** Description changed:

  Hi,
  
- liblxc-common 1:5.0.3-2ubuntu7 provides an AppArmor-Profile for 
/usr/bin/lxc-copy, but the profile file
- contains the rule for /usr/bin/lxc-start instead of /usr/bin/lxc-copy.  The 
mistake was introduced in [1], current Debian versions (1:5.0.2-1 and 
1:6.0.1-1) are not affected, but Ubuntu 24.04 (noble) is.  This 
+ liblxc-common 1:5.0.3-2ubuntu7 provides an AppArmor-Profile for 
/usr/bin/lxc-copy, but the profile file contains the rule for 
/usr/bin/lxc-start instead of /usr/bin/lxc-copy.  The mistake was introduced in 
[1], current Debian versions (1:5.0.2-1 and 1:6.0.1-1) are not affected, but 
Ubuntu 24.04 (noble) is.  This
  wrong profile file prevents running lxc-copy on my companies Ubuntu 24.04 
machines.
  
  Can you please replace the 'lxc-start' by 'lxc-copy' in
  /etc/apparmor/usr.bin.lxc-copy or update to Debian's 1:6.0.1-1 or above?
  
+ --- SRU Bug Description ---
+ 
+ [ Impact ]
+ 
+  * lxc-copy is not usable with unprivileged user-namespaces, if unconfined 
+    profiles are restricted in unprivileged user namespaces, example error 
+    messages:
+ 
+     $ sysctl kernel.apparmor_restrict_unprivileged_userns
+     kernel.apparmor_restrict_unprivileged_userns = 1
+ 
+     (This is the new default, cp. [2].)
+ 
+     $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG
+      lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not 
+ permitted - Failed to drop supplimentary groups
+     lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation 
not permitted - Failed to setresgid(0, 0, 0)
+     lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with 
error 1
+     lxc-copy: A: ../src/lxc/lxccontainer.c: do_create_container_dir: 1235 No 
such file or directory - Failed to chown rootfs "/home/USER/.local/share/lxc/B"
+     lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not 
permitted - Failed to drop supplimentary groups
+     lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation 
not permitted - Failed to setresgid(0, 0, 0)
+     lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with 
error 1
+     lxc-copy: A: ../src/lxc/lxccontainer.c: do_lxcapi_clone: 3878 Error 
chowning /home/USER/.local/share/lxc/B/rootfs to container root
+     lxc-copy: A: ../src/lxc/tools/lxc_copy.c: do_clone: 391 Failed to clone
+ 
+     $ dmesg --follow
+     [  527.199317] audit: type=1400 audit(1731322925.737:177): 
apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns 
create - transitioning profile" profile="unconfined" pid=4108 comm="lxc-copy" 
requested="userns_create" target="unprivileged_userns"
+     [  527.202674] audit: type=1400 audit(1731322925.737:178): 
apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns 
create - transitioning profile" profile="unconfined" pid=4113 comm="lxc-copy" 
requested="userns_create" target="unprivileged_userns"
+ 
+  * The upload fixes a typo in lxc-copy's AppArmor profile.  noble's original
+    lxc-copy AA profile actually defines a profile for lxc-start, leaving the
+    lxc-copy to be unconfined.  Due to the change described in [2], the 
handling
+    unconfined AA profiles in user-namespaces prevents the use of `lxc-copy` in
+    noble, if the profile does not get fixed.
+ 
+ 
+ [ Test Plan ]
+ 
+  * With sysctl kernel.apparmor_restrict_unprivileged_unconfied=1 and 
+    kernel.apparmor_restrict_unprivileged_userns=1 set, as it is the new Ubuntu
+    default, create an LXC container unprivileged and attempt to copy it:
+ 
+    $ cat > ~/.config/lxc/default.conf << EOF
+    lxc.include = /etc/lxc/default.conf
+    lxc.idmap = u 0 100000 65536
+    lxc.idmap = g 0 100000 65536
+    EOF
+    $ lxc-create --name A -t download -- --dist ubuntu --release noble --arch 
amd64
+    $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG
+ 
+    lxc-copy fails w/o the patch and succeeds when it is applied.
+ 
+ 
+ [ Where problems could occur ]
+ 
+  * The patch might cause problems on non-default AppArmor configuration, 
+    possibly preventing the use of lxc-copy or lxc-start.
+ 
+  * We tested the patch on roughly two dozen Ubuntu24.04 developer machines 
since 
+    September and could not see problems caused by the patch.
+ 
+ --- End of SRU Bug Description ---
+ 
+ 
  Thanks and kind regards,
  Nicolas
-  
  
  [1]: https://salsa.debian.org/lxc-
  
team/lxc/-/merge_requests/19/diffs?commit_id=a2ad01ca2081c4dd925037253b01fff0499af17e#d7b13f871dc297c7aa81e98c974db1a24f1b016d_0_21
  
+ [2]: Canonical Ubuntu Blog: Restricted unprivileged user namespaces are 
coming to Ubuntu 23.10
+      
https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
  
  ---
  Description:  Ubuntu 24.04.1 LTS
  Release:      24.04
  liblxc-common:
-   Installed: 1:5.0.3-2ubuntu7
-   Candidate: 1:5.0.3-2ubuntu7
-   Version table:
-  *** 1:5.0.3-2ubuntu7 990
-         990 http://de.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
-         100 /var/lib/dpkg/status
+   Installed: 1:5.0.3-2ubuntu7
+   Candidate: 1:5.0.3-2ubuntu7
+   Version table:
+  *** 1:5.0.3-2ubuntu7 990
+         990 http://de.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
+         100 /var/lib/dpkg/status
  
  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: liblxc-common 1:5.0.3-2ubuntu7
  Uname: Linux 6.10.6 x86_64
  ApportVersion: 2.28.1-0ubuntu3.1
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: sway
  Date: Wed Sep 11 12:37:23 2024
  InstallationDate: Installed on 2024-08-26 (16 days ago)
  InstallationMedia: Ubuntu 22.04.4 LTS "Jammy Jellyfish" - Release amd64 
(20240220)
  SourcePackage: lxc
  UpgradeStatus: Upgraded to noble on 2024-09-04 (7 days ago)
  modified.conffile..etc.init.d.apport: [modified]
  mtime.conffile..etc.init.d.apport: 2024-07-22T16:59:07
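Review bot: the Test Plan's first sysctl name is misspelled: kernel.apparmor_restrict_unprivileged_unconfied should read kernel.apparmor_restrict_unprivileged_unconfined, otherwise sysctl reports an unknown key and a verifier following the plan literally never sets that precondition. Two smaller points in the same section: "cat > ~/.config/lxc/default.conf" fails on a fresh account where ~/.config/lxc does not exist yet (a "mkdir -p ~/.config/lxc" before it would help), and the plan only distinguishes a failing from a succeeding lxc-copy; a positive confirmation that the corrected profile is actually applied, e.g. that aa-status lists a loaded profile named lxc-copy or that dmesg no longer logs the userns_create transition with profile="unconfined" comm="lxc-copy", would make the verification stronger.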

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/2080358

Title:
  liblxc-common: AppArmor-Profile for /usr/bin/lxc-copy contains rule
  for lxc-start

Status in lxc package in Ubuntu:
  Fix Released
Status in lxc source package in Noble:
  Incomplete
Status in lxc source package in Oracular:
  Fix Released

Bug description:
  Hi,

  liblxc-common 1:5.0.3-2ubuntu7 provides an AppArmor-Profile for 
/usr/bin/lxc-copy, but the profile file contains the rule for 
/usr/bin/lxc-start instead of /usr/bin/lxc-copy.  The mistake was introduced in 
[1], current Debian versions (1:5.0.2-1 and 1:6.0.1-1) are not affected, but 
Ubuntu 24.04 (noble) is.  This
  wrong profile file prevents running lxc-copy on my company's Ubuntu 24.04 machines.

  Can you please replace the 'lxc-start' by 'lxc-copy' in
  /etc/apparmor/usr.bin.lxc-copy or update to Debian's 1:6.0.1-1 or
  above?

  --- SRU Bug Description ---

  [ Impact ]

   * lxc-copy is not usable with unprivileged user-namespaces, if unconfined 
     profiles are restricted in unprivileged user namespaces, example error 
     messages:

      $ sysctl kernel.apparmor_restrict_unprivileged_userns
      kernel.apparmor_restrict_unprivileged_userns = 1

      (This is the new default, cf. [2].)

      $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG
      lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not permitted - Failed to drop supplimentary groups
      lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation not permitted - Failed to setresgid(0, 0, 0)
      lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with error 1
      lxc-copy: A: ../src/lxc/lxccontainer.c: do_create_container_dir: 1235 No such file or directory - Failed to chown rootfs "/home/USER/.local/share/lxc/B"
      lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not permitted - Failed to drop supplimentary groups
      lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation not permitted - Failed to setresgid(0, 0, 0)
      lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with error 1
      lxc-copy: A: ../src/lxc/lxccontainer.c: do_lxcapi_clone: 3878 Error chowning /home/USER/.local/share/lxc/B/rootfs to container root
      lxc-copy: A: ../src/lxc/tools/lxc_copy.c: do_clone: 391 Failed to clone

      $ dmesg --follow
      [  527.199317] audit: type=1400 audit(1731322925.737:177): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4108 comm="lxc-copy" requested="userns_create" target="unprivileged_userns"
      [  527.202674] audit: type=1400 audit(1731322925.737:178): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4113 comm="lxc-copy" requested="userns_create" target="unprivileged_userns"

   * The upload fixes a typo in lxc-copy's AppArmor profile.  noble's original
     lxc-copy AA profile actually defines a profile for lxc-start, leaving
     lxc-copy unconfined.  Due to the change described in [2], the handling of
     unconfined AA profiles in user-namespaces prevents the use of `lxc-copy` in
     noble, if the profile does not get fixed.

  
  [ Test Plan ]

   * With sysctl kernel.apparmor_restrict_unprivileged_unconfined=1 and 
     kernel.apparmor_restrict_unprivileged_userns=1 set, as it is the new Ubuntu
     default, create an LXC container unprivileged and attempt to copy it:

     $ cat > ~/.config/lxc/default.conf << EOF
     lxc.include = /etc/lxc/default.conf
     lxc.idmap = u 0 100000 65536
     lxc.idmap = g 0 100000 65536
     EOF
     $ lxc-create --name A -t download -- --dist ubuntu --release noble --arch amd64
     $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG

     lxc-copy fails w/o the patch and succeeds when it is applied.

  
  [ Where problems could occur ]

   * The patch might cause problems on non-default AppArmor configuration, 
     possibly preventing the use of lxc-copy or lxc-start.

   * We tested the patch on roughly two dozen Ubuntu 24.04 developer machines
     since September and could not see problems caused by the patch.

  --- End of SRU Bug Description ---

  
  Thanks and kind regards,
  Nicolas

  [1]: https://salsa.debian.org/lxc-team/lxc/-/merge_requests/19/diffs?commit_id=a2ad01ca2081c4dd925037253b01fff0499af17e#d7b13f871dc297c7aa81e98c974db1a24f1b016d_0_21

  [2]: Canonical Ubuntu Blog: Restricted unprivileged user namespaces are coming to Ubuntu 23.10
       https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

  ---
  Description:  Ubuntu 24.04.1 LTS
  Release:      24.04
  liblxc-common:
    Installed: 1:5.0.3-2ubuntu7
    Candidate: 1:5.0.3-2ubuntu7
    Version table:
   *** 1:5.0.3-2ubuntu7 990
          990 http://de.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
          100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: liblxc-common 1:5.0.3-2ubuntu7
  Uname: Linux 6.10.6 x86_64
  ApportVersion: 2.28.1-0ubuntu3.1
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: sway
  Date: Wed Sep 11 12:37:23 2024
  InstallationDate: Installed on 2024-08-26 (16 days ago)
  InstallationMedia: Ubuntu 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240220)
  SourcePackage: lxc
  UpgradeStatus: Upgraded to noble on 2024-09-04 (7 days ago)
  modified.conffile..etc.init.d.apport: [modified]
  mtime.conffile..etc.init.d.apport: 2024-07-22T16:59:07

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2080358/+subscriptions
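The defect reported above is an AppArmor profile file whose filename names one executable while its header attaches the profile to another. apparmor_parser accepts such a file without complaint, so the binary the filename names simply runs unconfined; with kernel.apparmor_restrict_unprivileged_userns=1 an unconfined process that creates a user namespace is transitioned to the unprivileged_userns profile, which is the transition the audit lines in the report show and the reason the subsequent setresgid() fails. The POSIX shell script below is an added example and is not part of the bug report or of the lxc package: it derives the executable a profile file is meant for from the Debian/Ubuntu filename convention (usr.bin.NAME for /usr/bin/NAME, usr.sbin.NAME for /usr/sbin/NAME) and compares that with the attachment path in the profile header. The function names, the two header forms it recognises and the sample profile contents in demo are my own assumptions and constructions, not copied from the package.

```shell
#!/bin/sh
# Added example (not from the bug report or the lxc package): flag an
# AppArmor profile file whose header attaches to a different executable
# than its filename implies. Such a file loads cleanly, so the binary the
# filename names is left unconfined.
#
# Assumptions (mine, not the package's): Debian/Ubuntu naming, i.e.
# usr.bin.NAME is the profile for /usr/bin/NAME and usr.sbin.NAME for
# /usr/sbin/NAME, and a header in one of these two forms:
#   profile NAME /path/to/exe flags=(...) {
#   /path/to/exe flags=(...) {

# expected_path FILE: the executable the filename says the profile is for.
expected_path() {
    basename "$1" | sed -e 's|^usr\.bin\.|/usr/bin/|' -e 's|^usr\.sbin\.|/usr/sbin/|'
}

# attachment_path FILE: the executable the first profile header attaches to;
# prints nothing if the header carries no attachment path (e.g. "profile x {").
attachment_path() {
    sed -e 's/#.*//' "$1" | awk '
        /^[ \t]*profile[ \t]/ {
            if ($3 ~ /^\//) print $3
            exit
        }
        /^[ \t]*\/[^ \t]+[ \t].*[{]/ { print $1; exit }
    '
}

# check_profile FILE: 0 if the header attaches to the executable the filename
# implies, 1 otherwise (with a one-line report either way).
check_profile() {
    cp_want=$(expected_path "$1")
    cp_have=$(attachment_path "$1")
    if [ -n "$cp_have" ] && [ "$cp_have" = "$cp_want" ]; then
        echo "OK   $1: attaches to $cp_have"
        return 0
    fi
    echo "BAD  $1: filename implies $cp_want, header attaches to ${cp_have:-nothing}"
    return 1
}

# demo: run check_profile over two constructed files that mirror the noble
# defect and its fix. Returns 0 when the broken file is flagged and the
# corrected one passes.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/broken" "$d/fixed"
    # Constructed stand-in for the shipped file: named for lxc-copy, but the
    # header is the lxc-start one.
    cat > "$d/broken/usr.bin.lxc-copy" <<'EOF'
# Last Modified: (constructed sample)
#include <tunables/global>

profile lxc-start /usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
EOF
    # Constructed stand-in for the corrected file.
    cat > "$d/fixed/usr.bin.lxc-copy" <<'EOF'
#include <tunables/global>

profile lxc-copy /usr/bin/lxc-copy flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
EOF
    rc=0
    check_profile "$d/broken/usr.bin.lxc-copy" && rc=1   # must be flagged as BAD
    check_profile "$d/fixed/usr.bin.lxc-copy"  || rc=1   # must pass as OK
    rm -rf "$d"
    return $rc
}

demo
```

To check the installed file, source the script and run check_profile /etc/apparmor.d/usr.bin.lxc-copy. After correcting the header, reload it with sudo apparmor_parser -r /etc/apparmor.d/usr.bin.lxc-copy and confirm with sudo aa-status that a profile named lxc-copy is now loaded; the confinement of a running process can be read from /proc/PID/attr/current.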


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
