Verification completed in oracular linux/6.11.0-21.21. Works as
expected.
georgia@sec-oracular-amd64:~$ uname -a
Linux sec-oracular-amd64 6.11.0-21-generic #21-Ubuntu SMP PREEMPT_DYNAMIC Wed Feb 19 16:50:40 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
georgia@sec-oracular-amd64:~$ sudo lxc launch ubuntu:12.04
[sudo] password for georgia:
Launching the instance
Instance name is: grateful-muskrat
georgia@sec-oracular-amd64:~$ sudo lxc ls name=grateful-muskrat
+------------------+---------+-----------------------+------------------------------------------------+-----------+-----------+
|       NAME       |  STATE  |         IPV4          |                      IPV6                      |   TYPE    | SNAPSHOTS |
+------------------+---------+-----------------------+------------------------------------------------+-----------+-----------+
| grateful-muskrat | RUNNING | 10.212.214.210 (eth0) | fd42:fbca:f64c:406c:216:3eff:fe36:f101 (eth0)  | CONTAINER | 0         |
+------------------+---------+-----------------------+------------------------------------------------+-----------+-----------+
georgia@sec-oracular-amd64:~$ sudo apt install docker.io docker-compose-v2
georgia@sec-oracular-amd64:~$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
e6590344b1a5: Pull complete
Digest: sha256:e0b569a5163a5e6be84e210a2587e7d447e08f87a0e90798363fa44a0464a1e8
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
** Tags removed: verification-needed-oracular-linux
** Tags added: verification-done-oracular-linux
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2067900
Title:
apparmor unconfined profile blocks pivot_root
Status in AppArmor:
Confirmed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
The LXD team has received a report
(https://github.com/canonical/lxd/issues/13389) from one of our users that on
an Ubuntu Noble host it is not possible to run Docker containers
inside an LXC container.
After some investigation, it was discovered that the problem is connected
with the AppArmor profile shipped by default as /etc/apparmor.d/runc
(which comes from
https://git.launchpad.net/ubuntu/+source/apparmor/commit/profiles/apparmor.d/runc?h=ubuntu/noble-devel&id=997aea8111bfa1e03960ae3a40321da73f0a6d96 )
This profile is unconfined and should give all permissions to the runc
daemon. But it does not work.
Manually adding a "pivot_root," line and executing "systemctl reload
apparmor.service" makes it work.
After some further investigation it was found that the problem is not
reproducible on the upstream Linux kernel.
Our team was able to find a problematic commit:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=dc757a645cfa82f6ac252365df20a36a9ff82760
The following (partial) revert helps solve the issue on the Ubuntu
kernel:
diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
index 74b7293ab971..b12e6bdfefb2 100644
--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -678,7 +678,7 @@ static struct aa_label *build_pivotroot(const struct cred
*subj_cred,
AA_BUG(!new_path);
AA_BUG(!old_path);
- if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
+ if (profile_unconfined(profile) || !RULE_MEDIATES(rules,
AA_CLASS_MOUNT))
return aa_get_newest_label(&profile->label);
error = aa_path_name(old_path, path_flags(profile, old_path),
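Review bot: the restored condition tests profile_unconfined(profile) before RULE_MEDIATES(rules, AA_CLASS_MOUNT), so an unconfined profile now gets its own label back from build_pivotroot() before any path lookup or audit is attempted, which is exactly the behaviour the report is missing; since the description calls this a partial revert of dc757a645cfa, the commit message that goes with it should say which part of that commit is kept and why the pivot_root path alone needs the short-circuit, or whether the other mount-class mediation paths in mount.c want the same treatment. Also, the added line is wrapped by the mail client into `+ if (profile_unconfined(profile) || !RULE_MEDIATES(rules,` followed by `AA_CLASS_MOUNT))`, so the hunk will not apply as pasted; reflow it onto one line before feeding it to git am.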
System info:
# uname -a
Linux ubuntu 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04 LTS"
<CUT>
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/2067900/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
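The bug description above boils down to two observable facts on an affected host: the kernel audit log shows AppArmor denying operation="pivotroot" for the runc profile, and that profile is declared with flags=(unconfined) yet carries no explicit "pivot_root," rule. The following shell functions check for both and produce a patched copy of the profile with the workaround from the report applied. This is an added example, not code from the bug report, from the apparmor package or from LXD; the audit lines and the profile text are constructed for the example (the audit fields follow the kernel's apparmor="DENIED" format, the profile text is only shaped like the Ubuntu runc profile and is not a copy of it), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Launchpad bug report, apparmor or LXD).
# 1) pivotroot_denied_profiles: name the profiles behind pivot_root denials
#    in kernel audit output (journalctl -k / dmesg).
# 2) unconfined_without_pivot_root: detect the state the bug describes, an
#    unconfined-flag profile with no pivot_root rule.
# 3) add_pivot_root_rule: write a patched copy with the "pivot_root," rule
#    the report used as a workaround, without touching /etc/apparmor.d.

# Constructed sample audit output; field layout follows the kernel's
# AppArmor denial format, values are made up for the example.
SAMPLE_LOG='audit: type=1400 audit(1716200000.123:57): apparmor="DENIED" operation="pivotroot" class="mount" profile="runc" name="/var/lib/docker/overlay2/abc/merged/" pid=4242 comm="runc"
audit: type=1400 audit(1716200000.456:58): apparmor="DENIED" operation="open" class="file" profile="snap.foo.bar" name="/etc/shadow" pid=4300 comm="cat"
audit: type=1400 audit(1716200000.789:59): apparmor="DENIED" operation="pivotroot" class="mount" profile="runc" name="/var/lib/docker/overlay2/def/merged/" pid=4243 comm="runc"'

# Constructed profile text, shaped like an unconfined-flag profile but
# not a copy of the Ubuntu /etc/apparmor.d/runc file.
SAMPLE_PROFILE='abi <abi/4.0>,
include <tunables/global>

profile runc /usr/sbin/runc flags=(unconfined) {
  userns,
}'

# Print the distinct profile names that were denied pivot_root.
# Usage: pivotroot_denied_profiles "$(journalctl -k --no-pager)"
pivotroot_denied_profiles() {
    printf '%s\n' "$1" \
      | grep 'apparmor="DENIED"' \
      | grep 'operation="pivotroot"' \
      | sed -n 's/.*profile="\([^"]*\)".*/\1/p' \
      | sort -u
}

# Exit 0 when the profile file declares flags=(...unconfined...) on its
# block header but contains no pivot_root rule; exit 1 otherwise.
# Usage: unconfined_without_pivot_root /etc/apparmor.d/runc
unconfined_without_pivot_root() {
    grep -Eq 'flags[[:space:]]*=[[:space:]]*\([^)]*unconfined[^)]*\)[[:space:]]*[{][[:space:]]*$' "$1" \
        || return 1
    ! grep -Eq '^[[:space:]]*pivot_root([[:space:]]|,)' "$1"
}

# Copy $1 to $2, inserting a "pivot_root," rule right after the first
# line that opens a profile block (the line ending in "{").
# Usage: add_pivot_root_rule /etc/apparmor.d/runc /tmp/runc.fixed
add_pivot_root_rule() {
    awk 'BEGIN { done = 0 }
         { print }
         /[{][ \t]*$/ && !done { print "  pivot_root,"; done = 1 }' "$1" > "$2"
}
```

After inspecting the patched copy, install it over the real profile and reload with the same command the report used, "systemctl reload apparmor.service"; the kernel-side fix in the quoted hunk makes the extra rule unnecessary, so treat the profile edit as a stopgap and remove it once the fixed kernel is running.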