial logs:

Dez 03 12:23:40 abaconcy kernel: audit: type=1400 audit(1764761020.244:103661):
apparmor="DENIED" operation="file_mmap" class="file"
namespace="root//lxd-engaging-guinea_<var-snap-lxd-common-lxd>"
profile="wg-quick" name="/usr/bin/bash" pid=1402704 comm="wg-quick"
requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
Dez 03 12:23:35 abaconcy kernel: audit: type=1400 audit(1764761015.855:103660):
apparmor="DENIED" operation="file_mmap" class="file"
namespace="root//lxd-engaging-guinea_<var-snap-lxd-common-lxd>"
profile="wg-quick" name="/usr/bin/bash" pid=1402695 comm="wg-quick"
requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
Dez 03 12:23:32 abaconcy kernel: audit: type=1400 audit(1764761012.289:103659):
apparmor="STATUS" operation="profile_replace" info="same as current profile,
skipping"
label="lxd-engaging-guinea_</var/snap/lxd/common/lxd>//&:lxd-engaging-guinea_<var-snap-lxd-common-lxd>:unconfined"
name="wg-quick//sysctl" pid=1402689 comm="apparmor_parser"
Dez 03 12:23:32 abaconcy kernel: audit: type=1400 audit(1764761012.288:103658):
apparmor="STATUS" operation="profile_replace" info="same as current profile,
skipping"
label="lxd-engaging-guinea_</var/snap/lxd/common/lxd>//&:lxd-engaging-guinea_<var-snap-lxd-common-lxd>:unconfined"
name="wg-quick//nft" pid=1402689 comm="apparmor_parser"
Dez 03 12:23:32 abaconcy kernel: audit: type=1400 audit(1764761012.288:103657):
apparmor="STATUS" operation="profile_replace" info="same as current profile,
skipping"
label="lxd-engaging-guinea_</var/snap/lxd/common/lxd>//&:lxd-engaging-guinea_<var-snap-lxd-common-lxd>:unconfined"
name="wg-quick//ip" pid=1402689 comm="apparmor_parser"
Dez 03 12:23:32 abaconcy kernel: audit: type=1400 audit(1764761012.281:103656):
apparmor="STATUS" operation="profile_replace"
label="lxd-engaging-guinea_</var/snap/lxd/common/lxd>//&:lxd-engaging-guinea_<var-snap-lxd-common-lxd>:unconfined"
name="wg-quick" pid=1402689 comm="apparmor_parser"
Dez 03 12:23:26 abaconcy kernel: audit: type=1400 audit(1764761006.927:103655):
apparmor="ALLOWED" operation="file_mmap" class="file"
namespace="root//lxd-engaging-guinea_<var-snap-lxd-common-lxd>"
profile="wg-quick" name="/usr/bin/bash" pid=1402669 comm="wg-quick"
requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
Dez 03 12:21:46 abaconcy kernel: audit: type=1400 audit(1764760906.865:103617):
apparmor="ALLOWED" operation="file_mmap" class="file"
namespace="root//lxd-engaging-guinea_<var-snap-lxd-common-lxd>"
profile="wg-quick" name="/usr/bin/bash" pid=1402203 comm="wg-quick"
requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
Dez 03 12:21:45 abaconcy kernel: audit: type=1400 audit(1764760905.132:103616):
apparmor="STATUS" operation="profile_replace" info="same as current profile,
skipping"
label="lxd-engaging-guinea_</var/snap/lxd/common/lxd>//&:lxd-engaging-guinea_<var-snap-lxd-common-lxd>:unconfined"
name="wg-quick//sysctl" pid=1402200 comm="apparmor_parser"
Dez 03 12:21:45 abaconcy kernel: audit: type=1400 audit(1764760905.131:103615):
apparmor="STATUS" operation="profile_replace" info="same as current profile,
skipping"
label="lxd-engaging-guinea_</var/snap/lxd/common/lxd>//&:lxd-engaging-guinea_<var-snap-lxd-common-lxd>:unconfined"
name="wg-quick//nft" pid=1402200 comm="apparmor_parser"
Dez 03 12:21:45 abaconcy kernel: audit: type=1400 audit(1764760905.131:103614):
apparmor="STATUS" operation="profile_replace" info="same as current profile,
skipping"
label="lxd-engaging-guinea_</var/snap/lxd/common/lxd>//&:lxd-engaging-guinea_<var-snap-lxd-common-lxd>:unconfined"
name="wg-quick//ip" pid=1402200 comm="apparmor_parser"
Dez 03 12:21:45 abaconcy kernel: audit: type=1400 audit(1764760905.125:103613):
apparmor="STATUS" operation="profile_replace"
label="lxd-engaging-guinea_</var/snap/lxd/common/lxd>//&:lxd-engaging-guinea_<var-snap-lxd-common-lxd>:unconfined"
name="wg-quick" pid=1402200 comm="apparmor_parser"
Dez 03 12:19:50 abaconcy kernel: audit: type=1400 audit(1764760790.662:103575):
apparmor="DENIED" operation="file_mmap" class="file"
namespace="root//lxd-engaging-guinea_<var-snap-lxd-common-lxd>"
profile="wg-quick" name="/usr/bin/bash" pid=1401512 comm="wg-quick"
requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
** Also affects: wireguard (Ubuntu)
Importance: Undecided
Status: New
** Summary changed:
- wg-quick seg-faults when running in LXC -- apparmour
+ wg-quick segfaults when running in LXC -- apparmor
** Changed in: wireguard (Ubuntu)
Status: New => Triaged
https://bugs.launchpad.net/bugs/2133632
Title:
wg-quick segfaults when running in LXC -- apparmor
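
Added example, not part of the original report and not AppArmor or Launchpad tooling: a short Python triage helper that rejoins the mail-wrapped audit records quoted in the comment above and groups the file-access verdicts by profile, operation, path and mask. AppArmor logs `ALLOWED` in complain mode for an access that enforce mode would deny, so a key carrying both verdicts is the same gap seen in both modes. The function names are made up for this example; the sample records are copied from the report with the `namespace=` and `label=` fields left out.

```python
import re
from collections import defaultdict

# Records copied from the report above (namespace=/label= fields left out), still mail-wrapped.
SAMPLE = '''\
Dez 03 12:23:40 abaconcy kernel: audit: type=1400 audit(1764761020.244:103661):
apparmor="DENIED" operation="file_mmap" class="file"
profile="wg-quick" name="/usr/bin/bash" pid=1402704 comm="wg-quick"
requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
Dez 03 12:23:32 abaconcy kernel: audit: type=1400 audit(1764761012.289:103659):
apparmor="STATUS" operation="profile_replace" info="same as current profile,
skipping"
name="wg-quick//sysctl" pid=1402689 comm="apparmor_parser"
Dez 03 12:23:26 abaconcy kernel: audit: type=1400 audit(1764761006.927:103655):
apparmor="ALLOWED" operation="file_mmap" class="file"
profile="wg-quick" name="/usr/bin/bash" pid=1402669 comm="wg-quick"
requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000000
'''

HEADER = re.compile(r'audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def records(text):
    """Rejoin wrapped lines; each audit(ts:serial): header starts a new record."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if HEADER.search(line) or not out:
            out.append([])
        out[-1].append(line)
    return [" ".join(r) for r in out]

def parse(record):
    """Return the key=value fields that follow the audit header ({} if none)."""
    head = HEADER.search(record)
    if not head:
        return {}
    return {m[1]: m[2] if m[2] is not None else m[3]
            for m in FIELD.finditer(record, head.end())}

def verdicts(text):
    """Map (profile, operation, name, denied_mask) to the set of verdicts logged."""
    seen = defaultdict(set)
    for f in map(parse, records(text)):
        if f.get("apparmor") in ("DENIED", "ALLOWED"):
            key = (f.get("profile"), f.get("operation"), f.get("name"), f.get("denied_mask"))
            seen[key].add(f["apparmor"])
    return dict(seen)

if __name__ == "__main__":
    print(verdicts(SAMPLE))
```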