apparmor unconfined profile blocks pivot_root
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Confirmed | Undecided | Unassigned | |
| apparmor (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
The LXD team received a report (https:/
After some investigation, it was discovered that the problem is connected with the AppArmor profile that is shipped by default in /etc/apparmor.
This profile is unconfined and should grant all permissions to the runc daemon, but it does not work.
Manually adding a "pivot_root," line and running "systemctl reload apparmor.service" makes it work.
After some further investigation it was found that the problem is not reproducible on an upstream Linux kernel.
Our team was able to identify the problematic commit:
https:/
The following (partial) revert solves the issue on the Ubuntu kernel:
diff --git a/security/
index 74b7293ab971.
--- a/security/
+++ b/security/
@@ -678,7 +678,7 @@ static struct aa_label *build_
- if (!RULE_
+ if (profile_
error = aa_path_
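Review bot: the guard swap at `- if (!RULE_` / `+ if (profile_` changes which condition gates the `error = aa_path_` call that follows it, and because this is described as a partial rather than a clean revert, the change needs a commit message stating which check is being restored and which part of the original commit is deliberately kept, so that the resulting behaviour for unconfined profiles is documented.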
System info:
# uname -a
Linux ubuntu 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04 LTS"
<CUT>
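The manual workaround from the description above (adding a "pivot_root," rule to the unconfined profile and reloading AppArmor), written up as an added shell example that is not part of the bug report or the AppArmor project; the profile file layout (a single block closed by a line containing only "}") and the sample profile contents are assumptions:

```shell
#!/bin/sh
# Added example, not from the bug report: idempotently add the "pivot_root,"
# workaround rule to an AppArmor profile file, then reload the policy.
# Assumes the profile is a single block whose last line is just "}".

# Return 0 if FILE already carries a pivot_root rule in any form
# ("pivot_root," or "pivot_root oldroot=..."), 1 otherwise.
has_pivot_root_rule() {
    grep -Eq '^[[:space:]]*pivot_root([[:space:]]|,)' "$1"
}

# Insert "  pivot_root," before the profile's closing brace when it is missing.
# Returns 0 when the file ends up containing the rule, 1 when no closing
# brace was found (the file is left untouched in that case).
ensure_pivot_root_rule() {
    file=$1
    if has_pivot_root_rule "$file"; then
        return 0
    fi
    # Line number of the last line that is only a closing brace.
    close_line=$(grep -n '^[[:space:]]*}[[:space:]]*$' "$file" | tail -n 1 | cut -d: -f1)
    if [ -z "$close_line" ]; then
        echo "no closing brace found in $file" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v n="$close_line" 'NR == n { print "  pivot_root," } { print }' "$file" > "$tmp" \
        && cat "$tmp" > "$file"      # cat keeps the original owner and mode
    rm -f "$tmp"
    has_pivot_root_rule "$file"
}

# Apply the fix to one profile and load it, as the report describes doing by hand.
apply_workaround() {
    ensure_pivot_root_rule "$1" && systemctl reload apparmor.service
}
```

Run `apply_workaround /etc/apparmor.d/<profile>` as root; the rule is only inserted once, so re-running it is safe.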
This requires a v4.0 apparmor parser and an Ubuntu, not upstream, kernel.
The Ubuntu kernel carries a patch that is work toward splitting unconfined and making it so it can be replaced and only cause mediation overhead for the classes being mediated.
The 4.0 parser is setting mediated classes in unconfined profiles when it shouldn't, causing pivot_root to fail.