[Bug 2046486] Re: units with SetCredential= fail in LXD containers

Nick Rosbrook 2046486 at bugs.launchpad.net
Wed Jan 3 20:25:33 UTC 2024 

This is the apparmor denial:

audit: type=1400 audit(1704299091.131:665): apparmor="DENIED"
operation="mount" class="mount" info="failed flags match" error=-13
profile="lxd-noble_</var/snap/lxd/common/lxd>" name="/dev/shm/"
pid=71828 comm="(sd-mkdcreds)" flags="ro, nosuid, nodev, noexec,
remount, bind"

which corresponds to:

Dec 14 19:24:24 noble (sd-[2184]: Failed to mount n/a (type n/a) on
/dev/shm
(MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOSYMFOLLOW|MS_BIND
""): Permission denied

from the journal output above. Taking a look at the AppArmor profile
create by LXD, it seems that the problematic flag isMS_NOSYMFOLLOW;
there is a rule in
/var/snap/lxd/common/lxd/security/apparmor/profiles/lxd-noble on my
machine that allows the flags (ro,remount,bind,nosuid,noexec,nodev) for
/dev/shm and others.

I think it probably makes the most sense to allow this flag combination
in the AppArmor profile create by LXD.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2046486

Title:
  units with SetCredential= fail in LXD containers

Status in systemd package in Ubuntu:
  New

Bug description:
  To demonstrate this, in an unprivileged LXD container, create the
  following unit (taken from the systemd test suite):

  $ cat > /etc/systemd/system/exec-set-credential.service << EOF
  # SPDX-License-Identifier: LGPL-2.1-or-later
  [Unit]
  Description=Test for SetCredential=

  [Service]
  ExecStart=/bin/sh -x -c 'test "$$(cat %d/test-execute.set-credential)" = "hoge"'
  ExecStartPost=/bin/sh -x -c 'test "$$(cat %d/test-execute.set-credential)" = "hoge"'
  ExecStop=/bin/sh -x -c 'test "$$(cat %d/test-execute.set-credential)" = "hoge"'
  ExecStopPost=/bin/sh -x -c 'test "$$(cat %d/test-execute.set-credential)" = "hoge"'
  Type=oneshot
  SetCredential=test-execute.set-credential:hoge
  EOF
  $ systemctl daemon-reload
  $ systemctl start exec-set-credential.service
  Job for exec-set-credential.service failed because the control process exited with error code.
  See "systemctl status exec-set-credential.service" and "journalctl -xeu exec-set-credential.service" for details.

  With debug logs enabled, we see:

  $ journalctl -u exec-set-credential.service -b --no-pager
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Trying to enqueue job exec-set-credential.service/start/replace
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Installed new job exec-set-credential.service/start as 2740
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Enqueued job exec-set-credential.service/start as 2740
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Will spawn child (service_enter_start): /bin/sh
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Failed to set 'trusted.invocation_id' xattr on control group /system.slice/exec-set-credential.service, ignoring: Operation not permitted
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Failed to remove 'trusted.delegate' xattr flag on control group /system.slice/exec-set-credential.service, ignoring: Operation not permitted
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Failed to remove 'trusted.survive_final_kill_signal' xattr flag on control group /system.slice/exec-set-credential.service, ignoring: Operation not permitted
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Passing 0 fds to service
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: About to execute: /bin/sh -x -c "test \"1031(cat /run/credentials/exec-set-credential.service/test-execute.set-credential)\" = \"hoge\""
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Forked /bin/sh as 2183
  Dec 14 19:24:24 noble (sh)[2183]: PR_SET_MM_ARG_START failed: Operation not permitted
  Dec 14 19:24:24 noble (sh)[2183]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
  Dec 14 19:24:24 noble (sh)[2183]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Changed dead -> start
  Dec 14 19:24:24 noble systemd[1]: Starting exec-set-credential.service - Test for SetCredential=...
  Dec 14 19:24:24 noble (sh)[2183]: Successfully forked off '(sd-mkdcreds)' as PID 2184.
  Dec 14 19:24:24 noble (sd-[2184]: Changing mount propagation /dev (MS_REC|MS_SLAVE "")
  Dec 14 19:24:24 noble (sd-[2184]: Mounting ramfs (ramfs) on /dev/shm (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_NOSYMFOLLOW "mode=0700")...
  Dec 14 19:24:24 noble (sd-[2184]: Changing mount flags /dev/shm (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOSYMFOLLOW|MS_BIND "")...
  Dec 14 19:24:24 noble (sd-[2184]: Failed to mount n/a (type n/a) on /dev/shm (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_NOSYMFOLLOW|MS_BIND ""): Permission denied
  Dec 14 19:24:24 noble (sh)[2183]: (sd-mkdcreds) failed with exit status 1.
  Dec 14 19:24:24 noble (sh)[2183]: exec-set-credential.service: Failed to set up credentials: Protocol error
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Child 2183 belongs to exec-set-credential.service.
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Main process exited, code=exited, status=243/CREDENTIALS
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Will spawn child (service_enter_stop_post): /bin/sh
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: About to execute: /bin/sh -x -c "test \"1031(cat /run/credentials/exec-set-credential.service/test-execute.set-credential)\" = \"hoge\""
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Forked /bin/sh as 2186
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Changed start -> stop-post
  Dec 14 19:24:24 noble (sh)[2186]: PR_SET_MM_ARG_START failed: Operation not permitted
  Dec 14 19:24:24 noble (sh)[2186]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
  Dec 14 19:24:24 noble (sh)[2186]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
  Dec 14 19:24:24 noble sh[2186]: + test 1031(cat /run/credentials/exec-set-credential.service/test-execute.set-credential) = hoge
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Child 2186 belongs to exec-set-credential.service.
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Control process exited, code=exited, status=1/FAILURE
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Got final SIGCHLD for state stop-post.
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Failed with result 'exit-code'.
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Service will not restart (restart setting)
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Changed stop-post -> failed
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Job 2740 exec-set-credential.service/start finished, result=failed
  Dec 14 19:24:24 noble systemd[1]: Failed to start exec-set-credential.service - Test for SetCredential=.
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Unit entered failed state.
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Consumed 23ms CPU time.
  Dec 14 19:24:24 noble systemd[1]: exec-set-credential.service: Releasing resources...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2046486/+subscriptions

More information about the foundations-bugs mailing list