[Bug 1783305] [NEW] apparmor DENIED when a systemd unit with DynamicUsers=yes is launched in a lxd container
Dimitri John Ledkov
launchpad at surgut.co.uk
Tue Jul 24 10:18:24 UTC 2018
Public bug reported:
$ lxc launch images:debian/sid test-dynamicusers
$ lxc exec test-dynamicusers bash
$ systemd-run --unit=testdynamic -p DynamicUser=yes --uid=xnox /bin/true
$ systemctl status testdynamic.service
# systemctl status testdynamic.service
● testdynamic.service - /bin/true
Loaded: loaded (/run/systemd/transient/testdynamic.service; transient)
Transient: yes
Active: failed (Result: exit-code) since Tue 2018-07-24 10:16:13 UTC; 6s ago
Process: 470 ExecStart=/bin/true (code=exited, status=217/USER)
Main PID: 470 (code=exited, status=217/USER)
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Forked /bin/true as 470
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed dead -> running
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Job testdynamic.service/start finished, result=done
Jul 24 10:16:13 systemd239 systemd[1]: Started /bin/true.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed to send unit change signal for testdynamic.service: Connection reset by peer
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Child 470 belongs to testdynamic.service.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Main process exited, code=exited, status=217/USER
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed with result 'exit-code'.
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed running -> failed
Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Unit entered failed state.
and on the host side, in the journal there is:
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:935): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:936): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:937): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:938): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:939): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:940): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:941): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Can we somehow make DynamicUser work in lxd containers?
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Affects: lxd (Ubuntu)
Importance: Undecided
Status: New
** Affects: systemd (Ubuntu)
Importance: Undecided
Status: New
** Also affects: systemd (Ubuntu)
Importance: Undecided
Status: New
** Also affects: lxd (Ubuntu)
Importance: Undecided
Status: New
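As an added triage example (not part of the bug report), a small Python parser for the two forms of AppArmor audit line shown above: it tolerates the kernel-form lines that are cut off at `sock_type=`, recovers the container name from the LXD profile name, and tallies DENIED events per container, operation and process. The sample lines are copied from the report; the final `Started Session` line is constructed as a non-AppArmor journal entry.

```python
import re
from collections import Counter

# Constructed sample: three journal lines from the report (one truncated
# kernel-form line) plus one unrelated, made-up journal entry.
SAMPLE_JOURNAL = """\
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:938): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:13 sochi systemd[1]: Started Session 12 of user root.
"""

# key=value pairs: quoted values may contain spaces, '/' and '<>'; bare values
# run to the next whitespace.  A dangling 'key=' (truncated line) never matches.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_SERIAL = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# LXD names container profiles "lxd-<container>_<lxd dir>"
_LXD_PROFILE = re.compile(r'^lxd-(.+?)_<(.+)>$')


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {k: (q or b) for k, q, b in _KV.findall(line)}
    # Only the kernel-form line carries the audit(timestamp:serial) pair.
    m = _SERIAL.search(line)
    fields["serial"] = int(m.group(2)) if m else None
    # Kernel-form lines in the report are cut off after 'sock_type='.
    fields["truncated"] = line.rstrip().endswith("=")
    return fields


def lxd_container_from_profile(profile):
    """Recover the container name from an LXD AppArmor profile name."""
    m = _LXD_PROFILE.match(profile)
    return m.group(1) if m else None


def summarize_denials(journal_text):
    """Count DENIED events per (container, operation, comm).

    Kernel-form lines (those with a serial) are skipped: in the report every
    AVC line has a matching kernel-form copy, so counting both would double.
    """
    counts = Counter()
    for line in journal_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED" or ev["serial"] is not None:
            continue
        container = lxd_container_from_profile(ev.get("profile", "")) or ev.get("profile")
        counts[(container, ev.get("operation"), ev.get("comm"))] += 1
    return counts
```

Feed it `journalctl -k -o cat` or the audit unit's journal output to get a per-container view of which confined processes are being refused which operation.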
https://bugs.launchpad.net/bugs/1783305