[Bug 1666748] Re: Apparmor problem inside a lxd container
*** This bug is a duplicate of bug 1660832 ***
    https://bugs.launchpad.net/bugs/1660832

The problem with the Unix socket is indeed fixed by 4.4.0-65.86. Thanks John.

I have other issues with AA in namespaces which I will report in other LPs.

** This bug has been marked a duplicate of bug 1660832
   unix domain socket cross permission check failing with nested namespaces

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1666748

Title:
  Apparmor problem inside a lxd container

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1666748/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1666748] Re: Apparmor problem inside a lxd container
On 2017-02-22 02:19 PM, John Johansen wrote:
> You can try the set of kernels in
>
> http://people.canonical.com/~jj/linux+jj/

I haven't had a chance to try those kernels but 4.4.0-65.86 has just hit
-proposed so I'll give it a try and report back, thanks.
[Bug 1666748] Re: Apparmor problem inside a lxd container
You can try the set of kernels in

http://people.canonical.com/~jj/linux+jj/
[Bug 1666748] Re: Apparmor problem inside a lxd container
I'm also seeing those with my smb servers:

apparmor="DENIED" operation="file_perm" namespace="root//lxd-smb_" profile="/usr/sbin/smbd" pid=15865 comm="smbd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="---"

On those I also have this:

apparmor="DENIED" operation="file_inherit" namespace="root//lxd-smb_" profile="/usr/sbin/smbd" name="/run/systemd/journal/stdout" pid=3755 comm="smbd" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

I also have no clue about the above.

John, is there any test kernel I could try before something more official
hits -proposed?
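The two audit records quoted in the message above are the kind of thing an administrator has to triage by hand when a confined service runs inside an LXD container. The following is an added example (not code from the bug thread, from AppArmor, or from LXD) showing one way to parse such records, separate the two failure modes seen here (a unix-socket denial whose peer resolves to "---", and a denied inherited file descriptor), and print the profile rule that would paper over each. The sample log lines are constructed from the records in this thread; the category names and the `suggest_rule` shape are my own, and the suggested rule for the peer="---" case is a workaround only, since the thread attributes that denial to a kernel bug rather than to the profile.

```python
import re
from dataclasses import dataclass

# Constructed sample records, modelled on the two denials quoted in the
# message above, plus one non-denial line so the filter has something to skip.
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_perm" namespace="root//lxd-smb_" profile="/usr/sbin/smbd" pid=15865 comm="smbd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="---"
apparmor="DENIED" operation="file_inherit" namespace="root//lxd-smb_" profile="/usr/sbin/smbd" name="/run/systemd/journal/stdout" pid=3755 comm="smbd" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536
apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/etc/samba/smb.conf" pid=3755 comm="smbd" requested_mask="r" denied_mask="r"
"""

# key=value pairs; the value is either a double-quoted string or a bare token
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    fields = {}
    for m in _FIELD.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


@dataclass
class Finding:
    profile: str
    operation: str
    category: str   # hypothetical triage label chosen for this example
    detail: str


def classify(fields):
    """Map one DENIED record to a triage category; None for non-denials."""
    if fields.get("apparmor") != "DENIED":
        return None
    op = fields.get("operation", "")
    profile = fields.get("profile", "?")
    ns = fields.get("namespace", "")
    # A namespace such as root//lxd-... means the profile is loaded in a
    # child policy namespace, i.e. the container's own AppArmor policy.
    nested = "//" in ns
    if fields.get("family") == "unix" and fields.get("peer") == "---":
        where = f" in nested namespace {ns}" if nested else ""
        return Finding(profile, op, "unix-peer-unresolved",
                       f'unix socket denial with peer="---"{where}; the thread '
                       "attributes this to bug 1660832, fixed in 4.4.0-65.86")
    if op == "file_inherit":
        return Finding(profile, op, "inherited-fd",
                       f"fd for {fields.get('name')} inherited across exec, "
                       f"denied {fields.get('denied_mask')}")
    return Finding(profile, op, "other", f"denied {fields.get('denied_mask')}")


def suggest_rule(fields):
    """Profile rule that would permit the denied access (a workaround, not a fix).

    For the unix case this reproduces the shape of the workaround quoted later
    in the thread; for a plain file operation it is an ordinary path rule.
    """
    if fields.get("family") == "unix":
        access = ",".join(fields.get("requested_mask", "").split())
        parts = [f"unix ({access})"]
        if "sock_type" in fields:
            parts.append(f"type={fields['sock_type']}")
        if fields.get("addr") == "none":
            parts.append("addr=none")
        return " ".join(parts) + ","
    if "name" in fields and "denied_mask" in fields:
        return f"{fields['name']} {fields['denied_mask']},"
    return None


def triage(log_text):
    """Parse every line, keep the denials, and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(parse_audit_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        fields = parse_audit_line(line)
        finding = classify(fields)
        if finding:
            print(f"[{finding.category}] {finding.profile} {finding.operation}: {finding.detail}")
            print(f"  workaround rule: {suggest_rule(fields)}")
```

Run against real data by feeding `journalctl -k` or the audit log into `triage()`; the point of the category split is that the `unix-peer-unresolved` bucket should be checked against the running kernel version before anyone adds the socket rule to the profile, because once the kernel is fixed that rule is unnecessary.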
[Bug 1666748] Re: Apparmor problem inside a lxd container
The peer="---" is likely due to bug 1660832, which has been fixed in the
latest set of kernels that should be rolling out this week.
Re: [Bug 1666748] Re: Apparmor problem inside a lxd container
On 2017-02-21 09:58 PM, Seth Arnold wrote:
> Hi Simon, could you capture the output of apparmor_parser -p on your
> sshd profile?

Here it is: https://paste.ubuntu.com/24044131/

> There are no 'unix' rules in the portion pasted to github.

Indeed, I only added this workaround later on:

  # required within a container/namespace
  unix (send,receive) type=stream addr=none,

I don't like this workaround because I cannot make sense of it and I'm not
even understanding it...

> Also, does 'peer="---"' ring any bells for you?

Nope, sorry.

Thanks Seth,
Simon
[Bug 1666748] Re: Apparmor problem inside a lxd container
Hi Simon, could you capture the output of apparmor_parser -p on your
sshd profile?

There are no 'unix' rules in the portion pasted to github.

Also, does 'peer="---"' ring any bells for you?

Thanks