[SRU][N, O][PATCH 0/1] apparmor: Revert conversion of unconfined() to fix label_mediates()

Maxime Bélair maxime.belair at canonical.com
Sun Nov 17 11:43:18 UTC 2024


BugLink: https://bugs.launchpad.net/bugs/2067900

SRU Justification:

[Impact]

In Noble and Oracular, the commit dc757a645cfa ("UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()") prevents the launching of Docker containers inside a LXC container because the apparmor unconfined profile blocks pivot_root. It also blocks containers that use an old apparmor version (e.g. 2.7) from getting an IPv4 address through DHCP.

[Fix]

Revert of commit dc757a645cfa ("UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()")

[Test Plan]

This fix can be tested in Noble and Oracular by running docker in LXC and checking how they behave, as below:

 1/ Install LXD on a 24.04 machine
 2/ Run a LXD container with support for security.nesting
 3/ In the LXD container install docker.io
 4/ Run a Docker container

With this patch applied, the docker container will work instead of failing with the following error:

```
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied: unknown.
ERRO[0000] error waiting for container:
```

The other issue related to old apparmor versions not supporting ABIs can be tested by running:

```
$ lxc launch ubuntu:12.04
$ lxc list status=running
```

and checking that the IPv4 field is non-null for the newly-started container.

[Where problems could occur]
This revert backport is small and returns to the old, tested behaviour. Hence, this SRU should not cause problems.


[Other Info]

External links:
 - https://github.com/canonical/lxd/issues/13389
 - https://discourse.ubuntu.com/t/containers-with-ubuntu-12-04-5-lts-are-not-getting-ipv4s-anymore/47371

Maxime Bélair (1):
  [SRU][N,O][PATCH 1/1] Backports a revert of "UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()"

 security/apparmor/apparmorfs.c |  2 +-
 security/apparmor/domain.c     | 40 +++++++++++++---------------------
 security/apparmor/file.c       |  4 ++--
 security/apparmor/ipc.c        |  2 +-
 security/apparmor/label.c      |  8 +++----
 security/apparmor/lsm.c        | 16 +++++++-------
 security/apparmor/mount.c      |  3 ++-
 security/apparmor/net.c        |  2 +-
 security/apparmor/task.c       | 12 ++++++----
 9 files changed, 42 insertions(+), 47 deletions(-)

-- 
2.43.0
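The two checks in the [Test Plan] above, driven from the host shell, as an added example (not part of the cover letter or the kernel patch). It assumes an LXD host where `lxc` can launch images, and the container names `docker-nest` and `precise` are assumptions. The pure helpers at the top only parse text, so they can be exercised without LXD; the real procedure only runs when invoked as `sh test-sru.sh run` on a host with `lxc`.

```shell
#!/bin/sh
# Added example, not from the SRU cover letter or the kernel tree.
# Reproduces the two manual checks from the [Test Plan]:
#   1. Docker inside a security.nesting LXD container must not die on pivot_root.
#   2. A legacy (apparmor 2.7) 12.04 container must still obtain an IPv4 lease.
set -eu

NESTED=${NESTED:-docker-nest}   # assumed name for the nested container
LEGACY=${LEGACY:-precise}       # assumed name for the 12.04 container

# Pure helper: read `lxc list -c n4 -f csv` output on stdin (lines like
# "precise,10.1.2.3 (eth0)") and print the names whose IPv4 column is empty.
# Assumes one address per container, i.e. no multi-line csv cells.
containers_without_ipv4() {
    awk -F, '$2 == "" { print $1 }'
}

# Pure helper: return 0 when a docker error line is the pivot_root denial
# described in the bug, 1 for any other failure text.
is_pivot_root_denial() {
    printf '%s\n' "$1" | grep -q 'pivot_root .*: permission denied'
}

# Check 1: Docker in a nested LXD container (steps 1-4 of the test plan).
docker_in_lxd_check() {
    lxc launch ubuntu:24.04 "$NESTED" -c security.nesting=true
    # Wait for cloud-init/networking before touching apt; tolerate old images.
    lxc exec "$NESTED" -- cloud-init status --wait >/dev/null 2>&1 || true
    lxc exec "$NESTED" -- sh -c 'apt-get update -q && apt-get install -y -q docker.io'
    if out=$(lxc exec "$NESTED" -- docker run --rm hello-world 2>&1); then
        echo "PASS: docker container ran inside $NESTED"
    else
        if is_pivot_root_denial "$out"; then
            echo "FAIL: pivot_root denied, bug 2067900 still present"
        else
            echo "FAIL: docker failed for an unrelated reason:"
            echo "$out"
        fi
        return 1
    fi
}

# Check 2: legacy apparmor container gets an IPv4 address over DHCP.
legacy_dhcp_check() {
    lxc launch ubuntu:12.04 "$LEGACY"
    sleep 15   # give the DHCP client in the container time to get a lease
    missing=$(lxc list status=running -c n4 -f csv | containers_without_ipv4)
    if [ -z "$missing" ]; then
        echo "PASS: every running container has an IPv4 address"
    else
        echo "FAIL: no IPv4 address on: $missing"
        return 1
    fi
}

# Only touch LXD when explicitly asked and an lxc client is present;
# otherwise the file just defines the functions above.
if [ "${1:-}" = "run" ] && command -v lxc >/dev/null 2>&1; then
    docker_in_lxd_check
    legacy_dhcp_check
fi
```

Run it as `sh test-sru.sh run` once on the unpatched kernel (expect the pivot_root FAIL and a missing IPv4 on the 12.04 container) and again after installing the SRU kernel (expect both PASS lines). The container names and timings are assumptions; adjust `sleep` if the 12.04 image takes longer to get a lease on your bridge.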

