apparmor_parser: Warning: unable to find a suitable fs in /proc/mounts, is it mounted?

Hi,

Thanks a lot for making this code open source.

I have problems when creating the AppArmor profile. I am using a fresh installation of Ubuntu 14.04 LTS in a machine hosted at Linode.

When I try to run the apparmor_parser, I get the error Warning: unable to find a suitable fs in /proc/mounts, is it mounted?.

Here is my AppArmor profile:

(prueba-sandbox)pepe@li911:~$ cat /etc/apparmor.d/home.pepe.prueba-sandbox.bin.python 
#include <tunables/global>

/home/pepe/prueba-sandbox/bin/python {
    #include <abstractions/base>
    #include <abstractions/python>

    /home/pepe/prueba-sandbox/** mr,
    # If you have code that the sandbox must be able to access, add lines
    # pointing to those directories:
    #/the/path/to/your/sandbox-packages/** r,

    /tmp/codejail-*/ rix,
    /tmp/codejail-*/** wrix,
}

And the error:

(prueba-sandbox)pepe@li911:~$ sudo apparmor_parser /etc/apparmor.d/home.pepe.prueba-sandbox.bin.python 
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.

Also, when I try to use aa-enforce I get this error.

pepe@li911:~$ sudo aa-enforce /etc/apparmor.d/home.pepe.prueba-sandbox.bin.python 
Setting /etc/apparmor.d/home.pepe.prueba-sandbox.bin.python to enforce mode.
Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 166, in cmd_enforce
    raise apparmor.AppArmorException(cmd_info[1])
apparmor.common.AppArmorException: 'Warning: unable to find a suitable fs in /proc/mounts, is it mounted?\nUse --subdomainfs to override.\n'

Note that apparmor is using "/usr/lib/python3/" instead of "/usr/lib/python2.7". Could this be the reason of the error?

Finally, when I try to run the example code I get an error, but I guess that it is related with the previous error:

>>> import codejail.jail_code
>>> codejail.jail_code.configure('python', '/home/pepe/prueba-sandbox/bin/python')
>>> import codejail.safe_exec
>>> codejail.safe_exec.safe_exec("import os\nos.system('ls /etc')", {})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/pepe/prueba/local/lib/python2.7/site-packages/codejail/safe_exec.py", line 151, in safe_exec
    extra_files=extra_files,
  File "/home/pepe/prueba/local/lib/python2.7/site-packages/codejail/jail_code.py", line 237, in jail_code
    realtime=LIMITS["REALTIME"], rlimits=create_rlimits(),
  File "/home/pepe/prueba/local/lib/python2.7/site-packages/codejail/subproc.py", line 42, in run_subprocess
    stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
  File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1327, in _execute_child
    raise child_exception

The only related issue that I found is: https://github.com/edx/configuration/issues/1312

Any help would be very much appreciated! Thanks!

[e0d]

I'm guess that your instance doesn't have anything mounted at /tmp. Can
you confirm?

e0d

On Sat, Mar 7, 2015 at 4:57 PM, melonista notifications@github.com wrote:

Hi,

Thanks a lot for making this code open source.

I have problems when creating the AppArmor profile. I am using a fresh
installation of Ubuntu 14.04 LTS in a machine hosted at Linode.

When I try to run the apparmor_parser, I get the error Warning: unable to
find a suitable fs in /proc/mounts, is it mounted?.

Here is my AppArmor profile:

(prueba-sandbox)pepe@li911:~$ cat /etc/apparmor.d/home.pepe.prueba-sandbox.bin.python
#include <tunables/global>

/home/pepe/prueba-sandbox/bin/python {
#include <abstractions/base>
#include <abstractions/python>

/home/pepe/prueba-sandbox/** mr,
# If you have code that the sandbox must be able to access, add lines
# pointing to those directories:
#/the/path/to/your/sandbox-packages/** r,

/tmp/codejail-*/ rix,
/tmp/codejail-*/** wrix,

}

And the error:

(prueba-sandbox)pepe@li911:~$ sudo apparmor_parser /etc/apparmor.d/home.pepe.prueba-sandbox.bin.python
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.

Also, when I try to use aa-enforce I get this error.

pepe@li911:~$ sudo aa-enforce /etc/apparmor.d/home.pepe.prueba-sandbox.bin.python
Setting /etc/apparmor.d/home.pepe.prueba-sandbox.bin.python to enforce mode.
Traceback (most recent call last):
File "/usr/sbin/aa-enforce", line 30, in
tool.cmd_enforce()
File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 166, in cmd_enforce
raise apparmor.AppArmorException(cmd_info[1])
apparmor.common.AppArmorException: 'Warning: unable to find a suitable fs in /proc/mounts, is it mounted?\nUse --subdomainfs to override.\n'

Note that apparmor is using "/usr/lib/python3/" instead of
"/usr/lib/python2.7". Could this be the reason of the error?

