I set the bug to 'new' in the hope that someone may have a look at it again.
** Changed in: lxc (Ubuntu Noble)
       Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/2080358

Title:
  liblxc-common: AppArmor-Profile for /usr/bin/lxc-copy contains rule for lxc-start

Status in lxc package in Ubuntu:
  Fix Released
Status in lxc source package in Noble:
  New
Status in lxc source package in Oracular:
  Fix Released

Bug description:
  Hi,

  liblxc-common 1:5.0.3-2ubuntu7 provides an AppArmor profile for /usr/bin/lxc-copy, but the profile file contains the rule for /usr/bin/lxc-start instead of /usr/bin/lxc-copy. The mistake was introduced in [1]; current Debian versions (1:5.0.2-1 and 1:6.0.1-1) are not affected, but Ubuntu 24.04 (noble) is.

  This wrong profile file prevents running lxc-copy on my company's Ubuntu 24.04 machines.

  Can you please replace the 'lxc-start' by 'lxc-copy' in /etc/apparmor/usr.bin.lxc-copy or update to Debian's 1:6.0.1-1 or above?

  --- SRU Bug Description ---

  [ Impact ]

  * lxc-copy is not usable with unprivileged user namespaces if unconfined profiles are restricted in unprivileged user namespaces. Example error messages:

  $ sysctl kernel.apparmor_restrict_unprivileged_userns
  kernel.apparmor_restrict_unprivileged_userns = 1

  (This is the new default, cp. [2].)
  $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG
  lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not permitted - Failed to drop supplimentary groups
  lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation not permitted - Failed to setresgid(0, 0, 0)
  lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with error 1
  lxc-copy: A: ../src/lxc/lxccontainer.c: do_create_container_dir: 1235 No such file or directory - Failed to chown rootfs "/home/USER/.local/share/lxc/B"
  lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not permitted - Failed to drop supplimentary groups
  lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation not permitted - Failed to setresgid(0, 0, 0)
  lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with error 1
  lxc-copy: A: ../src/lxc/lxccontainer.c: do_lxcapi_clone: 3878 Error chowning /home/USER/.local/share/lxc/B/rootfs to container root
  lxc-copy: A: ../src/lxc/tools/lxc_copy.c: do_clone: 391 Failed to clone

  $ dmesg --follow
  [  527.199317] audit: type=1400 audit(1731322925.737:177): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4108 comm="lxc-copy" requested="userns_create" target="unprivileged_userns"
  [  527.202674] audit: type=1400 audit(1731322925.737:178): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4113 comm="lxc-copy" requested="userns_create" target="unprivileged_userns"

  * The upload fixes a typo in lxc-copy's AppArmor profile. noble's original lxc-copy AA profile actually defines a profile for lxc-start, leaving lxc-copy unconfined. Due to the change described in [2], the handling of unconfined AA profiles in user namespaces prevents the use of `lxc-copy` in noble if the profile does not get fixed.
  [ Test Plan ]

  * With sysctl kernel.apparmor_restrict_unprivileged_unconfined=1 and kernel.apparmor_restrict_unprivileged_userns=1 set, as it is the new Ubuntu default, create an LXC container unprivileged and attempt to copy it:

  $ cat > ~/.config/lxc/default.conf << EOF
  lxc.include = /etc/lxc/default.conf
  lxc.idmap = u 0 100000 65536
  lxc.idmap = g 0 100000 65536
  EOF
  $ lxc-create --name A -t download -- --dist ubuntu --release noble --arch amd64
  $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG

  lxc-copy fails w/o the patch and succeeds when it is applied.

  [ Where problems could occur ]

  * The patch might cause problems on non-default AppArmor configurations, possibly preventing the use of lxc-copy or lxc-start.

  * We tested the patch on roughly two dozen Ubuntu 24.04 developer machines since September and could not see problems caused by the patch.

  --- End of SRU Bug Description ---

  Thanks and kind regards,
  Nicolas

  [1]: https://salsa.debian.org/lxc-team/lxc/-/merge_requests/19/diffs?commit_id=a2ad01ca2081c4dd925037253b01fff0499af17e#d7b13f871dc297c7aa81e98c974db1a24f1b016d_0_21
  [2]: Canonical Ubuntu Blog: Restricted unprivileged user namespaces are coming to Ubuntu 23.10
       https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

  ---

  Description:	Ubuntu 24.04.1 LTS
  Release:	24.04

  liblxc-common:
    Installed: 1:5.0.3-2ubuntu7
    Candidate: 1:5.0.3-2ubuntu7
    Version table:
   *** 1:5.0.3-2ubuntu7 990
          990 http://de.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
          100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: liblxc-common 1:5.0.3-2ubuntu7
  Uname: Linux 6.10.6 x86_64
  ApportVersion: 2.28.1-0ubuntu3.1
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: sway
  Date: Wed Sep 11 12:37:23 2024
  InstallationDate: Installed on 2024-08-26 (16 days ago)
  InstallationMedia: Ubuntu 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240220)
  SourcePackage: lxc
  UpgradeStatus: Upgraded to noble on 2024-09-04 (7 days ago)
  modified.conffile..etc.init.d.apport: [modified]
  mtime.conffile..etc.init.d.apport: 2024-07-22T16:59:07
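The failure mode in this report is a profile file whose header names a different binary than the one the file is meant to confine, so the intended binary never gets a profile attached and stays unconfined (which, with kernel.apparmor_restrict_unprivileged_userns=1, blocks its user-namespace creation). The following shell script is an added example, not code from the bug report or the lxc package: it extracts the attachment path from an AppArmor profile file's header and compares it with the expected binary. The two profile texts embedded below are constructed stand-ins for the broken and fixed lxc-copy profiles, not copies of the packaged files, and the on-disk path /etc/apparmor.d/usr.bin.lxc-copy used in the usage note is an assumption about where the package installs the profile.

```shell
#!/bin/sh
# Added example: verify that an AppArmor profile file attaches to the binary
# it is named for.  Not part of lxc or of the bug report.

# Print the attachment path of the first profile header read from stdin.
# Recognises "profile NAME /path flags=(...) {", "profile /path ... {" and
# "/path ... {"; "#include"/comment lines are skipped.  Prints nothing if the
# first header carries no attachment path.
aa_attach_path() {
    awk '
        /^[[:space:]]*#/ { next }
        /[{][[:space:]]*$/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit }
            exit
        }
    '
}

# Return 0 if the profile text on stdin attaches to $1, 1 otherwise
# (mismatch details go to stderr).
aa_profile_matches() {
    expected="$1"
    got=$(aa_attach_path)
    if [ "$got" = "$expected" ]; then
        return 0
    fi
    printf 'profile attaches to %s, expected %s\n' "${got:-<none>}" "$expected" >&2
    return 1
}

# Check a profile file on disk: check_profile_file FILE EXPECTED_BINARY
check_profile_file() {
    aa_profile_matches "$2" < "$1"
}

# Constructed sample: the file is named for lxc-copy, but the header names
# lxc-start, so lxc-copy itself ends up with no profile (unconfined).
BROKEN_COPY_PROFILE='# constructed sample, not the packaged profile
#include <tunables/global>

profile /usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
'

# Constructed sample of the corrected header.
FIXED_COPY_PROFILE='# constructed sample, not the packaged profile
#include <tunables/global>

profile /usr/bin/lxc-copy flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
'

# Demonstration on the constructed samples.
if printf '%s' "$BROKEN_COPY_PROFILE" | aa_profile_matches /usr/bin/lxc-copy; then
    echo "broken sample: lxc-copy is confined"
else
    echo "broken sample: lxc-copy would run unconfined"
fi
if printf '%s' "$FIXED_COPY_PROFILE" | aa_profile_matches /usr/bin/lxc-copy; then
    echo "fixed sample: lxc-copy is confined"
else
    echo "fixed sample: lxc-copy would run unconfined"
fi
```

On an affected noble machine the same check can be run against the installed file with `check_profile_file /etc/apparmor.d/usr.bin.lxc-copy /usr/bin/lxc-copy` (path assumed). The script only inspects the file text; whether the kernel actually has a profile attached to a running lxc-copy is a separate question, which `aa-status` or the `profile=` field of the audit lines quoted in the report answers.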