NACK: [SRU][N, O][PATCH v2 0/1] apparmor: Revert conversion of unconfined() to fix label_mediates()
Maxime Bélair
maxime.belair at canonical.com
Sun Jan 5 09:43:44 UTC 2025
On 12/16/24 18:12, Maxime Bélair wrote:
> BugLink: https://bugs.launchpad.net/bugs/2067900
>
> SRU Justification:
>
> [Impact]
>
> In noble and Oracular, the commit dc757a645cfa ("UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()") prevents the launching of Docker containers inside a LXC container because the apparmor unconfined profile blocks pivot_root. It also blocks containers that use an old apparmor version (e.g. 2.7) from getting an IPV4 address through DHCP.
>
> [Fix]
>
> Revert of commit dc757a645cfa ("UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()")
>
> [Test Plan]
>
> This fix can be tested in Noble and Oracular by running docker in LXC and checking how they behave, as below:
>
> 1/ Install LXD on a 24.04 machine
> 2/ Run a LXD container with support for security.nesting
> 3/ In the LXD container install docker.io
> 4/ Run a Docker container
>
> With this patch applied, the docker container will work instead of failing with the following error:
>
> ```
> docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied: unknown.
> ERRO[0000] error waiting for container:
> ```
>
> The other issue related to old apparmor versions not supporting ABIs can be tested by running:
>
> ```
> $ lxc launch ubuntu:12.04
> $ lxc list status=running
> ```
>
> and checking that the IPV4 field is non-null in the newly-started container
>
> [Where problems could occur]
> This revert backport is small and returns to the old tested behavior. Hence, this SRU should not cause problems.
>
> [Changes between v1 and v2]
> - Fixing title of PATCH 1/1
> - Clarification about the fix of the revert conflict.
>
> [Other Info]
>
> External links:
> - https://github.com/canonical/lxd/issues/13389
> - https://discourse.ubuntu.com/t/containers-with-ubuntu-12-04-5-lts-are-not-getting-ipv4s-anymore/47371
>
> Maxime Bélair (1):
> UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to label_mediates()
>
> security/apparmor/apparmorfs.c | 2 +-
> security/apparmor/domain.c | 40 +++++++++++++---------------------
> security/apparmor/file.c | 4 ++--
> security/apparmor/ipc.c | 2 +-
> security/apparmor/label.c | 8 +++----
> security/apparmor/lsm.c | 16 +++++++-------
> security/apparmor/mount.c | 3 ++-
> security/apparmor/net.c | 2 +-
> security/apparmor/task.c | 12 ++++++----
> 9 files changed, 42 insertions(+), 47 deletions(-)
>
Sending a v3
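The [Test Plan] quoted above is a manual four-step procedure plus a second check for old-apparmor guests. The following script is an added example (not part of the SRU cover letter or of the Ubuntu kernel tree) that drives those steps with `lxc` and turns the two pass/fail criteria into small shell functions. The container names `docker-host` and `old-apparmor`, the `hello-world` image, the `apt-get` invocation and the DHCP wait are assumptions; the parsing helpers take command output as arguments so they can be exercised on constructed text without LXD installed.

```shell
#!/bin/sh
# Added example: automates the SRU test plan for the label_mediates() revert.
# Names, images and timings below are assumptions, not values from the cover letter.

# Returns 0 when docker's output contains the pivot_root denial quoted in the
# cover letter (the failure the revert is meant to remove), 1 otherwise.
docker_output_shows_pivot_root_denial() {
    printf '%s\n' "$1" | grep -qF 'pivot_root .: permission denied'
}

# Given a container name and the output of `lxc list status=running`, returns 0
# when that container's IPV4 column holds an address, 1 when the column is
# empty or the container is not listed.  Columns in the default table are
# NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS, so IPV4 is awk field 4.
lxc_list_has_ipv4() {
    _name="$1"
    printf '%s\n' "$2" | awk -v name="$_name" -F'|' '
        $2 ~ ("^[ ]*" name "[ ]*$") {
            found = 1
            gsub(/ /, "", $4)
            if ($4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) ok = 1
        }
        END { if (found && ok) exit 0; exit 1 }'
}

# Steps 1-4 of the test plan, followed by the old-apparmor DHCP check.
# Assumes LXD is already installed on the 24.04 host.
run_test_plan() {
    lxc launch ubuntu:24.04 docker-host -c security.nesting=true
    lxc exec docker-host -- sh -c 'apt-get update -q && apt-get install -qy docker.io'
    out=$(lxc exec docker-host -- docker run --rm hello-world 2>&1)
    if docker_output_shows_pivot_root_denial "$out"; then
        echo "FAIL: pivot_root denied inside nested container (bug still present)"
        return 1
    fi
    echo "PASS: docker container ran inside the LXD container"

    # Old apparmor (2.7) guest: it must still obtain an IPv4 lease via DHCP.
    lxc launch ubuntu:12.04 old-apparmor
    sleep 15   # assumed delay to let the DHCP client finish
    if lxc_list_has_ipv4 old-apparmor "$(lxc list status=running)"; then
        echo "PASS: 12.04 container obtained an IPv4 address"
    else
        echo "FAIL: 12.04 container has no IPv4 address"
        return 1
    fi
}

# Only touch LXD when explicitly requested, so the helpers can be sourced alone.
if [ "${RUN_TEST_PLAN:-0}" = 1 ]; then
    run_test_plan
fi
```

Run it as `RUN_TEST_PLAN=1 sh sru-test.sh` on a 24.04 host with LXD installed; with the revert applied both checks should print PASS, and without it the first check reports the pivot_root denial from the cover letter.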