[pkg-lxc-devel] Bug#958158: lxc: lsm/apparmor.c: make_apparmor_namespace: 845 Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-buster-unpriv_<-home-ryutaroh-.local-share-lxc>
Ryutaroh Matsumoto
ryutaroh at ict.e.titech.ac.jp
Sun Apr 19 08:05:01 BST 2020
Package: lxc
Version: 1:4.0.2-1~1
Severity: normal
Dear Maintainer,
Thank you very much for packaging LXC 4.0.2.
I created a guest Linux with
lxc-create -B btrfs -t download -- -d debian -r buster -a amd64
I was able to use LXC 4.0.2 with
* privileged container started by root
* unprivileged container started by root
on a Debian Bullseye host in pure CGroupV2 (systemd.unified_cgroup_hierarchy=1).
But when a non-root user runs "lxc-execute" or "lxc-start",
I get an AppArmor error as below.
Script started on 2020-04-19 15:36:36+09:00 [TERM="linux" TTY="/dev/tty2" COLUMNS="128" LINES="48"]
ryutaroh at bullseye-qemu:~$ systemd-run --user --scope -p "Delegate=yes" lxc-execute -n buster-unpriv -- /bin/bash
Running scope as unit: run-ra950d6a0aaf94fd28f2153e0958e4293.scope
lxc-execute: buster-unpriv: lsm/apparmor.c: make_apparmor_namespace: 845 Permission denied - Error creating AppArmor namespace: /sys/kernel/security/apparmor/policy/namespaces/lxc-buster-unpriv_<-home-ryutaroh-.local-share-lxc>
lxc-execute: buster-unpriv: lsm/apparmor.c: apparmor_prepare: 1064 Failed to load generated AppArmor profile
lxc-execute: buster-unpriv: start.c: lxc_init: 845 Failed to initialize LSM
lxc-execute: buster-unpriv: start.c: __lxc_start: 1898 Failed to initialize container "buster-unpriv"
lxc-execute: buster-unpriv: tools/lxc_execute.c: main: 226 Failed run an application inside container
ryutaroh at bullseye-qemu:~$ exit
exit
Script done on 2020-04-19 15:37:39+09:00 [COMMAND_EXIT_CODE="1"]
The above error can be worked around by adding
lxc.apparmor.profile = unconfined
to the config file of a container.
I suspect that this is the same as the upstream issue reported at
https://github.com/lxc/lxc/issues/3371
but I am unsure. So I do not attach the upstream tag.
I do not think this is related to pure CGroupV2.
Best regards, Ryutaroh Matsumoto
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.5.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lxc depends on:
ii debconf [debconf-2.0] 1.5.73
ii libc6 2.30-4
ii libgcc-s1 10-20200411-1
ii liblxc1 1:4.0.2-1~1
ii lsb-base 11.1.0
Versions of packages lxc recommends:
ii apparmor 2.13.4-1+b1
ii bridge-utils 1.6-2
pn debootstrap <none>
ii dirmngr 2.2.20-1
ii dnsmasq-base [dnsmasq-base] 2.80-1.1
ii gnupg 2.2.20-1
ii iproute2 5.5.0-1
ii iptables 1.8.4-3
pn libpam-cgfs <none>
pn lxc-templates <none>
pn lxcfs <none>
ii openssl 1.1.1f-1
pn rsync <none>
ii uidmap 1:4.8.1-1
Versions of packages lxc suggests:
ii btrfs-progs 5.6-1
pn lvm2 <none>
pn python3-lxc <none>
-- debconf information:
lxc/auto_update_config:
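The workaround in the report sets lxc.apparmor.profile to unconfined, which removes AppArmor confinement from that container entirely, so it is worth being able to find such containers again once the bug is fixed. The following POSIX shell check is an added example, not part of the bug report or of LXC itself; it assumes the usual layout <lxcpath>/<container>/config (for example ~/.local/share/lxc for an unprivileged user) and reports the effective lxc.apparmor.profile of each container.

```shell
#!/bin/sh
# Added example (not from the bug report or from LXC): report the effective
# lxc.apparmor.profile of every container below an LXC path, so containers
# left on the "unconfined" workaround can be located later.
# Assumed layout: <lxcpath>/<container>/config (e.g. ~/.local/share/lxc).

# Effective profile of one config file: comment lines are ignored and, when
# the key is set more than once, the last assignment is taken (as lxc does
# for a repeated single-value key). Prints "(unset)" when the key is absent,
# in which case lxc applies its own default.
effective_apparmor_profile() {
    cfg="$1"
    profile=$(sed -n 's/^[[:space:]]*lxc\.apparmor\.profile[[:space:]]*=[[:space:]]*//p' "$cfg" |
              sed 's/[[:space:]]*$//' | tail -n 1)
    [ -n "$profile" ] && printf '%s\n' "$profile" || printf '(unset)\n'
}

# One line per container: "<name> <effective profile>".
lxc_apparmor_profiles() {
    lxcpath="$1"
    for cfg in "$lxcpath"/*/config; do
        [ -f "$cfg" ] || continue
        name=$(basename "$(dirname "$cfg")")
        printf '%s %s\n' "$name" "$(effective_apparmor_profile "$cfg")"
    done
}

# Names of containers whose effective profile is "unconfined".
# Exit status 1 when at least one is found, 0 otherwise (usable from cron/CI).
# Usage: . ./audit.sh; unconfined_containers ~/.local/share/lxc
unconfined_containers() {
    hits=$(lxc_apparmor_profiles "$1" | awk '$2 == "unconfined" { print $1 }')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}
```

Containers that pull in further settings through lxc.include are not followed; only the container's own config file is read.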