We have another problem which disappears when I revert commit
dc757a645cfa82f6ac252365df20a36a9ff82760 ("UBUNTU: SAUCE: apparmor4.0.0
[81/90]: apparmor: convert easy uses of unconfined() to
label_mediates()").

This time it is not connected with unconfined profiles at all; it involves an Ubuntu
Noble host + LXD (any version) + an Ubuntu 12.04 container. That container
fails to get an IPv4 address using the DHCP client, with the following error:

dhclient3 eth0
RTNETLINK answers: Operation not permitted
RTNETLINK answers: Operation not permitted

On the host side we can see the following AppArmor denial:

Sep 05 12:01:09  kernel: audit: type=1400 audit(1725534069.603:228): apparmor="DENIED" operation="capable" class="cap" namespace="root//lxd-c1_<var-lib-lxd>" profile="/sbin/dhclient" pid=28122 comm="ip" capability=12  capname="net_admin"

Precisely the same user space works well with upstream kernels 6.8.12
and 6.11.0-rc7, but fails on Ubuntu Noble's 6.8.12-based kernel.
Reverting dc757a645cfa82f6ac252365df20a36a9ff82760 makes things
work again.

The reproducer is as simple as "lxc launch ubuntu:12.04 myct" and then checking
whether myct gets an IPv4 address (it won't).

External link: https://discourse.ubuntu.com/t/containers-with-ubuntu-12-04-5-lts-are-not-getting-ipv4s-anymore

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2067900

Title:
  apparmor unconfined profile blocks pivot_root

Status in AppArmor:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  The LXD team has got a report
  (https://github.com/canonical/lxd/issues/13389) from one of our users that on
  an Ubuntu Noble host it is not possible to run Docker containers
  inside an LXC container.

  After some investigation, it was discovered that the problem is connected
  with the AppArmor profile /etc/apparmor.d/runc which is shipped by default
  (it comes from
  https://git.launchpad.net/ubuntu/+source/apparmor/commit/profiles/apparmor.d/runc?h=ubuntu/noble-devel&id=997aea8111bfa1e03960ae3a40321da73f0a6d96 )

  This profile is unconfined and should give all permissions to the runc
  daemon, but it does not work.

  Manually adding a "pivot_root," line and executing "systemctl reload
  apparmor.service" makes it work.

  After some further investigation it was found that on the upstream Linux
  kernel the problem is not reproducible.

  Our team was able to find the problematic commit:
  
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=dc757a645cfa82f6ac252365df20a36a9ff82760

  The following (partial) revert helps to solve the issue on the Ubuntu
  kernel:

  diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
  index 74b7293ab971..b12e6bdfefb2 100644
  --- a/security/apparmor/mount.c
  +++ b/security/apparmor/mount.c
  @@ -678,7 +678,7 @@ static struct aa_label *build_pivotroot(const struct cred 
*subj_cred,
          AA_BUG(!new_path);
          AA_BUG(!old_path);
   
  -       if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
  +       if (profile_unconfined(profile) || !RULE_MEDIATES(rules, 
AA_CLASS_MOUNT))
                  return aa_get_newest_label(&profile->label);
   
          error = aa_path_name(old_path, path_flags(profile, old_path),
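Review bot: the patch as pasted will not apply because mail wrapping has split two of its lines, the hunk header's function context ("static struct aa_label *build_pivotroot(const struct cred" / "*subj_cred,") and the added condition ("+       if (profile_unconfined(profile) || !RULE_MEDIATES(rules," / "AA_CLASS_MOUNT))"); attach the diff as a file or send it with git send-email so the "+" line stays on one line. On the change itself, the new "profile_unconfined(profile) ||" short-circuit restores the pre-dc757a6 behaviour for pivot_root only and returns the profile's own label before any path lookup; since the commit being reverted deliberately replaced unconfined() checks with label_mediates(), a real submission should explain in its commit message why RULE_MEDIATES(rules, AA_CLASS_MOUNT) is true for the unconfined runc profile, and whether the other mount hooks converted by the same commit need the same guard, rather than fixing only this caller.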

  System info:

  # uname -a
  Linux ubuntu 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 
00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  # cat /etc/os-release 
  PRETTY_NAME="Ubuntu 24.04 LTS"
  <CUT>

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2067900/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
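Both reports above are diagnosed from the same kind of kernel audit record. The following is an added example (it is not from the bug report, LXD, or the AppArmor project) of a small triage script that parses AppArmor "DENIED" audit lines into their key=value fields and groups them by policy namespace, profile, operation and what was refused, so that a denial logged on the host can be attributed to the container's own policy namespace (here "root//lxd-c1_<var-lib-lxd>") rather than to host policy. The first sample line is the one quoted in the comment above; the remaining sample lines are constructed for the example and are not taken from any real system.

```python
"""Triage AppArmor DENIED audit records by namespace, profile and operation.

Added example, not code from the bug report, LXD or AppArmor. The only
format assumption is the kernel's "key=value" / key="quoted value" layout
of apparmor audit messages; field names used here (apparmor, operation,
class, namespace, profile, pid, comm, capname, name) are the ones that
appear in the denial quoted in the report.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# key="quoted value" or key=bareword; values may contain spaces only when quoted
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class Denial:
    operation: str
    profile: str
    namespace: str        # "" when the profile lives in the root namespace
    cls: str              # class= field, e.g. "cap" or "mount"
    capname: str          # only meaningful for class="cap"
    comm: str
    pid: int
    fields: dict = field(default_factory=dict)   # every parsed key/value


def parse_audit_line(line: str):
    """Return a Denial for an apparmor="DENIED" record, else None."""
    if "apparmor=" not in line:
        return None
    kv = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
          for m in _KV_RE.finditer(line)}
    if kv.get("apparmor") != "DENIED":
        return None
    return Denial(
        operation=kv.get("operation", ""),
        profile=kv.get("profile", ""),
        namespace=kv.get("namespace", ""),
        cls=kv.get("class", ""),
        capname=kv.get("capname", ""),
        comm=kv.get("comm", ""),
        pid=int(kv.get("pid", "0")),
        fields=kv,
    )


def in_child_namespace(d: Denial) -> bool:
    """True when the profile was loaded in a child policy namespace
    (such as the one LXD creates per container), not the host root namespace."""
    return "//" in d.namespace


def denial_key(d: Denial):
    """Group key: where the policy lives, which profile, and what was refused."""
    detail = d.capname if d.cls == "cap" else d.fields.get("name", "")
    return (d.namespace or "root", d.profile, d.operation, detail)


def summarize(lines):
    """Count DENIED records per (namespace, profile, operation, detail)."""
    counts = Counter()
    for line in lines:
        d = parse_audit_line(line)
        if d is not None:
            counts[denial_key(d)] += 1
    return counts


# Sample input. SAMPLE_LINES[0] is the denial quoted in the bug comment;
# the others are constructed for this example (plausible shape, fake values).
SAMPLE_LINES = [
    'Sep 05 12:01:09  kernel: audit: type=1400 audit(1725534069.603:228): '
    'apparmor="DENIED" operation="capable" class="cap" '
    'namespace="root//lxd-c1_<var-lib-lxd>" profile="/sbin/dhclient" pid=28122 '
    'comm="ip" capability=12  capname="net_admin"',
    # constructed: a pivot_root denial from a profile in the host root namespace
    'kernel: audit: type=1400 audit(1715000000.000:42): apparmor="DENIED" '
    'operation="pivot_root" class="mount" profile="runc" '
    'name="/var/lib/docker/overlay2/abc/merged/" pid=4242 comm="runc:[2:INIT]"',
    # constructed: a profile load, not a denial, must be ignored
    'kernel: audit: type=1400 audit(1715000001.000:43): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="runc" pid=1 '
    'comm="apparmor_parser"',
    # constructed: second dhclient denial (the report shows two RTNETLINK errors)
    'kernel: audit: type=1400 audit(1725534069.610:229): apparmor="DENIED" '
    'operation="capable" class="cap" namespace="root//lxd-c1_<var-lib-lxd>" '
    'profile="/sbin/dhclient" pid=28123 comm="ip" capability=12 capname="net_admin"',
]


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        ns, prof, op, detail = key
        where = "container ns" if "//" in ns else "host ns"
        print(f"{n:3d}  {where:12s} {ns:32s} {prof:16s} {op:12s} {detail}")
```

Run it against "journalctl -k" or "dmesg" output on the host: a non-empty namespace such as "root//lxd-c1_<var-lib-lxd>" means the denying profile is one loaded in that container's policy namespace, which is the first thing to establish before editing any host profile.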
