[pkg-lxc-devel] Bug#995350: lxc: apparmor profile denies systemd.logind mounts inside privileged containers

Andreas Feldner pelzi at flying-snail.de
Thu Sep 30 08:41:31 BST 2021 

Package: lxc
Version: 1:4.0.10-1
Severity: important

Dear Maintainer,

running lxc containers with debian template privileged leads to failure of
systemd.logind in each container.
In the host, the following is repeatedly showing up in the syslog (line
breaks and indentation inserted):
  apparmor="DENIED" operation="mount" info="failed flags match" error=-13 
     profile="lxc-container-default-with-nesting" 
     name="/run/systemd/unit-root/" pid=228162 comm="(d-logind)" 
     srcname="/" flags="rw, rbind"

Obviously, the pid is varying.

Inside the containers, systemd-logind shows as failing:

Sep 30 07:37:05 xxxxxx systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 5.
Sep 30 07:37:05 xxxxxx systemd[1]: Stopped User Login Management.
Sep 30 07:37:05 xxxxxx systemd[1]: systemd-logind.service: Start request repeated too quickly.
Sep 30 07:37:05 xxxxxx systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Sep 30 07:37:05 xxxxxx systemd[1]: Failed to start User Login Management.

I understand that systemd-logind introduced such mounts to protect parts of the (container)
system from potential vulnerabilites or malfunctions of services. I'd expect
apparmor to grant these mounts.


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_US
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  bridge-utils                 1.7-1
ii  debconf [debconf-2.0]        1.5.77
ii  dnsmasq-base [dnsmasq-base]  2.85-1
ii  iproute2                     5.14.0-1
ii  iptables                     1.8.7-1
ii  libc6                        2.32-4
ii  libcap2                      1:2.44-1
ii  libgcc-s1                    11.2.0-7
ii  liblxc1                      1:4.0.10-1
ii  libseccomp2                  2.5.1-1
ii  libselinux1                  3.1-3
ii  lsb-base                     11.1.0

Versions of packages lxc recommends:
ii  apparmor       3.0.3-2
ii  debootstrap    1.0.123
ii  dirmngr        2.2.27-2
ii  gnupg          2.2.27-2
ii  libpam-cgfs    1:4.0.10-1
ii  lxc-templates  3.0.4-5
ii  lxcfs          4.0.7-1
ii  openssl        1.1.1l-1
ii  rsync          3.2.3-8
ii  uidmap         1:4.8.1-1
ii  wget           1.21-1+b1

Versions of packages lxc suggests:
pn  btrfs-progs  <none>
ii  lvm2         2.03.11-2.1
ii  python3-lxc  1:3.0.4-1+b4

-- Configuration Files:
/etc/default/lxc-net changed:
USE_LXC_BRIDGE="false"

/etc/lxc/lxc.conf changed:
lxcpath=/var/lib/lxc


-- debconf information:
  lxc/auto_update_config:
  lxc/shutdown: stop
  lxc/directory: /var/lib/lxc
  lxc/title:
  lxc/auto: true

More information about the Pkg-lxc-devel mailing list