Finally, when I try to run the example code I get an error, but I guess
that it is related with the previous error:

import codejail.jail_code
codejail.jail_code.configure('python', '/home/pepe/prueba-sandbox/bin/python')
import codejail.safe_exec
codejail.safe_exec.safe_exec("import os\nos.system('ls /etc')", {})
Traceback (most recent call last):
File "", line 1, in
File "/home/pepe/prueba/local/lib/python2.7/site-packages/codejail/safe_exec.py", line 151, in safe_exec
extra_files=extra_files,
File "/home/pepe/prueba/local/lib/python2.7/site-packages/codejail/jail_code.py", line 237, in jail_code
realtime=LIMITS["REALTIME"], rlimits=create_rlimits(),
File "/home/pepe/prueba/local/lib/python2.7/site-packages/codejail/subproc.py", line 42, in run_subprocess
stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
File "/usr/lib/python2.7/subprocess.py", line 710, in init
errread, errwrite)
File "/usr/lib/python2.7/subprocess.py", line 1327, in _execute_child
raise child_exception

The only related issue that I found is: edx/configuration#1312
https://github.com/edx/configuration/issues/1312

Any help would be very much appreciated! Thanks!

—
Reply to this email directly or view it on GitHub
#38.

Thanks a lot for your fast reply.

No:

root@li911:~# mount
/dev/xvda on / type ext4 (rw,noatime,errors=remount-ro)
proc on /proc type proc (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/fuse/connections type fusectl (rw)
devtmpfs on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,noexec,nosuid,nodev,none,name=systemd)

root@li911:~# ls /tmp/
pip_build_pepe  pip_build_root

Should I have a /tmp/codejail folder?

I installed Codejail the following way:
1- Activate my non-sandbox vitualenv (in my case /home/prueba/bin/activate).
2- Dowload master.zip from github.
3- $ pip install master.zip (so it is only installed only for this virtualenv)

The only difference with respect the installation guide is that I created the sandboxed virtualenv without sudo:
$ virtualenv <SANDENV>
instead of
$ sudo virtualenv <SANDENV>

But I also tried doing it with sudo, although in the next step then you also need sudo for installing the packages:
sudo pip install -r sandbox-requirements.txt
instead of:
pip install -r sandbox-requirements.txt
And anyway I arrive to the same error that I explained on my first post.

[e0d]

Sorry I don't have more time to look at this now, but this issue is likely
to be solved by using python 2.7 and Ubuntu 12.04. If you'd like to work
on getting code jail running with Python 3 and Ubuntu 14.04, we would
certainly love a PR.

e0d

On Sat, Mar 7, 2015 at 5:51 PM, melonista notifications@github.com wrote:

Thanks a lot for your fast reply.

No:

root@li911-159:~# mount
/dev/xvda on / type ext4 (rw,noatime,errors=remount-ro)
proc on /proc type proc (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/fuse/connections type fusectl (rw)
devtmpfs on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,noexec,nosuid,nodev,none,name=systemd)

root@li911-159:~# ls /tmp/
pip_build_pepe pip_build_root

Should I have a /tmp/codejail folder?

I installed Codejail the following way:
1- Activate my non-sandbox vitualenv (in my case
/home/prueba/bin/activate).
2- Dowload master.zip from github.
3- $ pip install master.zip (so it is only installed only for this
virtualenv)

The only difference with respect the installation guide is that I created
the sandboxed virtualenv without sudo:
$ virtualenv
instead of
$ sudo virtualenv

But I also tried doing it with sudo, although in the next step then you
also need sudo for installing the packages:
sudo pip install -r sandbox-requirements.txt
instead of:
pip install -r sandbox-requirements.txt
And I arrive to the same error that I explained on my first post.

—
Reply to this email directly or view it on GitHub
#38 (comment).

Thanks a lot for trying. For the moment I will try 12.04. Just for the record, what I am currently using is Ubuntu 14.04 LTS + Python 2.7.6.

[e0d]

Can you also include which version of apparmor you are using?

On Sat, Mar 7, 2015 at 6:09 PM, melonista notifications@github.com wrote:

Thanks a lot for trying. For the moment I will try 12.04. Just for the
record, what I am currently using is Ubuntu 14.04 LTS + Python 2.7.6.

—
Reply to this email directly or view it on GitHub
#38 (comment).

$ sudo dpkg -s apparmor
Package: apparmor
Architecture: amd64
Version: 2.8.95~2430-0ubuntu5.1

Ubuntu 12.04 raises the same error. I am pretty sure now that this is error happens because the default kernel in Linode is not compiled with AppArmor support.

[dalareo]

I am also facing this error trying to install Ficus on a Linode VM. Is there a solution?? @melonista
UPDATE: I have changed default kernel and trying with distribution-provided one