I tried a more targeted workaround, with

  aa-complain /etc/apparmor.d/usr.bin.crun

or alternatively (without apparmor-utils, which isn't on the default cloud image):

  sed -i '/flags=/ s/unconfined/complain/' /etc/apparmor.d/usr.bin.crun

but for some reason that breaks podman entirely:

  # podman run -it --rm docker.io/busybox
  Failed to re-execute libcrun via memory file descriptor
  ERRO[0000] Removing container 7c3c938f8e356a9834de6a114ad8b8353ffac7508c8aac131d588e1358ba2f30 from runtime after creation failed
  Error: OCI runtime error: crun: Failed to re-execute libcrun via memory file descriptor

I just noticed that neither podman nor crun ship their own AppArmor profiles; /etc/apparmor.d/usr.bin.crun is shipped by apparmor. So adding a package task, but leaving libpod as "affected", so that it is easier to find.

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2040483

Title:
  AppArmor denies crun sending signals to containers (stop, kill)

Status in apparmor package in Ubuntu:
  New
Status in libpod package in Ubuntu:
  Confirmed
Status in apparmor source package in Mantic:
  New
Status in libpod source package in Mantic:
  New
Status in apparmor source package in Noble:
  New
Status in libpod source package in Noble:
  Confirmed

Bug description:
  Mantic's system podman containers are completely broken due to bug 2040082.
  However, after fixing that (rebuilding with the patch, or a *shht don't try this at home* hack [1]), the AppArmor policy still causes bugs:

    podman run -it --rm docker.io/busybox

  Then

    podman stop -l

  fails with

    2023-10-25T11:06:33.873998Z: send signal to pidfd: Permission denied

  and journal shows

    audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"

  This leaves the container in a broken state:

    # podman ps -a
    CONTAINER ID  IMAGE                             COMMAND  CREATED         STATUS                      PORTS  NAMES
    61749260f9c4  docker.io/library/busybox:latest  sh       40 seconds ago  Exited (-1) 29 seconds ago         confident_bouman

    # podman rm --all
    2023-10-25T11:07:21.428701Z: send signal to pidfd: Permission denied
    Error: cleaning up container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae: removing container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae from runtime: `/usr/bin/crun delete --force 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae` failed: exit status 1

    audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"

  [1] sed -i 's/~alpha2/0000000/' /usr/sbin/apparmor_parser

  Ubuntu 23.10
  ii  apparmor                         4.0.0~alpha2-0ubuntu5  amd64  user-space parser utility for AppArmor
  ii  golang-github-containers-common  0.50.1+ds1-4           all    Common files for github.com/containers repositories
  ii  podman                           4.3.1+ds1-8            amd64  engine to run OCI-based containers in Pods
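Both audit records in the bug description name the container profile (containers-default-0.50.1) as the denied side, with denied_mask="receive" and peer="/usr/bin/crun". AppArmor checks the receiving profile as well as the sender, so the permission that is missing is a signal receive rule in the container profile; changing the mode of usr.bin.crun does not touch that check. As an added example, not part of the bug report, of the Ubuntu packages, or of the fix that was eventually shipped, the Python below turns such journal records into the apparmor.d(5) signal rule they imply. The sample input is constructed from the two records quoted above plus one unrelated STATUS record; the function and variable names are this example's own. The output is a candidate rule to review (for instance whether peer should be widened to other runtime paths), not a drop-in policy change.

```python
"""Derive AppArmor signal rules from DENIED audit records (added example)."""
import re
from collections import defaultdict

# Constructed sample input: the two DENIED records quoted in the bug report
# and one unrelated profile_load STATUS record, in journal format.
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1698231990.000:91): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="/usr/bin/crun" '
    'pid=4700 comm="apparmor_parser"',
    'audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" '
    'operation="signal" class="signal" profile="containers-default-0.50.1" '
    'pid=4713 comm="3" requested_mask="receive" denied_mask="receive" '
    'signal=term peer="/usr/bin/crun"',
    'audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" '
    'operation="signal" class="signal" profile="containers-default-0.50.1" '
    'pid=4839 comm="3" requested_mask="receive" denied_mask="receive" '
    'signal=kill peer="/usr/bin/crun"',
]

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the fields of one DENIED signal record as a dict, or None.

    Records that are not AppArmor denials of class "signal" (STATUS events,
    file or capability denials) are skipped so they never produce a rule.
    """
    fields = {m.group(1): m.group(2).strip('"') for m in KV_RE.finditer(line)}
    if fields.get('apparmor') != 'DENIED' or fields.get('class') != 'signal':
        return None
    required = ('profile', 'denied_mask', 'signal', 'peer')
    if any(k not in fields for k in required):
        return None
    return fields


def signal_rules(lines):
    """Group denials by (profile, direction, peer) and emit one rule each.

    The rule is attached to the profile named in the record, because that is
    the side AppArmor refused: a denied_mask of "receive" logged against the
    container profile means the container profile lacks the receive rule,
    regardless of how the sender (/usr/bin/crun here) is confined.
    Returns {profile_name: [rule, ...]} with signals sorted for stable output.
    """
    groups = defaultdict(set)
    for line in lines:
        f = parse_audit_line(line)
        if f is None:
            continue
        groups[(f['profile'], f['denied_mask'], f['peer'])].add(f['signal'])

    rules = {}
    for (profile, direction, peer), sigs in sorted(groups.items()):
        # apparmor.d(5) syntax: signal (access) set=(sig ...) peer=label,
        rule = f"signal ({direction}) set=({' '.join(sorted(sigs))}) peer={peer},"
        rules.setdefault(profile, []).append(rule)
    return rules


if __name__ == '__main__':
    # Usage: feed `journalctl -k` output (or the sample) and review the rules.
    for profile, profile_rules in signal_rules(SAMPLE_AUDIT_LINES).items():
        print(f'# rules implied for profile "{profile}":')
        for rule in profile_rules:
            print('  ' + rule)
```

On the sample the script reports one rule for containers-default-0.50.1, allowing receipt of term and kill from /usr/bin/crun. Because the script keys on the exact peer label from the log, it will not cover a runtime invoked from another path; widen peer deliberately after checking which runtimes the host actually uses.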