ACK: [SRU][N, O][PATCH v3 0/1] apparmor: Revert conversion of unconfined() to fix label_mediates()

Stefan Bader stefan.bader at canonical.com
Thu Feb 13 09:16:56 UTC 2025


On 05.01.25 10:33, Maxime Bélair wrote:
> BugLink: https://bugs.launchpad.net/bugs/2067900
> 
> SRU Justification:
> 
> [Impact]
> 
> Ubuntu sauce commit "apparmor: convert easy uses of unconfined() to label_mediates()" was applied to Noble and Oracular respectively as dc757a645cfa ("UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()") and 621bcec8dae4 ("UBUNTU: SAUCE: apparmor4.0.0 [80/99]: apparmor: convert easy uses of unconfined() to label_mediates()"). This commit prevents the launching of Docker containers inside an LXC container because the apparmor unconfined profile blocks pivot_root. It also blocks containers that use an old apparmor version (e.g. 2.7) from getting an IPV4 address through DHCP.
> 
> [Fix]
> 
> Noble:
>   - Backport a revert of commit dc757a645cfa ("UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()")
> Oracular:
>   - Backport a revert of commit 621bcec8dae4 ("UBUNTU: SAUCE: apparmor4.0.0 [80/99]: apparmor: convert easy uses of unconfined() to label_mediates()")
> 
> [Test Plan]
> 
> This fix can be tested in Noble and Oracular by running docker in LXC and checking how they behave, as below:
> 
>   1/ Install LXD on a 24.04 machine
>   2/ Run a LXD container with support for security.nesting
>   3/ In the LXD container install docker.io
>   4/ Run a Docker container
> 
> With this patch applied, the docker container will work instead of failing with the following error:
> 
> ```
> docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied: unknown.
> ERRO[0000] error waiting for container:
> ```
> 
> The other issue related to old apparmor versions not supporting ABIs can be tested by running:
> 
> ```
> $ lxc launch ubuntu:12.04
> $ lxc list status=running
> ```
> 
> and checking that the IPV4 field is non-null in the newly-started container
> 
> [Where problems could occur]
> 
> This revert backport is small and returns to the old tested behavior. Hence, this SRU should not cause problems.
> 
> [Changes between v2 and v3]
> 
>   - Create separate patches for Noble and Oracular.
>   - Fix patch corruption in v2.
> 
> [Other Info]
> 
> External links:
>   - https://github.com/canonical/lxd/issues/13389
>   - https://discourse.ubuntu.com/t/containers-with-ubuntu-12-04-5-lts-are-not-getting-ipv4s-anymore/47371
> 
> 
> Maxime Bélair (1):
>    UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: apparmor4.0.0 [80/99]: apparmor: convert easy uses of unconfined() to label_mediates()"
> 
>   security/apparmor/apparmorfs.c |  2 +-
>   security/apparmor/domain.c     | 40 +++++++++++++---------------------
>   security/apparmor/file.c       |  4 ++--
>   security/apparmor/ipc.c        |  2 +-
>   security/apparmor/label.c      |  8 +++----
>   security/apparmor/lsm.c        | 16 +++++++-------
>   security/apparmor/mount.c      |  3 ++-
>   security/apparmor/net.c        |  2 +-
>   security/apparmor/task.c       | 12 ++++++----
>   9 files changed, 42 insertions(+), 47 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>

- Stefan
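The two checks in the quoted test plan, as an added shell script that is not part of the original post or of Ubuntu's kernel tooling. The error string it matches and the `lxc launch ubuntu:12.04` step come from the quoted message; the container names, the `ubuntu:24.04` image for the nesting host, `docker run --rm hello-world` as the probe, the 60 s DHCP wait and the `RUN_SRU_TEST` gate are assumptions. Without `RUN_SRU_TEST=1` the script only defines the helpers, so the output classifiers can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from Ubuntu's kernel
# tooling: automates the two checks in the SRU test plan. Assumptions: the
# container names, the ubuntu:24.04 image for the nesting host, hello-world
# as the Docker probe and the 60 s DHCP timeout. Run the real thing with
#   RUN_SRU_TEST=1 sh sru-check.sh
# on a 24.04 host with LXD installed; without that variable only the helper
# functions are defined.
set -eu

# Pure helper: does a docker/runc error contain the pivot_root denial that
# the unconfined-profile regression produces? (Substring from the bug report.)
is_pivot_root_denied() {
    printf '%s' "$1" | grep -qF 'pivot_root .: permission denied'
}

# Pure helper: does `lxc list -c 4 --format csv` output contain an IPv4
# address? A dotted quad anywhere in the IPV4 column counts; an empty column
# (no DHCP lease) or an IPv6-only column does not.
has_ipv4() {
    printf '%s\n' "$1" | grep -Eq '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
}

# Test plan steps 1-4: nested LXD container, docker.io inside it, run a
# Docker container, classify the outcome.
run_nesting_test() {
    name="${1:-sru-nesting}"   # container name (assumed)
    lxc launch ubuntu:24.04 "$name" -c security.nesting=true
    lxc exec "$name" -- cloud-init status --wait >/dev/null
    lxc exec "$name" -- sh -c \
        'apt-get -q update && DEBIAN_FRONTEND=noninteractive apt-get -qy install docker.io'
    # runc reports the failure on stderr, so capture both streams.
    if out=$(lxc exec "$name" -- docker run --rm hello-world 2>&1); then
        echo "PASS: Docker container ran inside LXD (host kernel $(uname -r))"
    elif is_pivot_root_denied "$out"; then
        echo "FAIL: pivot_root denied, regression present (host kernel $(uname -r))"
        return 1
    else
        echo "ERROR: docker failed for an unrelated reason:"
        printf '%s\n' "$out"
        return 2
    fi
}

# Second check from the test plan: a container with an old userspace
# apparmor (2.7) must still obtain an IPv4 lease through DHCP.
run_dhcp_test() {
    name="${1:-sru-precise}"   # container name (assumed)
    lxc launch ubuntu:12.04 "$name"
    i=0
    while [ "$i" -lt 30 ]; do
        if has_ipv4 "$(lxc list "$name" -c 4 --format csv)"; then
            echo "PASS: $name obtained an IPv4 address"
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "FAIL: $name has no IPv4 address after 60 s"
    return 1
}

if [ "${RUN_SRU_TEST:-0}" = 1 ]; then
    run_nesting_test
    run_dhcp_test
fi
```

Run it once on the affected kernel and once on the patched kernel: the first run should report the pivot_root FAIL and the second PASS for both checks, which is the before/after the SRU justification describes.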