
[2.0.9] apparmor change: host and guest? #2981

Closed
juju4 opened this issue Mar 1, 2017 · 7 comments

Comments

@juju4

commented Mar 1, 2017

Required information

  • Distribution: Ubuntu
  • Distribution version: 16.04
  • The output of "lxc info" or if that fails:
    • Kernel version: 4.4.0-62-generic
    • LXC version: 2.0.7-0ubuntu1~16.04.1
    • LXD version: 2.0.8 -> 2.0.9

Issue description

I have a bind setup in a container, and I observed recently that it fails to start with a permission denied error on a custom log path.
This error is commonly linked to apparmor, but its profile customization inside the guest container is part of my deployment play.

Just in case, I tried making the change in the host's apparmor profiles, and afterwards bind started again.
It seems lxc/lxd was updated from 2.0.6/2.0.8 to 2.0.7/2.0.9 the day before it stopped working.

Is this the new normal behavior? Is it documented? I didn't find anything with a quick search.
I checked https://linuxcontainers.org/lxd/news/ but didn't see any matching entry.

Thanks

Steps to reproduce

  1. Have bind in a container with a custom apparmor profile (ex: custom log to /var/log/bind)
  2. Start the daemon

before: OK
after 2.0.7/2.0.9: need to modify host profile too

@stgraber

Member

commented Mar 1, 2017

Can you show "lxc config show --expanded NAME-OF-CONTAINER"?

@juju4

Author

commented Mar 1, 2017

# lxc config show --expanded dlbind                        
architecture: x86_64
config:
  volatile.base_image: 8542ececdfd6d9a01f3f52ec79c5c82947f525cd73a4e1f3ea16cadd5c34dd05
  volatile.eth0.hwaddr: 00:16:3e:82:7d:c3
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  root:
    path: /
    type: disk
ephemeral: false
profiles:
- default

@stgraber

Member

commented Mar 1, 2017

Ok, that looks fine.

How about "cat /proc/PID/attr/current" where PID is taken from "lxc info dlbind"?

And then "cat /proc/self/attr/current" from inside the container.

@juju4

Author

commented Mar 1, 2017

# cat /proc/2229/attr/current
unconfined//&:lxd-dlbind_<var-lib-lxd>://unconfined
root@dlbind:~# cat /proc/self/attr/current
unconfined
root@dlbind:~# apparmor_status |grep -C3 -i named
   /usr/lib/lxd/lxd-bridge-proxy
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/named
   /usr/sbin/tcpdump
   lxc-container-default
   lxc-container-default-cgns
--
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (292) 
   /usr/sbin/named (15484) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
# apparmor_status |grep -C3 -i named
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/mysqld
   /usr/sbin/named
   /usr/sbin/tcpdump
   :lxd-dlbind_<var-lib-lxd>:///sbin/dhclient
   :lxd-dlbind_<var-lib-lxd>:///usr/bin/lxc-start
--
   :lxd-dlbind_<var-lib-lxd>:///usr/lib/lxd/lxd-bridge-proxy
   :lxd-dlbind_<var-lib-lxd>:///usr/lib/snapd/snap-confine
   :lxd-dlbind_<var-lib-lxd>:///usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   :lxd-dlbind_<var-lib-lxd>:///usr/sbin/named
   :lxd-dlbind_<var-lib-lxd>:///usr/sbin/tcpdump
   :lxd-dlbind_<var-lib-lxd>://lxc-container-default
   :lxd-dlbind_<var-lib-lxd>://lxc-container-default-cgns
--
14 processes have profiles defined.
11 processes are in enforce mode.
   /usr/sbin/mysqld (1690) 
   /usr/sbin/named//&:lxd-dlbind_<var-lib-lxd>:///usr/sbin/named (14247) 
   snap.canonical-livepatch.canonical-livepatchd (18419) 
   unconfined//&:lxd-dlbind_<var-lib-lxd>:///sbin/dhclient (10805)

@stgraber

Member

commented Mar 1, 2017

Cool, that indeed shows that something wrong is going on.

/usr/sbin/named in the container is confined by both the named profile OUTSIDE and the one INSIDE the container...

As far as LXD is concerned, everything looks good. The apparmor namespacing and stacking is set up properly, so the reason why both apparmor profiles got applied would be a kernel bug.

Can you please report this at https://launchpad.net/ubuntu/+source/apparmor/+filebug and mention the bug number here so I can subscribe the LXD team to it for tracking?

Thanks!

@stgraber stgraber closed this Mar 1, 2017
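Added example, not part of this thread or of LXD: a small Python checker that parses stacked AppArmor labels of the form shown above (parts joined by "//&", namespaced parts written ":NAME://PROFILE") and flags a task that is confined by a profile in more than one policy namespace, which is exactly what the named label in this thread exhibits. The sample labels are copied from the output posted above; the namespace name lxd-dlbind_<var-lib-lxd> is the one from this host, and the label_of_pid helper is an assumption about where to read a live label.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample labels, copied from the output posted in this thread.
SAMPLE_LABELS = [
    "unconfined//&:lxd-dlbind_<var-lib-lxd>://unconfined",            # container init
    "unconfined//&:lxd-dlbind_<var-lib-lxd>:///sbin/dhclient",         # only the in-container profile
    "/usr/sbin/named//&:lxd-dlbind_<var-lib-lxd>:///usr/sbin/named",   # host AND container profile
    "/usr/sbin/mysqld",                                                # plain host process
]

@dataclass(frozen=True)
class LabelPart:
    namespace: Optional[str]  # None means the host (root) policy namespace
    profile: str              # "unconfined" or a profile name such as /usr/sbin/named

    @property
    def confined(self) -> bool:
        return self.profile != "unconfined"

# A part living in a policy namespace is written ":NAME://PROFILE".
_NS_PART = re.compile(r"^:(?P<ns>[^:]+)://(?P<profile>.+)$")
# /proc/PID/attr/current may append the mode, e.g. " (enforce)".
_MODE_SUFFIX = re.compile(r"\s\((enforce|complain|kill|unconfined)\)$")

def parse_label(label: str) -> List[LabelPart]:
    """Split a (possibly stacked) AppArmor label into its parts.
    Stacked parts are joined with '//&'; a plain '//' inside a part is a hat."""
    label = _MODE_SUFFIX.sub("", label.strip())
    parts = []
    for raw in label.split("//&"):
        m = _NS_PART.match(raw)
        parts.append(LabelPart(m["ns"], m["profile"]) if m else LabelPart(None, raw))
    return parts

def confining_parts(label: str) -> List[LabelPart]:
    """Only the parts that actually restrict the task (drop 'unconfined')."""
    return [p for p in parse_label(label) if p.confined]

def is_doubly_confined(label: str) -> bool:
    """True when profiles from more than one policy namespace apply at once,
    i.e. a container task is confined by the host's profile as well as its own."""
    return len({p.namespace for p in confining_parts(label)}) > 1

def audit(labels: List[str]) -> List[str]:
    """Return the labels that show confinement from two namespaces."""
    return [l for l in labels if is_doubly_confined(l)]

def label_of_pid(pid: int) -> str:
    """Assumed helper: read a live task's label from the host side (same as 'cat /proc/PID/attr/current')."""
    with open(f"/proc/{pid}/attr/current") as f:
        return f.read()

if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        print("DOUBLE" if is_doubly_confined(label) else "ok    ", label)
```

Run it on the host against the PIDs listed by "lxc info NAME" to spot any container task whose host-side part is a real profile rather than "unconfined".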

@stgraber

Member

commented Mar 1, 2017

We tracked this down and have a reproducer. It's a security issue which we'll be tracking privately for now. If you have a Launchpad account, I can subscribe you to the private report as the original reporter of this problem.

@juju4

Author

commented Mar 1, 2017

Thanks @stgraber
Happy to help.
