[pkg-lxc-devel] Bug#1033917: Bug#1033917: lxc: apparmor profile no longer allows unprivileged guest systemd-logind to start (since bookworm)

Pierre-Elliott Bécue peb at debian.org
Tue Apr 4 10:24:06 BST 2023


Forest <forestix at sonic.net> wrote on 03/04/2023 at 23:18:10+0200:

> Package: lxc
> Version: 1:5.0.2-1
> Severity: normal
> X-Debbugs-Cc: forestix at sonic.net
>
> Dear Maintainer,
>
> After upgrading an unprivileged container from bullseye to bookworm, LXC's
> AppArmor profiles are no longer sufficient for the guest's systemd-logind.
>
> This manifests as a 25 second hang when running certain commands (notably
> sudo -i and su -) in the container. It also produces a lot of errors in the
> host & guest logs.
>
> Before the upgrade to bookworm, the hangs did not occur, and systemd-logind
> started without trouble.
>
>
> -- Host journal:
>
> Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
> Apr 02 18:30:01 debtesting CRON[6362]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
> Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session closed for user root
> Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: kauditd_printk_skb: 13 callbacks suppressed
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.414:324): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6369]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.426:325): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6373]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.450:326): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6377]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.522:327): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting audit[6381]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" flags="rw, rslave"
> Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.534:328): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" flags="rw, rslave"
>
>
> -- Guest journal:
>
> Apr 02 18:30:16 lxbox sudo[136]:     root : TTY=pts/7 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
> Apr 02 18:30:16 lxbox sudo[136]: pam_limits(sudo-i:session): Could not set limit for 'core' to soft=0, hard=-1: Operation not permitted; uid=0,euid=0
> Apr 02 18:30:16 lxbox sudo[136]: pam_unix(sudo-i:session): session opened for user root(uid=0) by (uid=0)
> Apr 02 18:30:16 lxbox dbus-daemon[97]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service' requested by ':1.2' (uid=0 pid=136 comm="sudo -i")
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[137]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 1.
> Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[141]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[142]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[142]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 2.
> Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[145]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[146]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[146]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 3.
> Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
> Apr 02 18:30:16 lxbox (modprobe)[149]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[150]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[150]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 4.
> Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[153]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
> Apr 02 18:30:16 lxbox (d-logind)[154]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
> Apr 02 18:30:16 lxbox (d-logind)[154]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 5.
> Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
> Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
> Apr 02 18:30:16 lxbox (modprobe)[157]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
> Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
> Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Start request repeated too quickly.
> Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
> Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
> Apr 02 18:30:41 lxbox dbus-daemon[97]: [system] Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
> Apr 02 18:30:41 lxbox sudo[136]: pam_systemd(sudo-i:session): Failed to create session: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
>
>
> -- Guest busctl monitor output:
>
> Type=method_call  Endian=l  Flags=0  Version=1 Cookie=1  Timestamp="Mon 2023-04-03 01:30:16.386617 UTC"
>   Sender=:1.2  Destination=org.freedesktop.DBus  Path=/org/freedesktop/DBus  Interface=org.freedesktop.DBus  Member=Hello
>   UniqueName=:1.2
>   MESSAGE "" {
>   };
>
> Type=method_return  Endian=l  Flags=1  Version=1 Cookie=1  ReplyCookie=1  Timestamp="Mon 2023-04-03 01:30:16.386790 UTC"
>   Sender=org.freedesktop.DBus  Destination=:1.2
>   MESSAGE "s" {
>           STRING ":1.2";
>   };
>
> Type=signal  Endian=l  Flags=1  Version=1 Cookie=5  Timestamp="Mon 2023-04-03 01:30:16.386806 UTC"
>   Sender=org.freedesktop.DBus  Path=/org/freedesktop/DBus  Interface=org.freedesktop.DBus  Member=NameOwnerChanged
>   MESSAGE "sss" {
>           STRING ":1.2";
>           STRING "";
>           STRING ":1.2";
>   };
>
> Type=signal  Endian=l  Flags=1  Version=1 Cookie=2  Timestamp="Mon 2023-04-03 01:30:16.386820 UTC"
>   Sender=org.freedesktop.DBus  Destination=:1.2  Path=/org/freedesktop/DBus  Interface=org.freedesktop.DBus  Member=NameAcquired
>   MESSAGE "s" {
>           STRING ":1.2";
>   };
>
> Type=signal  Endian=l  Flags=1  Version=1 Cookie=12  Timestamp="Mon 2023-04-03 01:30:16.392000 UTC"
>   Sender=org.freedesktop.DBus  Destination=org.freedesktop.systemd1  Path=/org/freedesktop/DBus  Interface=org.freedesktop.systemd1.Activator  Member=ActivationRequest
>   MESSAGE "s" {
>           STRING "dbus-org.freedesktop.login1.service";
>   };
>
> Type=method_call  Endian=l  Flags=0  Version=1 Cookie=2  Timestamp="Mon 2023-04-03 01:30:16.392080 UTC"
>   Sender=:1.2  Destination=org.freedesktop.login1  Path=/org/freedesktop/login1  Interface=org.freedesktop.login1.Manager  Member=CreateSession
>   UniqueName=:1.2
>   MESSAGE "uusssssussbssa(sv)" {
>           UINT32 0;
>           UINT32 0;
>           STRING "sudo-i";
>           STRING "x11";
>           STRING "user";
>           STRING "KDE";
>           STRING "seat0";
>           UINT32 7;
>           STRING "pts/7";
>           STRING "";
>           BOOLEAN false;
>           STRING "root";
>           STRING "";
>           ARRAY "(sv)" {
>           };
>   };
>
> Type=error  Endian=l  Flags=1  Version=1 Cookie=3  ReplyCookie=2  Timestamp="Mon 2023-04-03 01:30:41.416860 UTC"
>   Sender=org.freedesktop.DBus  Destination=:1.2
>   ErrorName=org.freedesktop.DBus.Error.TimedOut  ErrorMessage="Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)"
>   MESSAGE "s" {
>           STRING "Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)";
>   };
>
> Type=signal  Endian=l  Flags=1  Version=1 Cookie=6  Timestamp="Mon 2023-04-03 01:30:41.417026 UTC"
>   Sender=org.freedesktop.DBus  Destination=:1.2  Path=/org/freedesktop/DBus  Interface=org.freedesktop.DBus  Member=NameLost
>   MESSAGE "s" {
>           STRING ":1.2";
>   };
>
> Type=signal  Endian=l  Flags=1  Version=1 Cookie=7  Timestamp="Mon 2023-04-03 01:30:41.417043 UTC"
>   Sender=org.freedesktop.DBus  Path=/org/freedesktop/DBus  Interface=org.freedesktop.DBus  Member=NameOwnerChanged
>   MESSAGE "sss" {
>           STRING ":1.2";
>           STRING ":1.2";
>           STRING "";
>   };

What's weird is that the problem was already happening in buster and
bullseye.

I guess it is plausible that /etc/lxc/default.conf has been updated in
your upgrade, resetting the lxc-apparmor-profile to something that won't
work for unprivileged containers.

The issue is "normal": the apparmor profile needed to allow
systemd-logind to work properly would allow a user in a privileged
container to escalate and become root on the host. As one can't be
certain what profile will be used, the solution lies either within LXD
(which generates custom profiles for each container), or with creating
a dedicated apparmor profile that you use only on unprivileged
containers.

The missing lines in apparmor rules have been added in
lxc-default-with-nesting rules of apparmor for lxc 5.

See the patch below:

From: Pierre-Elliott Bécue <peb at debian.org>
Date: Mon, 1 Aug 2022 22:35:10 +0200
Subject: [nesting] Extend mount permissions in apparmor to allow systemd
 services' restrictions to work

These options allow systemd security features to work. In particular
cases, it helps with systemd-logind and programs like this.

It's only added in the nesting profile as it could pose security risks on
privileged containers.

mount options=(rw,rbind) -> /run/systemd/unit-root/,
mount options=(rw,rbind) -> /run/systemd/unit-root/**,
mount options=(rw,rshared) -> /,
mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,
---                                                                                                           
 config/apparmor/profiles/lxc-default-with-nesting | 4 ++++                                                   
 1 file changed, 4 insertions(+)                                                                              
                                                                                                              
diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
index cd198be..01562a9 100644                                                                                 
--- a/config/apparmor/profiles/lxc-default-with-nesting                                                       
+++ b/config/apparmor/profiles/lxc-default-with-nesting                                                       
@@ -10,6 +10,10 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de           
   mount fstype=proc -> /var/cache/lxc/**,                                                                    
   mount fstype=sysfs -> /var/cache/lxc/**,                                                                   
   mount options=(rw,bind),                                                                                   
+  mount options=(rw,rbind) -> /run/systemd/unit-root/,                                                       
+  mount options=(rw,rbind) -> /run/systemd/unit-root/**,                                                     
+  mount options=(rw,rshared) -> /,                                                                           
+  mount options=(rw,nosuid,nodev,noexec) proc -> /run/systemd/unit-root/proc/,                               
   mount fstype=cgroup -> /sys/fs/cgroup/**,                                                                  
   mount fstype=cgroup2 -> /sys/fs/cgroup/**,                                                                 
 }
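Review bot: the rule `mount options=(rw,rshared) -> /,` added in this hunk does not match the denial quoted in the report, which is logged as `operation="mount" ... name="/" ... flags="rw, rslave"`; an `options=(...)` rule permits only that exact flag set, so the rslave remount of / that systemd-logind attempts would still be refused by this profile, and the report's denials are in any case attributed to `lxc-container-default-cgns`, not `lxc-container-default-with-nesting`, so the hunk only helps a container whose `lxc.apparmor.profile` points at the nesting profile. If the logind case is meant to be covered, consider adding `mount options=(rw,rslave) -> /,` beside the rshared line, and have the commit message say which of the four rules each step of systemd's namespace setup needs, so a reviewer can judge each one's risk separately.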

-- 
PEB
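As an added triage helper (written here; not part of the bug report or of the lxc project), this script turns host-side AVC mount denials like the ones quoted above into the AppArmor mount rules that would exactly match them, and reports which profile issued the denials. The sample journal is constructed: two lines reproduce the report's denial, one is a made-up fstype/srcname denial so the derivation also covers that shape, which goes beyond the single rslave case in the report.

```python
import re
from typing import Dict, List, Set

# Constructed sample journal: the first two lines reproduce the shape of the
# denial quoted in the bug report, the third is a constructed fstype/srcname
# denial added to exercise the general rule derivation, the CRON line is noise.
SAMPLE_JOURNAL = """\
Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6369]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6370]: AVC apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/run/systemd/unit-root/proc/" pid=6370 comm="(d-logind)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
"""

# AppArmor audit records carry their interesting fields as key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(journal: str) -> List[Dict[str, str]]:
    """Return the quoted key/value fields of every AppArmor mount DENIED line."""
    denials = []
    for line in journal.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") == "DENIED" and fields.get("operation") == "mount":
            denials.append(fields)
    return denials


def mount_rule(fields: Dict[str, str]) -> str:
    """Build the rule that exactly matches one denial, in AppArmor's
    'mount [fstype=X] [options=(...)] [source] -> dest,' form."""
    parts = ["mount"]
    if "fstype" in fields:
        parts.append(f"fstype={fields['fstype']}")
    if "flags" in fields:  # audit writes "rw, rslave"; the rule wants (rw,rslave)
        parts.append("options=(" + ",".join(f.strip() for f in fields["flags"].split(",")) + ")")
    if "srcname" in fields:
        parts.append(fields["srcname"])
    parts.append(f"-> {fields['name']},")
    return " ".join(parts)


def proposed_rules(journal: str) -> List[str]:
    """Deduplicated rules, in first-seen order, for every mount denial in the journal."""
    rules: List[str] = []
    for fields in parse_denials(journal):
        rule = mount_rule(fields)
        if rule not in rules:
            rules.append(rule)
    return rules


def denying_profiles(journal: str) -> Set[str]:
    """Profiles that issued the denials: a fix to a different profile will not apply."""
    return {fields["profile"] for fields in parse_denials(journal)}


if __name__ == "__main__":
    print("denying profiles:", ", ".join(sorted(denying_profiles(SAMPLE_JOURNAL))))
    for rule in proposed_rules(SAMPLE_JOURNAL):
        print("  " + rule)
```

For the report's denial it yields `mount options=(rw,rslave) -> /,` under `lxc-container-default-cgns`; compare that profile name with the container's `lxc.apparmor.profile` before assuming a change to the nesting profile will reach the guest.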