[pkg-lxc-devel] Bug#1033917: lxc: apparmor profile no longer allows unprivileged guest systemd-logind to start (since bookworm)
Forest
forestix at sonic.net
Mon Apr 3 22:18:10 BST 2023
Package: lxc
Version: 1:5.0.2-1
Severity: normal
X-Debbugs-Cc: forestix at sonic.net
Dear Maintainer,
After upgrading an unprivileged container from bullseye to bookworm, LXC's
AppArmor profiles are no longer sufficient for the guest's systemd-logind.
This manifests as a 25-second hang when running certain commands (notably
sudo -i and su -) in the container. It also produces a lot of errors in the
host & guest logs.
Before the upgrade to bookworm, the hangs did not occur, and systemd-logind
started without trouble.
-- Host journal:
Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Apr 02 18:30:01 debtesting CRON[6362]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session closed for user root
Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: kauditd_printk_skb: 13 callbacks suppressed
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.414:324): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6369]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.426:325): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6373]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.450:326): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6373 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6377]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.522:327): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6377 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6381]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.534:328): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6381 comm="(d-logind)" flags="rw, rslave"
-- Guest journal:
Apr 02 18:30:16 lxbox sudo[136]: root : TTY=pts/7 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Apr 02 18:30:16 lxbox sudo[136]: pam_limits(sudo-i:session): Could not set limit for 'core' to soft=0, hard=-1: Operation not permitted; uid=0,euid=0
Apr 02 18:30:16 lxbox sudo[136]: pam_unix(sudo-i:session): session opened for user root(uid=0) by (uid=0)
Apr 02 18:30:16 lxbox dbus-daemon[97]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service' requested by ':1.2' (uid=0 pid=136 comm="sudo -i")
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[137]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 1.
Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[141]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[142]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[142]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 2.
Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[145]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[146]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[146]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 3.
Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox (modprobe)[149]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[150]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[150]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 4.
Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[153]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[154]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox (d-logind)[154]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Scheduled restart job, restart counter is at 5.
Apr 02 18:30:16 lxbox systemd[1]: Stopped systemd-logind.service - User Login Management.
Apr 02 18:30:16 lxbox systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
Apr 02 18:30:16 lxbox (modprobe)[157]: modprobe@drm.service: Executable /sbin/modprobe missing, skipping: No such file or directory
Apr 02 18:30:16 lxbox systemd[1]: modprobe@drm.service: Deactivated successfully.
Apr 02 18:30:16 lxbox systemd[1]: Finished modprobe@drm.service - Load Kernel Module drm.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Start request repeated too quickly.
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Failed with result 'exit-code'.
Apr 02 18:30:16 lxbox systemd[1]: Failed to start systemd-logind.service - User Login Management.
Apr 02 18:30:41 lxbox dbus-daemon[97]: [system] Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
Apr 02 18:30:41 lxbox sudo[136]: pam_systemd(sudo-i:session): Failed to create session: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
-- Guest busctl monitor output:
Type=method_call Endian=l Flags=0 Version=1 Cookie=1 Timestamp="Mon 2023-04-03 01:30:16.386617 UTC"
Sender=:1.2 Destination=org.freedesktop.DBus Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=Hello
UniqueName=:1.2
MESSAGE "" {
};
Type=method_return Endian=l Flags=1 Version=1 Cookie=1 ReplyCookie=1 Timestamp="Mon 2023-04-03 01:30:16.386790 UTC"
Sender=org.freedesktop.DBus Destination=:1.2
MESSAGE "s" {
STRING ":1.2";
};
Type=signal Endian=l Flags=1 Version=1 Cookie=5 Timestamp="Mon 2023-04-03 01:30:16.386806 UTC"
Sender=org.freedesktop.DBus Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=NameOwnerChanged
MESSAGE "sss" {
STRING ":1.2";
STRING "";
STRING ":1.2";
};
Type=signal Endian=l Flags=1 Version=1 Cookie=2 Timestamp="Mon 2023-04-03 01:30:16.386820 UTC"
Sender=org.freedesktop.DBus Destination=:1.2 Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=NameAcquired
MESSAGE "s" {
STRING ":1.2";
};
Type=signal Endian=l Flags=1 Version=1 Cookie=12 Timestamp="Mon 2023-04-03 01:30:16.392000 UTC"
Sender=org.freedesktop.DBus Destination=org.freedesktop.systemd1 Path=/org/freedesktop/DBus Interface=org.freedesktop.systemd1.Activator Member=ActivationRequest
MESSAGE "s" {
STRING "dbus-org.freedesktop.login1.service";
};
Type=method_call Endian=l Flags=0 Version=1 Cookie=2 Timestamp="Mon 2023-04-03 01:30:16.392080 UTC"
Sender=:1.2 Destination=org.freedesktop.login1 Path=/org/freedesktop/login1 Interface=org.freedesktop.login1.Manager Member=CreateSession
UniqueName=:1.2
MESSAGE "uusssssussbssa(sv)" {
UINT32 0;
UINT32 0;
STRING "sudo-i";
STRING "x11";
STRING "user";
STRING "KDE";
STRING "seat0";
UINT32 7;
STRING "pts/7";
STRING "";
BOOLEAN false;
STRING "root";
STRING "";
ARRAY "(sv)" {
};
};
Type=error Endian=l Flags=1 Version=1 Cookie=3 ReplyCookie=2 Timestamp="Mon 2023-04-03 01:30:41.416860 UTC"
Sender=org.freedesktop.DBus Destination=:1.2
ErrorName=org.freedesktop.DBus.Error.TimedOut ErrorMessage="Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)"
MESSAGE "s" {
STRING "Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)";
};
Type=signal Endian=l Flags=1 Version=1 Cookie=6 Timestamp="Mon 2023-04-03 01:30:41.417026 UTC"
Sender=org.freedesktop.DBus Destination=:1.2 Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=NameLost
MESSAGE "s" {
STRING ":1.2";
};
Type=signal Endian=l Flags=1 Version=1 Cookie=7 Timestamp="Mon 2023-04-03 01:30:41.417043 UTC"
Sender=org.freedesktop.DBus Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=NameOwnerChanged
MESSAGE "sss" {
STRING ":1.2";
STRING ":1.2";
STRING "";
};
-- System Information:
Debian Release: 12.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-7-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lxc depends on:
ii debconf [debconf-2.0] 1.5.82
ii dnsmasq-base [dnsmasq-base] 2.89-1
ii iproute2 6.1.0-2
ii libapparmor1 3.0.8-3
ii libc6 2.36-8
ii libcap2 1:2.66-3
ii libgcc-s1 12.2.0-14
ii liblxc-common 1:5.0.2-1
ii liblxc1 1:5.0.2-1
ii libseccomp2 2.5.4-1+b3
ii libselinux1 3.4-1+b5
ii nftables 1.0.6-2
ii sysvinit-utils [lsb-base] 3.06-2
Versions of packages lxc recommends:
ii apparmor 3.0.8-3
ii debootstrap 1.0.128+nmu2
ii dirmngr 2.2.40-1.1
ii gnupg 2.2.40-1.1
ii libpam-cgfs 1:5.0.2-1
ii lxc-templates 3.0.4.48.g4765da8-1
ii lxcfs 5.0.3-1
ii openssl 3.0.8-1
ii rsync 3.2.7-1
ii uidmap 1:4.13+dfsg1-1+b1
ii wget 1.21.3-1+b2
Versions of packages lxc suggests:
pn btrfs-progs <none>
pn lvm2 <none>
pn python3-lxc <none>
-- debconf information excluded
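The report above is diagnosed by reading two journals side by side: the host's AppArmor AVC denials (operation="mount", flags="rw, rslave", comm="(d-logind)") and the guest's systemd "Failed to set up mount namespacing" / status=226/NAMESPACE failures that happen at the same second. The following script is an added example (not part of the bug report, and not LXC or Debian code) that automates that triage: it parses AppArmor DENIED records from host journal text, groups them by profile/operation/path/comm/flags while counting each pid once (the audit daemon line and the kernel "type=1400" line describe the same event), and counts how many distinct denied pids fall within a few seconds of each guest NAMESPACE failure. The sample journal lines are constructed, modelled on the excerpts quoted in the report; the function names and the 5-second window are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, modelled on the host and guest journal excerpts in the report.
HOST_JOURNAL = """\
Apr 02 18:30:01 debtesting CRON[6361]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Apr 02 18:30:16 debtesting audit[6365]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting kernel: kauditd_printk_skb: 13 callbacks suppressed
Apr 02 18:30:16 debtesting kernel: audit: type=1400 audit(1680485416.414:324): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6365 comm="(d-logind)" flags="rw, rslave"
Apr 02 18:30:16 debtesting audit[6369]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6369 comm="(d-logind)" flags="rw, rslave"
"""

GUEST_JOURNAL = """\
Apr 02 18:30:16 lxbox systemd[1]: Starting systemd-logind.service - User Login Management...
Apr 02 18:30:16 lxbox (d-logind)[138]: systemd-logind.service: Failed to set up mount namespacing: Permission denied
Apr 02 18:30:16 lxbox systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Apr 02 18:30:41 lxbox sudo[136]: pam_systemd(sudo-i:session): Failed to create session: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
"""

# journalctl short format: "Mon DD HH:MM:SS host rest..."
TS_RE = re.compile(r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$')
# key=value pairs, quoted or bare (error=-13, pid=6365, flags="rw, rslave")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GROUP_KEYS = ("profile", "operation", "name", "comm", "flags")


def parse_timestamp(line):
    """Parse the journal timestamp; the year is absent, which is fine for deltas within one excerpt."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") if m else None


def parse_avc(line):
    """Return the key=value fields of an AppArmor DENIED record, or None for any other line.

    Both the audit daemon form (audit[pid]: AVC apparmor="DENIED" ...) and the kernel form
    (kernel: audit: type=1400 ... apparmor="DENIED" ...) carry the same fields."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def summarize_denials(text):
    """Group DENIED records by (profile, operation, name, comm, flags) -> number of distinct pids.

    Counting pids rather than lines collapses the audit/kernel duplicates of one event."""
    groups = defaultdict(set)
    for line in text.splitlines():
        fields = parse_avc(line)
        if fields is None or "pid" not in fields:
            continue
        key = tuple(fields.get(k, "") for k in GROUP_KEYS)
        groups[key].add(fields["pid"])
    return {k: len(v) for k, v in groups.items()}


def namespace_failures(text):
    """Timestamps of guest lines where systemd could not set up a service's mount namespace."""
    return [parse_timestamp(line) for line in text.splitlines()
            if "Failed to set up mount namespacing" in line or "status=226/NAMESPACE" in line]


def correlate(host_text, guest_text, window_s=5):
    """For each guest NAMESPACE failure, count distinct host pids with a denied mount within
    window_s seconds. A non-zero count points at the host AppArmor profile, not the guest."""
    denials = []
    for line in host_text.splitlines():
        fields = parse_avc(line)
        if fields and fields.get("operation") == "mount" and "pid" in fields:
            denials.append((parse_timestamp(line), fields["pid"]))
    results = []
    for t in namespace_failures(guest_text):
        pids = {pid for dt, pid in denials if abs((dt - t).total_seconds()) <= window_s}
        results.append((t.strftime("%b %d %H:%M:%S"), len(pids)))
    return results


if __name__ == "__main__":
    for key, n in summarize_denials(HOST_JOURNAL).items():
        profile, op, path, comm, flags = key
        print(f"{profile}: {op} of {path!r} by {comm} with flags {flags!r} denied for {n} pid(s)")
    for when, n in correlate(HOST_JOURNAL, GUEST_JOURNAL):
        print(f"guest NAMESPACE failure at {when}: {n} matching host mount denial pid(s)")
```

Run against real data with `journalctl -k -o short` on the host and `journalctl -o short` inside the container; a denied-mount count that tracks every guest NAMESPACE failure confirms the host profile, rather than guest configuration, is what needs adjusting.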