[pkg-apparmor] Bug#1098521: Bug#1098521: apparmor 4.x breaks systemd user namespacing in lxc containers
intrigeri
intrigeri at debian.org
Mon Mar 3 11:08:42 GMT 2025
Control: reassign -1 lxc
Hi,
Antoine Le Gonidec (2025-02-21):
> When upgrading apparmor (and libapparmor1) to 4.1.0~beta5-2, multiple
> services spawned by systemd in lxc containers fail to start, with denied
> permissions errors.
>
> Errors similar to the following ones can be found in the kernel logs:
>
> apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-fediverse_</srv/containers>" pid=1215864 comm="(snac)" requested="userns_create" denied="userns_create"
>
> apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-forge_</srv/containers>" pid=1203690 comm="(s-server)" requested="userns_create" denied="userns_create"
> ("s-server" here is "redis-server")
>
> Downgrading to apparmor + libapparmor1 3.1.7-4 gets rid of these
> problems.
>
> Such errors are not triggered in lxc containers that use OpenRC as the
> init system, only the ones using systemd are impacted.
It looks like the AppArmor profiles generated by LXC may need an
update to work with the feature set update that I applied in the
4.1~* src:apparmor uploads
(https://salsa.debian.org/apparmor-team/apparmor/-/commit/71c0d1bfdd0556cb8466913d65ca4f6fced14b63).
Adding this rule should be sufficient:

    userns,

I suspect Ubuntu has already hit this problem so hopefully it's fixed
upstream already?
Cheers,
--
intrigeri
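A small triage helper, added here as an example (it is not part of this bug report nor of the apparmor or lxc packages): it parses kernel audit lines in the format quoted above and lists, per LXC profile, which programs were denied userns_create, i.e. which generated profiles still lack the userns rule. The sample lines are constructed from the two in the report plus one unrelated, non-denial line; field names follow the quoted output.

```python
import re
from collections import defaultdict

# Constructed sample log lines: the two denials quoted in the report plus
# one unrelated line that must be ignored by the filter.
SAMPLE_LOG = """\
apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-fediverse_</srv/containers>" pid=1215864 comm="(snac)" requested="userns_create" denied="userns_create"
apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-forge_</srv/containers>" pid=1203690 comm="(s-server)" requested="userns_create" denied="userns_create"
apparmor="ALLOWED" operation="open" class="file" profile="lxc-forge_</srv/containers>" name="/etc/hosts" pid=1 comm="systemd"
apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-forge_</srv/containers>" pid=1203700 comm="(snac)" requested="userns_create" denied="userns_create"
"""

# key=value pairs; values are either double-quoted (may contain spaces, '<', '/')
# or a bare token such as pid=1215864.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict.

    Surrounding quotes are stripped from quoted values; bare values are kept as-is.
    """
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def userns_denials_by_profile(log_text):
    """Map each profile that logged a userns_create denial to the sorted
    list of comm values (programs) that triggered it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f.get("apparmor") == "DENIED" and f.get("operation") == "userns_create":
            hits[f.get("profile", "?")].add(f.get("comm", "?"))
    return {profile: sorted(comms) for profile, comms in hits.items()}


if __name__ == "__main__":
    for profile, comms in userns_denials_by_profile(SAMPLE_LOG).items():
        print(f"{profile}: {', '.join(comms)}  -> needs 'userns,' rule")
```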