apparmor unconfined profile blocks pivot_root

Bug #2067900 reported by Aleksandr Mikhalitsyn
This bug affects 8 people
Affects            Status     Importance  Assigned to  Milestone
AppArmor           Confirmed  Undecided   Unassigned
apparmor (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

The LXD team got a report (https://github.com/canonical/lxd/issues/13389) from one of our users that on an Ubuntu Noble host it is not possible to run Docker containers inside an LXC container.

After some investigation, it was discovered that the problem is connected with the AppArmor profile shipped by default at /etc/apparmor.d/runc (it comes from https://git.launchpad.net/ubuntu/+source/apparmor/commit/profiles/apparmor.d/runc?h=ubuntu/noble-devel&id=997aea8111bfa1e03960ae3a40321da73f0a6d96 ).

This profile is unconfined and should give all permissions to the runc daemon. But it does not work.

Manually adding a "pivot_root," line and executing "systemctl reload apparmor.service" makes it work.

After some further investigation it was found that on the upstream Linux kernel the problem is not reproducible.

Our team was able to find a problematic commit:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=dc757a645cfa82f6ac252365df20a36a9ff82760

The following (partial) revert helps to solve the issue on the Ubuntu kernel:

diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
index 74b7293ab971..b12e6bdfefb2 100644
--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -678,7 +678,7 @@ static struct aa_label *build_pivotroot(const struct cred *subj_cred,
        AA_BUG(!new_path);
        AA_BUG(!old_path);

- if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
+ if (profile_unconfined(profile) || !RULE_MEDIATES(rules, AA_CLASS_MOUNT))
                return aa_get_newest_label(&profile->label);

        error = aa_path_name(old_path, path_flags(profile, old_path),
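Review bot: the `-` and `+` lines have lost the leading tab that the surrounding context lines (`AA_BUG(!new_path);`, `return aa_get_newest_label(&profile->label);`) still carry, so this hunk will not apply as pasted; regenerate it with `git format-patch` or attach it as a file instead of inlining it. On substance, since the description itself calls this a partial revert and the next comment attributes the root cause to the 4.0 parser setting mediated classes in unconfined profiles, the added `profile_unconfined(profile) ||` short-circuit in build_pivotroot() should be described as a kernel-side workaround that restores the previous behaviour for pivot_root only; the parser-side fix is what makes it unnecessary.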

System info:

# uname -a
Linux ubuntu 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04 LTS"
<CUT>

John Johansen (jjohansen) wrote :

This requires a v4.0 apparmor parser and an Ubuntu (not upstream) kernel.

The Ubuntu kernel carries a patch that is work toward splitting unconfined and making it so it can be replaced and only cause mediation overhead for the classes being mediated.

The 4.0 parser is setting mediated classes in unconfined profiles when it shouldn't, causing pivot root to fail.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor:
status: New → Confirmed
Aleksandr Mikhalitsyn (mihalicyn) wrote :

It looks like the same issue happens with "kill" syscall:

Jul 01 15:52:45 kernel: audit: type=1400 audit(1719849165.951:291): apparmor="DENIED" operation="signal" class="signal" profile="lxd-v1_</var/snap/lxd/common/lxd>" pid=15369 comm="lxd" requested_mask="receive" denied_mask="receive" signal=kill peer="snap.lxd.daemon"

This started to appear after LXD was enabled to use unconfined profile mode.
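As an added example (not part of this bug report, nor AppArmor, LXD or runc code), the following script shows one way to catch the symptom described in the report and in the comment above from a host's audit log: it parses type=1400 AppArmor records and flags any DENIED event attributed to a profile that is supposed to be unconfined, which should never happen. The profile list, the pivotroot record and the two other sample records are constructed for illustration; only the signal record is the one quoted in this thread.

```python
import re
from typing import Dict, Iterable, List

# One key=value field of an AppArmor audit record. Values are either
# double-quoted (and may contain '/', '<', '>') or a bare token such as pid=15369.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log. The first line is the record quoted in this bug;
# the pivotroot line mimics the denial shape for the runc profile.
SAMPLE_AUDIT = [
    'Jul 01 15:52:45 kernel: audit: type=1400 audit(1719849165.951:291): apparmor="DENIED" operation="signal" class="signal" profile="lxd-v1_</var/snap/lxd/common/lxd>" pid=15369 comm="lxd" requested_mask="receive" denied_mask="receive" signal=kill peer="snap.lxd.daemon"',
    'Jul 01 15:52:50 kernel: audit: type=1400 audit(1719849170.100:292): apparmor="DENIED" operation="pivotroot" class="mount" profile="runc" name="/var/lib/docker/overlay2/abc/merged/" pid=15400 comm="runc" srcname="/var/lib/docker/overlay2/abc/merged/"',
    'Jul 01 15:52:51 kernel: audit: type=1400 audit(1719849171.000:293): apparmor="ALLOWED" operation="open" class="file" profile="snap.lxd.daemon" name="/etc/hosts" pid=15401 comm="lxd" requested_mask="r"',
    'Jul 01 15:52:52 kernel: audit: type=1400 audit(1719849172.000:294): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=15402 comm="cupsd" requested_mask="r" denied_mask="r"',
]

# Constructed list of profiles loaded with flags=(unconfined); on a real host
# take the names from aa-status / the profile files instead.
UNCONFINED_PROFILES = ["lxd-v1_</var/snap/lxd/common/lxd>", "runc"]


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one type=1400 audit record into its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}


def unconfined_denials(lines: Iterable[str], unconfined: Iterable[str]) -> List[Dict[str, str]]:
    """Return DENIED records attributed to a profile that should be unconfined.

    An unconfined profile must not be mediated at all, so any DENIED record
    carrying its name is evidence that mediation is being applied anyway
    (pivot_root and signal in this bug). Records from confined profiles and
    ALLOWED records are normal and are skipped.
    """
    wanted = set(unconfined)
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec.get("apparmor") == "DENIED" and rec.get("profile") in wanted:
            hits.append({f: rec.get(f, "") for f in
                         ("profile", "operation", "class", "denied_mask", "comm")})
    return hits


if __name__ == "__main__":
    for h in unconfined_denials(SAMPLE_AUDIT, UNCONFINED_PROFILES):
        print(f"unconfined profile {h['profile']} was mediated: "
              f"{h['operation']} ({h['class']}) by {h['comm']}")
```

On a live host the same function can be fed `journalctl -k` or /var/log/audit/audit.log lines; an empty result after reloading the profiles is the expected state once the parser or kernel fix is in place.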

Thomas Parrott (tomparrott) wrote :

This issue is now occurring in lxd latest/edge builds after we merged initial support for restricted user namespaces.

Is there an ETA on a fix?

Aleksandr Mikhalitsyn (mihalicyn) wrote :