** Patch added: "v3: Update after SRU 1:5.0.3-2ubuntu7.1" https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2080358/+attachment/5853357/+files/v3-0001-apparmor-Provide-valid-AppArmor-profile-for-lxc-c.patch
** Summary changed: - liblxc-common: AppArmor-Profile for /usr/bin/lxc-copy contains rule for lxc-start + [SRU] liblxc-common: AppArmor-Profile for /usr/bin/lxc-copy contains rule for lxc-start ** Description changed: Hi, - liblxc-common 1:5.0.3-2ubuntu7 provides an AppArmor-Profile for /usr/bin/lxc-copy, but the profile file contains the rule for /usr/bin/lxc-start instead of /usr/bin/lxc-copy. The mistake was introduced in [1], current Debian versions (1:5.0.2-1 and 1:6.0.1-1) are not affected, but Ubuntu 24.04 (noble) is. This - wrong profile file prevents running lxc-copy on my companies Ubuntu 24.04 machines. + liblxc-common 1:5.0.3-2ubuntu7 provides an AppArmor-Profile for + /usr/bin/lxc-copy, but the profile file contains the rule for /usr/bin/lxc-start + instead of /usr/bin/lxc-copy. The mistake was introduced in [1] (a typo during + cherry-picking an upstream commit). Current Debian versions (1:5.0.2-1+deb12u3 + and 1:6.0.3-1) are not affected, but Ubuntu 24.04 (noble) is. The mistaken + AppArmor profile file prevents running lxc-copy on Ubuntu 24.04 machines. Can you please replace the 'lxc-start' by 'lxc-copy' in - /etc/apparmor/usr.bin.lxc-copy or update to Debian's 1:6.0.1-1 or above? + /etc/apparmor/usr.bin.lxc-copy (see patch below) or update to Debian's 1:6.0.1-1 + or above? --- SRU Bug Description --- [ Impact ] - * lxc-copy is not usable with unprivileged user-namespaces, if unconfined - profiles are restricted in unprivileged user namespaces, example error - messages: + * lxc-copy is not usable with unprivileged user-namespaces, if unconfined + profiles are restricted in unprivileged user namespaces, example error + messages: - $ sysctl kernel.apparmor_restrict_unprivileged_userns - kernel.apparmor_restrict_unprivileged_userns = 1 + $ sysctl kernel.apparmor_restrict_unprivileged_userns + kernel.apparmor_restrict_unprivileged_userns = 1 - (This is the new default, cp. [2].) + (This is the new default, cp. [2].) 
- $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG - lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not + $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG + lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not permitted - Failed to drop supplimentary groups - lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation not permitted - Failed to setresgid(0, 0, 0) - lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with error 1 - lxc-copy: A: ../src/lxc/lxccontainer.c: do_create_container_dir: 1235 No such file or directory - Failed to chown rootfs "/home/USER/.local/share/lxc/B" - lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not permitted - Failed to drop supplimentary groups - lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation not permitted - Failed to setresgid(0, 0, 0) - lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with error 1 - lxc-copy: A: ../src/lxc/lxccontainer.c: do_lxcapi_clone: 3878 Error chowning /home/USER/.local/share/lxc/B/rootfs to container root - lxc-copy: A: ../src/lxc/tools/lxc_copy.c: do_clone: 391 Failed to clone + lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation not permitted - Failed to setresgid(0, 0, 0) + lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with error 1 + lxc-copy: A: ../src/lxc/lxccontainer.c: do_create_container_dir: 1235 No such file or directory - Failed to chown rootfs "/home/USER/.local/share/lxc/B" + lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not permitted - Failed to drop supplimentary groups + lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation not permitted - Failed to setresgid(0, 0, 0) + lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with error 1 + lxc-copy: A: ../src/lxc/lxccontainer.c: do_lxcapi_clone: 3878 Error chowning /home/USER/.local/share/lxc/B/rootfs 
to container root + lxc-copy: A: ../src/lxc/tools/lxc_copy.c: do_clone: 391 Failed to clone - $ dmesg --follow - [ 527.199317] audit: type=1400 audit(1731322925.737:177): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4108 comm="lxc-copy" requested="userns_create" target="unprivileged_userns" - [ 527.202674] audit: type=1400 audit(1731322925.737:178): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4113 comm="lxc-copy" requested="userns_create" target="unprivileged_userns" + $ dmesg --follow + [ 527.199317] audit: type=1400 audit(1731322925.737:177): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4108 comm="lxc-copy" requested="userns_create" target="unprivileged_userns" + [ 527.202674] audit: type=1400 audit(1731322925.737:178): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4113 comm="lxc-copy" requested="userns_create" target="unprivileged_userns" - * The upload fixes a typo in lxc-copy's AppArmor profile. noble's original - lxc-copy AA profile actually defines a profile for lxc-start, leaving the - lxc-copy to be unconfined. Due to the change described in [2], the handling - unconfined AA profiles in user-namespaces prevents the use of `lxc-copy` in - noble, if the profile does not get fixed. - + * The upload fixes a typo in lxc-copy's AppArmor profile. noble's original + lxc-copy AA profile actually defines a profile for lxc-start, leaving the + lxc-copy to be unconfined. Due to the change described in [2], the handling + unconfined AA profiles in user-namespaces prevents the use of `lxc-copy` in + noble, if the profile does not get fixed. + Cp. the original upstream commit d51ea224e89f937131342ea71b8010c1c810dcd3 for + reference. 
[ Test Plan ] - * With sysctl kernel.apparmor_restrict_unprivileged_unconfied=1 and - kernel.apparmor_restrict_unprivileged_userns=1 set, as it is the new Ubuntu - default, create an LXC container unprivileged and attempt to copy it: + * With sysctl kernel.apparmor_restrict_unprivileged_unconfied=1 and + kernel.apparmor_restrict_unprivileged_userns=1 set, as it is the new Ubuntu + default, create an LXC container unprivileged and attempt to copy it: - $ cat > ~/.config/lxc/default.conf << EOF - lxc.include = /etc/lxc/default.conf - lxc.idmap = u 0 100000 65536 - lxc.idmap = g 0 100000 65536 - EOF - $ lxc-create --name A -t download -- --dist ubuntu --release noble --arch amd64 - $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG + $ cat > ~/.config/lxc/default.conf << EOF + lxc.include = /etc/lxc/default.conf + lxc.idmap = u 0 100000 65536 + lxc.idmap = g 0 100000 65536 + EOF + $ lxc-create --name A -t download -- --dist ubuntu --release noble --arch amd64 + $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG - lxc-copy fails w/o the patch and succeeds when it is applied. - + lxc-copy fails w/o the patch and succeeds when it is applied. [ Where problems could occur ] - * The patch might cause problems on non-default AppArmor configuration, - possibly preventing the use of lxc-copy or lxc-start. + * The patch might cause problems on non-default AppArmor configuration, + possibly preventing the use of lxc-copy or lxc-start. - * We tested the patch on roughly two dozen Ubuntu24.04 developer machines since - September and could not see problems caused by the patch. + * We tested the patch on roughly two dozen Ubuntu24.04 developer machines since + September and could not see problems caused by the patch. 
--- End of SRU Bug Description --- - Thanks and kind regards, Nicolas [1]: https://salsa.debian.org/lxc- team/lxc/-/merge_requests/19/diffs?commit_id=a2ad01ca2081c4dd925037253b01fff0499af17e#d7b13f871dc297c7aa81e98c974db1a24f1b016d_0_21 [2]: Canonical Ubuntu Blog: Restricted unprivileged user namespaces are coming to Ubuntu 23.10 - https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces - - --- - Description: Ubuntu 24.04.1 LTS - Release: 24.04 - liblxc-common: - Installed: 1:5.0.3-2ubuntu7 - Candidate: 1:5.0.3-2ubuntu7 - Version table: - *** 1:5.0.3-2ubuntu7 990 - 990 http://de.archive.ubuntu.com/ubuntu noble/universe amd64 Packages - 100 /var/lib/dpkg/status - - ProblemType: Bug - DistroRelease: Ubuntu 24.04 - Package: liblxc-common 1:5.0.3-2ubuntu7 - Uname: Linux 6.10.6 x86_64 - ApportVersion: 2.28.1-0ubuntu3.1 - Architecture: amd64 - CasperMD5CheckResult: pass - CurrentDesktop: sway - Date: Wed Sep 11 12:37:23 2024 - InstallationDate: Installed on 2024-08-26 (16 days ago) - InstallationMedia: Ubuntu 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240220) - SourcePackage: lxc - UpgradeStatus: Upgraded to noble on 2024-09-04 (7 days ago) - modified.conffile..etc.init.d.apport: [modified] - mtime.conffile..etc.init.d.apport: 2024-07-22T16:59:07 + https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

--
https://bugs.launchpad.net/bugs/2080358

Title:
  [SRU] liblxc-common: AppArmor-Profile for /usr/bin/lxc-copy contains rule for lxc-start

Status in lxc package in Ubuntu:
  Fix Released
Status in lxc source package in Noble:
  New
Status in lxc source package in Oracular:
  Fix Released

Bug description:
  Hi,

  liblxc-common 1:5.0.3-2ubuntu7 provides an AppArmor-Profile for /usr/bin/lxc-copy, but the profile file contains the rule for /usr/bin/lxc-start instead of /usr/bin/lxc-copy.
  The mistake was introduced in [1] (a typo during cherry-picking an upstream commit). Current Debian versions (1:5.0.2-1+deb12u3 and 1:6.0.3-1) are not affected, but Ubuntu 24.04 (noble) is. The mistaken AppArmor profile file prevents running lxc-copy on Ubuntu 24.04 machines.

  Can you please replace the 'lxc-start' by 'lxc-copy' in /etc/apparmor/usr.bin.lxc-copy (see patch below) or update to Debian's 1:6.0.1-1 or above?

  --- SRU Bug Description ---

  [ Impact ]

   * lxc-copy is not usable with unprivileged user-namespaces, if unconfined profiles are restricted in unprivileged user namespaces, example error messages:

     $ sysctl kernel.apparmor_restrict_unprivileged_userns
     kernel.apparmor_restrict_unprivileged_userns = 1

     (This is the new default, cp. [2].)

     $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG
     lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not permitted - Failed to drop supplimentary groups
     lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation not permitted - Failed to setresgid(0, 0, 0)
     lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with error 1
     lxc-copy: A: ../src/lxc/lxccontainer.c: do_create_container_dir: 1235 No such file or directory - Failed to chown rootfs "/home/USER/.local/share/lxc/B"
     lxc-copy: A: ../src/lxc/utils.c: lxc_drop_groups: 1365 Operation not permitted - Failed to drop supplimentary groups
     lxc-copy: A: ../src/lxc/conf.c: userns_exec_mapped_root: 5564 Operation not permitted - Failed to setresgid(0, 0, 0)
     lxc-copy: A: ../src/lxc/utils.c: wait_exited: 346 Child terminated with error 1
     lxc-copy: A: ../src/lxc/lxccontainer.c: do_lxcapi_clone: 3878 Error chowning /home/USER/.local/share/lxc/B/rootfs to container root
     lxc-copy: A: ../src/lxc/tools/lxc_copy.c: do_clone: 391 Failed to clone

     $ dmesg --follow
     [ 527.199317] audit: type=1400 audit(1731322925.737:177): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4108 comm="lxc-copy" requested="userns_create" target="unprivileged_userns"
     [ 527.202674] audit: type=1400 audit(1731322925.737:178): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=4113 comm="lxc-copy" requested="userns_create" target="unprivileged_userns"

   * The upload fixes a typo in lxc-copy's AppArmor profile. noble's original lxc-copy AA profile actually defines a profile for lxc-start, leaving lxc-copy unconfined. Due to the change described in [2], the handling of unconfined AA profiles in user-namespaces prevents the use of `lxc-copy` in noble, if the profile does not get fixed.

     Cp. the original upstream commit d51ea224e89f937131342ea71b8010c1c810dcd3 for reference.

  [ Test Plan ]

   * With sysctl kernel.apparmor_restrict_unprivileged_unconfined=1 and kernel.apparmor_restrict_unprivileged_userns=1 set, as it is the new Ubuntu default, create an LXC container unprivileged and attempt to copy it:

     $ cat > ~/.config/lxc/default.conf << EOF
     lxc.include = /etc/lxc/default.conf
     lxc.idmap = u 0 100000 65536
     lxc.idmap = g 0 100000 65536
     EOF
     $ lxc-create --name A -t download -- --dist ubuntu --release noble --arch amd64
     $ lxc-copy --snapshot -B overlayfs --name A --newname B -l DEBUG

     lxc-copy fails w/o the patch and succeeds when it is applied.

  [ Where problems could occur ]

   * The patch might cause problems on non-default AppArmor configuration, possibly preventing the use of lxc-copy or lxc-start.

   * We tested the patch on roughly two dozen Ubuntu 24.04 developer machines since September and could not see problems caused by the patch.
  --- End of SRU Bug Description ---

  Thanks and kind regards,
  Nicolas

  [1]: https://salsa.debian.org/lxc-team/lxc/-/merge_requests/19/diffs?commit_id=a2ad01ca2081c4dd925037253b01fff0499af17e#d7b13f871dc297c7aa81e98c974db1a24f1b016d_0_21
  [2]: Canonical Ubuntu Blog: Restricted unprivileged user namespaces are coming to Ubuntu 23.10
  https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
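As an added example (not code from the bug report or the lxc package), a small POSIX shell check that reads the attachment path out of an AppArmor profile file and flags a file shipped under the lxc-copy name whose header actually confines /usr/bin/lxc-start, which is the mismatch this bug describes. The two sample profiles are constructed after the bug's description, and the installed location /etc/apparmor.d/usr.bin.lxc-copy is an assumption.

```shell
#!/bin/sh
# Added example, not code from the bug report or the lxc package: report which
# executable an AppArmor profile file really attaches to. A file named
# usr.bin.lxc-copy whose header names /usr/bin/lxc-start leaves lxc-copy
# unconfined, which apparmor_restrict_unprivileged_userns=1 then blocks.

# Print the attachment path of every top-level profile header in FILE.
# Accepts both header forms: "profile NAME /path flags=(...) {" and "/path {".
profile_attachments() {
    sed -e 's/#.*//' "$1" | awk '
        /[{][ \t]*$/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\//) { print $i; break }
        }'
}

# Succeed (exit 0) only if FILE confines exactly EXPECTED and nothing else.
check_profile_attaches() {
    [ "$(profile_attachments "$1")" = "$2" ]
}

# Constructed sample profiles modelled on the bug: the shipped file names
# lxc-start in its header, the corrected one names lxc-copy.
tmp=$(mktemp -d)
cat > "$tmp/usr.bin.lxc-copy.broken" <<'EOF'
#include <tunables/global>
profile lxc-start /usr/bin/lxc-start flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
EOF
cat > "$tmp/usr.bin.lxc-copy.fixed" <<'EOF'
#include <tunables/global>
profile lxc-copy /usr/bin/lxc-copy flags=(attach_disconnected) {
  #include <abstractions/lxc/start-container>
}
EOF

# Check the samples plus the installed profile (assumed path) when present.
for f in "$tmp/usr.bin.lxc-copy.broken" "$tmp/usr.bin.lxc-copy.fixed" \
         /etc/apparmor.d/usr.bin.lxc-copy; do
    [ -r "$f" ] || continue
    if check_profile_attaches "$f" /usr/bin/lxc-copy; then
        echo "OK   $f confines /usr/bin/lxc-copy"
    else
        echo "BAD  $f attaches to: $(profile_attachments "$f" | tr '\n' ' ')"
    fi
done
```

A BAD line for the installed file, together with profile="unconfined" in the userns_create audit records quoted above, is the signature of this bug on a noble host.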