[Bug 1783305] Re: apparmor DENIED when a systemd unit with DynamicUsers=yes is launched in a lxd container

Christian Brauner christian.brauner at canonical.com
Tue Jul 24 10:32:23 UTC 2018


*** This bug is a duplicate of bug 1780227 ***
    https://bugs.launchpad.net/bugs/1780227

This is an AppArmor bug that I reported and which is tracked here:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780227

So please close here in favor of that bug.

Christian

** Changed in: lxd (Ubuntu)
       Status: New => Invalid

** Changed in: systemd (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1783305

Title:
  apparmor DENIED when a systemd unit with DynamicUsers=yes is launched
  in a lxd container

Status in apparmor package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Invalid

Bug description:
  $ lxc launch images:debian/sid test-dynamicusers
  $ lxc exec test-dynamicusers bash
  $ systemd-run --unit=testdynamic -p DynamicUser=yes --uid=xnox /bin/true
  $ systemctl status testdynamic.service

  
  # systemctl status testdynamic.service
  ● testdynamic.service - /bin/true
     Loaded: loaded (/run/systemd/transient/testdynamic.service; transient)
  Transient: yes
     Active: failed (Result: exit-code) since Tue 2018-07-24 10:16:13 UTC; 6s ago
    Process: 470 ExecStart=/bin/true (code=exited, status=217/USER)
   Main PID: 470 (code=exited, status=217/USER)

  Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Forked /bin/true as 470
  Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed dead -> running
  Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Job testdynamic.service/start finished, result=done
  Jul 24 10:16:13 systemd239 systemd[1]: Started /bin/true.
  Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed to send unit change signal for testdynamic.service: Connection reset by peer
  Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Child 470 belongs to testdynamic.service.
  Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Main process exited, code=exited, status=217/USER
  Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Failed with result 'exit-code'.
  Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Changed running -> failed
  Jul 24 10:16:13 systemd239 systemd[1]: testdynamic.service: Unit entered failed state.

  
  and on the host side, in journal there is:

  Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
  Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
  Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
  Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
  Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
  Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
  Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:935): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
  Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:936): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
  Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:937): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
  Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:938): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
  Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:939): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
  Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:940): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
  Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:941): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
  Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
  Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
  Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none

  
  Can we somehow make DynamicUser work in lxd containers?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1783305/+subscriptions
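Added example for triaging the host-side journal lines quoted in the report above; it is not code from the bug report, LXD, systemd or AppArmor. It parses both journal renderings of an AppArmor DENIED record (the `audit[pid]: AVC ...` line and the `kernel: audit: type=1400 audit(secs.millis:serial): ...` line), tolerates the kernel lines the journal cut off at `sock_type=`, and flags the signature seen here: `file_lock` denied on an AF_UNIX socket under an `lxd-` profile. The sample lines are copied from the report; the extra sshd line is constructed noise, and the `ausearch -a <serial>` follow-up assumes auditd is running on the host.

```python
"""Parse AppArmor DENIED audit records from a journal dump and summarise them."""
import re
from collections import Counter
from datetime import datetime, timezone

# Sample input copied from the bug report above (the kernel lines are truncated at
# "sock_type=" exactly as the journal showed them), plus one constructed sshd line
# to show that unrelated records are skipped.
SAMPLE_JOURNAL = """\
Jul 24 11:16:13 sochi audit[14904]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi audit[3198]: AVC apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:934): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=14904 comm="(true)" family="unix" sock_type=
Jul 24 11:16:13 sochi kernel: audit: type=1400 audit(1532427373.697:938): apparmor="DENIED" operation="file_lock" profile="lxd-systemd239_</var/lib/lxd>" pid=3198 comm="systemd" family="unix" sock_type=
Jul 24 11:16:14 sochi sshd[22]: Accepted publickey for root from 10.0.0.5 port 1234 ssh2
"""

# key="quoted value" | key=bareword | key=   (empty value on a truncated line)
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# kernel rendering carries the audit timestamp and event serial: audit(secs.millis:serial)
_KERNEL_TS_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def parse_avc_line(line):
    """Return a dict of fields for an AppArmor AVC record, or None for any other line.

    Fields: every key=value pair from 'apparmor=' onwards, plus 'source' ("audit" or
    "kernel"), 'truncated' (True when the last field has no value, i.e. the journal
    cut the line) and, for kernel lines, 'audit_serial' and 'audit_time' (UTC).
    """
    idx = line.find('apparmor=')
    if idx < 0:
        return None
    rec = {}
    matches = list(_KV_RE.finditer(line[idx:]))
    for m in matches:
        key, quoted, bare = m.groups()
        rec[key] = quoted if quoted is not None else bare
    last = matches[-1] if matches else None
    rec['truncated'] = last is not None and last.group(2) is None and last.group(3) == ''
    if 'kernel: audit:' in line:
        rec['source'] = 'kernel'
        ts = _KERNEL_TS_RE.search(line)
        if ts:
            secs, millis, serial = ts.groups()
            rec['audit_serial'] = int(serial)
            # audit prints the fraction as milliseconds; build the datetime from
            # integers so no float rounding creeps into the microsecond field
            rec['audit_time'] = datetime.fromtimestamp(int(secs), tz=timezone.utc).replace(
                microsecond=int(millis) * 1000)
    else:
        rec['source'] = 'audit'
    return rec


def matches_report_signature(rec):
    """True when a record looks like the denial in the report: DENIED file_lock on an
    AF_UNIX socket from inside an LXD container profile (LXD names them "lxd-<name>_<path>")."""
    return (rec.get('apparmor') == 'DENIED' and rec.get('operation') == 'file_lock'
            and rec.get('family') == 'unix' and str(rec.get('profile', '')).startswith('lxd-'))


def summarize_denials(journal_text):
    """Summarise AppArmor DENIED records in a journal dump.

    Returns (counts, truncated_serials): counts maps
    (profile, operation, comm, source) -> number of records; truncated_serials lists
    the audit serials of kernel lines the journal cut short, so the complete record
    can be pulled with `ausearch -a <serial>` (assumes auditd is running; without it
    the audit[pid] rendering is the one to read).
    """
    counts = Counter()
    truncated = []
    for line in journal_text.splitlines():
        rec = parse_avc_line(line)
        if rec is None or rec.get('apparmor') != 'DENIED':
            continue
        counts[(rec.get('profile'), rec.get('operation'), rec.get('comm'), rec['source'])] += 1
        if rec['truncated'] and 'audit_serial' in rec:
            truncated.append(rec['audit_serial'])
    return counts, truncated


if __name__ == '__main__':
    counts, truncated = summarize_denials(SAMPLE_JOURNAL)
    for key, n in sorted(counts.items()):
        print(n, *key)
    print('kernel records truncated by the journal (audit serials):', truncated)
    first = parse_avc_line(SAMPLE_JOURNAL.splitlines()[0])
    print('matches report signature:', matches_report_signature(first))
```

Run it against `journalctl -k -o short` output or `dmesg` piped to stdin instead of `SAMPLE_JOURNAL` to see whether a failing unit in a container coincides with denials under that container's `lxd-` profile; the `pid` field is the host-namespace PID, so map it back with `ps -o pid,comm` on the host, not inside the container.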
