Container issues with Ubuntu Oracular systemd version 256-1ubuntu1 #13810
Comments
For now the workaround is to do
See also: canonical#12698 Closes canonical#12698 May close canonical#13810 Signed-off-by: Alexander Mikhalitsyn <[email protected]>
It turns out that a ruleset:

```
{{- if .feature_mount_nosymfollow }}
  # see #12698
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /[^spd]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /d[^e]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /de[^v]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.[^l]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.l[^x]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.lx[^c]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.lxc?*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/[^.]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev?*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /p[^r]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /pr[^o]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /pro[^c]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /proc?*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /s[^y]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /sy[^s]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /sys?*{,/**},
{{- end }}
```

is not enough to allow nosymfollow. We are still getting AppArmor denials like this:

```
[110841.647871] audit: type=1400 audit(1721910063.197:1611): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-secure-oriole_</var/snap/lxd/common/lxd>" name="/dev/shm/" pid=712867 comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, bind"
```

First of all, there is no "nosymfollow" in the kernel log, which is a bug and should be fixed by: https://lore.kernel.org/all/[email protected]/

Secondly, it looks like these rules in the form of

```
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /some/path,
```

just do not work at all. At least in AppArmor 4.0+ (I have not yet tested with older ones). During my local experiments, I found that a working variant of it might be:

```
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) -> /some/path,
```

or wider:

```
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow),
```

Let's just add a wider variant of the rule in addition to what we already have for unprivileged containers. But keep in mind that something is wrong with these rules in their more restrictive form (with path specifier). This is a matter for further investigation, because it's important for the privileged containers case.

See also: #12698
Closes #12698
May close #13810
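As an added example (not LXD's or AppArmor's own code), the script below parses the denial quoted above and reports which mount rules of a constructed profile snippet textually cover the logged mount point and flag set; the rule regex and the glob-to-regex conversion are my own simplifications of AppArmor's syntax, and the snippet mixes the path form, the `->` form and the wide form so all three are exercised.

```python
"""Triage an AppArmor mount denial against an LXD-style mount ruleset (added
example, not LXD's or AppArmor's code): parse the audit line and the profile's
mount rules, then list the rules that textually cover the denied mount point and
flags. A textual match is necessary but, as the issue shows, not sufficient."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the denial quoted in the issue.
AUDIT_LINE = (
    '[110841.647871] audit: type=1400 audit(1721910063.197:1611): apparmor="DENIED" '
    'operation="mount" class="mount" info="failed flags match" error=-13 '
    'profile="lxd-secure-oriole_</var/snap/lxd/common/lxd>" name="/dev/shm/" '
    'pid=712867 comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, bind"'
)
# Constructed snippet mixing the three spellings discussed in the issue:
# path form, "->" form and the wide (pathless) form.
PROFILE_SNIPPET = """
{{- if .feature_mount_nosymfollow }}
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /[^spd]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /d[^e]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/[^.]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev?*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) -> /proc?*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow),
{{- end }}
"""
RULE_RE = re.compile(r"^\s*mount\s+options=\(([^)]*)\)(?:\s*(->)?\s*(\S+?))?\s*,\s*$")

@dataclass(frozen=True)
class MountRule:
    options: frozenset       # flags the rule allows
    path: Optional[str]      # AppArmor glob, None for the wide form
    arrow: bool              # True for the "-> /path" spelling

def parse_rules(profile: str) -> List[MountRule]:
    """Extract mount rules; Go-template lines and comments simply do not match."""
    rules = []
    for line in profile.splitlines():
        m = RULE_RE.match(line)
        if m:
            opts = frozenset(o.strip() for o in m.group(1).split(","))
            rules.append(MountRule(opts, m.group(3), m.group(2) is not None))
    return rules

def parse_denial(line: str) -> dict:
    """Map the key=value and key="value" pairs of an audit line; flags become a set."""
    d = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    d["flags"] = {f.strip() for f in d.get("flags", "").split(",") if f.strip()}
    return d

def _glob_body(glob: str) -> str:
    """AppArmor glob to regex: ** crosses '/', * and ? do not, {a,b} alternates."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif c == "*":
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":                 # character class: same syntax in re
            j = glob.index("]", i)
            out.append(glob[i:j + 1]); i = j + 1
        elif c == "{":                 # alternation; nested braces not needed here
            j = glob.index("}", i)
            out.append("(?:%s)" % "|".join(_glob_body(a) for a in glob[i + 1:j].split(",")))
            i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return "".join(out)

def glob_to_regex(glob: str):
    return re.compile("^" + _glob_body(glob) + "$")

def candidate_rules(denial: dict, rules: List[MountRule]) -> List[MountRule]:
    """Rules whose options cover every logged flag and whose path matches the mount point."""
    return [r for r in rules if denial["flags"] <= r.options
            and (r.path is None or glob_to_regex(r.path).match(denial["name"]))]

if __name__ == "__main__":
    d = parse_denial(AUDIT_LINE)
    print(d["info"], d["name"], [r.path for r in candidate_rules(d, parse_rules(PROFILE_SNIPPET))])
```

Run on the quoted denial it reports both the `/dev/[^.]*{,/**}` path rule and the wide rule as textual matches, which is exactly why the "failed flags match" denial points at a parser or kernel problem rather than at a missing rule.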
Reopens for privilege use case.
While investigating canonical#13810 I found that all ro+remount rules in the form:

```
mount options=(ro,remount,bind,A,B,C) /some_pattern{,/**},
```

just do not work at all. This remount+bind case is a very special one, and we should rewrite all rules in this form:

```
mount options=(ro,remount,bind,A,B,C) -> /some_pattern{,/**},
```

This syntax is not new. This change should be compatible with very old AppArmor versions, including 2.11. The explanation for why it was not noticed for years is that for the unprivileged container case we have an analogous rule, but in a wider form:

```
mount options=(ro,remount,bind,nodev,A,B,C),
```

which masks the issue. But for privileged containers it's not. So, let's fix this for correctness.

Signed-off-by: Alexander Mikhalitsyn <[email protected]>
Ok, what we have about privileged containers:
What we have in the audit logs:
This thing wants a recursive bind-mount of
We have this commit in our imagebuilder canonical/lxd-imagebuilder@c928d22 and taking into account that
Have asked CPC about being able to apply a similar fix as canonical/lxd-imagebuilder@c928d22 to https://chat.canonical.com/canonical/pl/dygqosfbp3gy3x7hcs5ssergoy
@mihalicyn does this fix rely on the apparmor parser version in core24?
Yes, but we don't need core24 itself. Full list of changes we need to backport:
Thanks @mihalicyn, I've added the vendored apparmor parser and your fixes as cherry-picks to latest/stable now.
We are rolling out fixes to 5.21/stable for this now (
It turns out that a ruleset:

```
{{- if .feature_mount_nosymfollow }}
  # see canonical#12698
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /[^spd]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /d[^e]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /de[^v]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.[^l]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.l[^x]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.lx[^c]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/.lxc?*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev/[^.]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /dev?*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /p[^r]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /pr[^o]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /pro[^c]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /proc?*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /s[^y]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /sy[^s]*{,/**},
  mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /sys?*{,/**},
{{- end }}
```

is not enough to allow nosymfollow. We are still getting AppArmor denials like this:

```
[110841.647871] audit: type=1400 audit(1721910063.197:1611): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxd-secure-oriole_</var/snap/lxd/common/lxd>" name="/dev/shm/" pid=712867 comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec, remount, bind"
```

First of all, there is no "nosymfollow" in the kernel log, which is a bug and should be fixed by: https://lore.kernel.org/all/[email protected]/

Secondly, it looks like these rules in the form of

```
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) /some/path,
```

just do not work at all. At least in AppArmor 4.0+ (I have not yet tested with older ones). During my local experiments, I found that a working variant of it might be:

```
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow) -> /some/path,
```

or wider:

```
mount options=(ro,remount,bind,nosuid,noexec,nodev,nosymfollow),
```

Let's just add a wider variant of the rule in addition to what we already have for unprivileged containers. But keep in mind that something is wrong with these rules in their more restrictive form (with path specifier). This is a matter for further investigation, because it's important for the privileged containers case.

See also: canonical#12698
Closes canonical#12698
May close canonical#13810

Signed-off-by: Alexander Mikhalitsyn <[email protected]>
(cherry picked from commit 86c3d51)
While investigating canonical#13810 I found that all ro+remount rules in the form:

```
mount options=(ro,remount,bind,A,B,C) /some_pattern{,/**},
```

just do not work at all. This remount+bind case is a very special one, and we should rewrite all rules in this form:

```
mount options=(ro,remount,bind,A,B,C) -> /some_pattern{,/**},
```

This syntax is not new. This change should be compatible with very old AppArmor versions, including 2.11. The explanation for why it was not noticed for years is that for the unprivileged container case we have an analogous rule, but in a wider form:

```
mount options=(ro,remount,bind,nodev,A,B,C),
```

which masks the issue. But for privileged containers it's not. So, let's fix this for correctness.

Signed-off-by: Alexander Mikhalitsyn <[email protected]>
(cherry picked from commit 047d3f5)
@mihalicyn please can you verify that Oracular is working on a Jammy host with the 5.0/edge channel? If so, then we can close this, as the fix will be included in LXD 5.0.4. Thanks
I can confirm that it works for me well on
Investigate and fix all the issues
TODO list:
See also:
#13807
#12698
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2046486
#13844
#13860