I tried a more targeted workaround, with
aa-complain /etc/apparmor.d/usr.bin.crun
or alternatively (without apparmor-utils, which isn't on the default
cloud image):
sed -i '/flags=/ s/unconfined/complain/' /etc/apparmor.d/usr.bin.crun
but for some reason that breaks podman entirely:
# podman run -it --rm docker.io/busybox
Failed to re-execute libcrun via memory file descriptor
ERRO[0000] Removing container 7c3c938f8e356a9834de6a114ad8b8353ffac7508c8aac131d588e1358ba2f30 from runtime after creation failed
Error: OCI runtime error: crun: Failed to re-execute libcrun via memory file descriptor
I just noticed that neither podman nor crun ship their own AppArmor profiles;
/etc/apparmor.d/usr.bin.crun is shipped by apparmor. So I am adding a package
task, but leaving libpod as "affected", so that it is easier to find.
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2040483
Title:
AppArmor denies crun sending signals to containers (stop, kill)
Status in apparmor package in Ubuntu:
New
Status in libpod package in Ubuntu:
Confirmed
Status in apparmor source package in Mantic:
New
Status in libpod source package in Mantic:
New
Status in apparmor source package in Noble:
New
Status in libpod source package in Noble:
Confirmed
Bug description:
Mantic's system podman containers are completely broken due to bug
2040082. However, after fixing that (rebuilding with the patch, or a
*shht don't try this at home* hack [1]), the AppArmor policy still
causes bugs:
podman run -it --rm docker.io/busybox
Then
podman stop -l
fails with
2023-10-25T11:06:33.873998Z: send signal to pidfd: Permission denied
and journal shows
audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
This leaves the container in a broken state:
# podman ps -a
CONTAINER ID  IMAGE                             COMMAND  CREATED         STATUS                      PORTS  NAMES
61749260f9c4  docker.io/library/busybox:latest  sh       40 seconds ago  Exited (-1) 29 seconds ago         confident_bouman
# podman rm --all
2023-10-25T11:07:21.428701Z: send signal to pidfd: Permission denied
Error: cleaning up container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae: removing container 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae from runtime: `/usr/bin/crun delete --force 61749260f9c4c96a51dc27fdd9cb8a86d80e4f2aa14eb7ed5b271791ff8008ae` failed: exit status 1
audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
[1] sed -i 's/~alpha2/0000000/' /usr/sbin/apparmor_parser
Ubuntu 23.10
ii  apparmor                         4.0.0~alpha2-0ubuntu5  amd64  user-space parser utility for AppArmor
ii  golang-github-containers-common  0.50.1+ds1-4           all    Common files for github.com/containers repositories
ii  podman                           4.3.1+ds1-8            amd64  engine to run OCI-based containers in Pods
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2040483/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
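The two audit records quoted in the bug report carry everything needed to see which profile is blocking what: the denial is logged against the container's profile (containers-default-0.50.1), on the receive side, for signals term and kill, with /usr/bin/crun as the peer. The script below is an added example, not code from the bug report, podman or apparmor: it parses journal lines of that shape, keeps only signal-class denials, and groups them into the AppArmor signal rule that would permit them (the `signal (ACCESS) set=(...) peer=...,` syntax is the one documented in apparmor.d(5)). The sample journal text is constructed from the report's own two lines plus one unrelated line.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the two AppArmor denials quoted in the bug report,
# with one unrelated journal line in between so the parser has something to skip.
SAMPLE_JOURNAL = """\
audit: type=1400 audit(1698231993.870:92): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4713 comm="3" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
kernel: eth0: link becomes ready
audit: type=1400 audit(1698232041.422:93): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.50.1" pid=4839 comm="3" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
"""

# AppArmor audit records are key=value pairs; values are either "quoted" or bare tokens.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of an AppArmor audit record, or None when the
    line is not one (it has no apparmor="..." field)."""
    if 'apparmor="' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def signal_denials(text: str) -> List[Dict[str, str]]:
    """Keep only DENIED records of class "signal", in journal order."""
    out = []
    for line in text.splitlines():
        rec = parse_apparmor_line(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("class") == "signal":
            out.append(rec)
    return out


def suggest_rules(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group denials by (profile, denied access, peer) and build, per profile,
    the signal rule that would permit exactly the observed signals.
    The rule goes into the profile named in the record, i.e. the one that
    logged the denial, not the peer's profile."""
    grouped: Dict[Tuple[str, str, str], Set[str]] = {}
    for rec in records:
        key = (rec["profile"], rec["denied_mask"], rec["peer"])
        grouped.setdefault(key, set()).add(rec["signal"])
    rules: Dict[str, List[str]] = {}
    for (profile, access, peer), sigs in sorted(grouped.items()):
        rules.setdefault(profile, []).append(
            f"signal ({access}) set=({', '.join(sorted(sigs))}) peer={peer},"
        )
    return rules


if __name__ == "__main__":
    for profile, rule_list in suggest_rules(signal_denials(SAMPLE_JOURNAL)).items():
        print(f"profile {profile} would need:")
        for rule in rule_list:
            print("    " + rule)
```

Run against the sample, the output names containers-default-0.50.1 as the profile needing `signal (receive) set=(kill, term) peer=/usr/bin/crun,`. That is consistent with the workaround attempts in the comment above: switching /etc/apparmor.d/usr.bin.crun to complain mode changes crun's own confinement, while the records show the receive-side denial being enforced by the container profile.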