[Bug 1215386] Re: lxc-start tries to change apparmor profile to unconfined

[Serge Hallyn]

** Description changed:

+ =======================
+ SRU information
+ 1. Impact: failure to start unconfined containers.
+ 2. Development fix: make sure that the buffer into which we read the current container is \0-terminated
+ 3. Stable fix: same as development fix
+ 4. Test case:
+      sudo lxc-create -t ubuntu -n x1
+      sudo sed -i '/lxc.aa_profile/d' /var/lib/lxc/x1/config
+      echo "lxc.aa_profile = unconfined" >> /var/lib/lxc/x1/config
+      sudo lxc-start -n x1
+      Unfortunately since the bug depends on a badly formed stack it can be hard to reproduce
+ 5. Regression potential: there should be none, we are only setting the buffer to all zeros before we read into it.
+ ========================
+ 
  When starting a container that has 'lxc.aa_profile = unconfined' on its
  configuration file, lxc-start fails with
  
    lxc-start: Read-only file system - failed to change apparmor profile
  to unconfined
  
  This happens because the buffer used by lxc-start to read the process'
  apparmor profile from /proc/<PID>/attr/current is not properly NULL-
  terminated. A patch for this has been applied upstream and is available
  at
  https://github.com/lxc/lxc/commit/626ad11bfee3e12e675f51e92920030a6f383b19
  
  Ubuntu Release: Ubuntu 13.04
  lxc package version: 0.9.0-0ubuntu3.4

** Description changed:

  =======================
  SRU information
  1. Impact: failure to start unconfined containers.
  2. Development fix: make sure that the buffer into which we read the current container is \0-terminated
  3. Stable fix: same as development fix
  4. Test case:
       sudo lxc-create -t ubuntu -n x1
       sudo sed -i '/lxc.aa_profile/d' /var/lib/lxc/x1/config
-      echo "lxc.aa_profile = unconfined" >> /var/lib/lxc/x1/config
+      echo "lxc.aa_profile = unconfined" | sudo tee -a /var/lib/lxc/x1/config
       sudo lxc-start -n x1
       Unfortunately since the bug depends on a badly formed stack it can be hard to reproduce
  5. Regression potential: there should be none, we are only setting the buffer to all zeros before we read into it.
  ========================
  
  When starting a container that has 'lxc.aa_profile = unconfined' on its
  configuration file, lxc-start fails with
  
    lxc-start: Read-only file system - failed to change apparmor profile
  to unconfined
  
  This happens because the buffer used by lxc-start to read the process'
  apparmor profile from /proc/<PID>/attr/current is not properly NULL-
  terminated. A patch for this has been applied upstream and is available
  at
  https://github.com/lxc/lxc/commit/626ad11bfee3e12e675f51e92920030a6f383b19
  
  Ubuntu Release: Ubuntu 13.04
  lxc package version: 0.9.0-0ubuntu3.4

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1215386

Title:
  lxc-start tries to change apparmor profile to unconfined

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1215386/+subscriptions