[pkg-lxc-devel] Bug#993391: lxc: Unprivileged lxc example from README.Debian.gz gives AppArmor error "Failed to mount proc"

Pierre-Elliott Bécue peb at debian.org
Wed Sep 1 11:12:53 BST 2021 

Control: tags -1 +moreinfo

Le mardi 31 août 2021 à 18:44:19+0200, pk1 a écrit :
> Package: lxc
> Version: 1:4.0.6-2
> Severity: important
> X-Debbugs-Cc: pkoroau+bts at gmail.com
> 
> Dear Maintainer,
> 
> 
> On a pristine Debian 11 install, the example from "Unprivileged containers"
> section of /usr/share/doc/lxc/README.Debian.gz gives "Failed to mount proc"
> with an AppArmor error in dmesg, but lxc.apparmor.profile is unconfined.
> 
> reportbug said to test unstable's lxc 1:4.0.10-1, but that also fails with
> a different error message.
> 
> 
> $  cat test_config 
>   lxc.idmap = u 0 100000 65536
>   lxc.idmap = g 0 100000 65536
>   lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
>   lxc.apparmor.profile = unconfined
> 
> $   systemd-run --scope --quiet --user --property=Delegate=yes    lxc-start --logfile /dev/stderr -f test_config -n machine
> lxc-start machine 20210830065007.367 ERROR    utils - utils.c:safe_mount:1204 - Permission denied - Failed to mount "proc" onto "/proc"
> lxc-start machine 20210830065007.367 ERROR    conf - conf.c:lxc_mount_auto_mounts:681 - Permission denied - Failed to mount "proc" on "/proc" with flags 14
> lxc-start machine 20210830065007.367 ERROR    conf - conf.c:lxc_setup:3330 - Failed to setup first automatic mounts
> lxc-start machine 20210830065007.367 ERROR    start - start.c:do_start:1218 - Failed to setup container "machine"
> [snip]
> 
> # dmesg | tail
> [snip unrelated]
> [ 2127.458104] audit: type=1400 audit(1630306207.363:40): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/proc/" pid=3286 comm="lxc-start" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"

I am unable to reproduce your bug on a vanilla Debian 11 or unstable
system.

Please print the output of "sysctl kernel.unprivileged_userns_clone"

Please also follow all instructions of the readme file, and give me a
feedback.

Regards,

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for principles than to live up to them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-lxc-devel/attachments/20210901/b780a80a/attachment.sig>

More information about the Pkg-lxc-devel mailing list