lxc-start tries to change apparmor profile to unconfined

Bug #1215386 reported by Andre Nathan
This bug affects 2 people
Affects            Status        Importance  Assigned to  Milestone
lxc (Ubuntu)       Fix Released  High        Unassigned
lxc (Ubuntu Raring)  Fix Released  Medium      Unassigned

Bug Description

=======================
SRU information
1. Impact: failure to start unconfined containers.
2. Development fix: make sure that the buffer into which we read the current container is \0-terminated
3. Stable fix: same as development fix
4. Test case:
     sudo lxc-create -t ubuntu -n x1
     sudo sed -i '/lxc.aa_profile/d' /var/lib/lxc/x1/config
     echo "lxc.aa_profile = unconfined" | sudo tee -a /var/lib/lxc/x1/config
     sudo lxc-start -n x1
     Unfortunately since the bug depends on a badly formed stack it can be hard to reproduce
5. Regression potential: there should be none, we are only setting the buffer to all zeros before we read into it.
========================

When starting a container that has 'lxc.aa_profile = unconfined' on its configuration file, lxc-start fails with

  lxc-start: Read-only file system - failed to change apparmor profile to unconfined

This happens because the buffer used by lxc-start to read the process' apparmor profile from /proc/<PID>/attr/current is not properly NULL-terminated. A patch for this has been applied upstream and is available at https://github.com/lxc/lxc/commit/626ad11bfee3e12e675f51e92920030a6f383b19

Ubuntu Release: Ubuntu 13.04
lxc package version: 0.9.0-0ubuntu3.4

tags: added: lxc
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu):
status: New → Confirmed
Changed in lxc (Ubuntu):
importance: Undecided → High
Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug. Unfortunately it is rather hard to artificially reproduce as it requires just the right conditions on the stack. That'll make SRU justification harder, but I'll go ahead and push a proposal as it's important.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.9.0-0ubuntu23

---------------
lxc (0.9.0-0ubuntu23) saucy; urgency=low

  * 0014-lxc-apparmor-null-terminate-buffer: make sure a value we fread is
    null-terminated (LP: #1215386)
  * 0015-fix-ipv6-pton: call inet_pton on the value without the netmask.
    (LP: #1215391)
 -- Serge Hallyn <email address hidden> Fri, 23 Aug 2013 11:39:55 -0500

Changed in lxc (Ubuntu):
status: Confirmed → Fix Released
Changed in lxc (Ubuntu Raring):
status: New → Triaged
importance: Undecided → Medium
description: updated
description: updated
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Andre, or anyone else affected,

Accepted lxc into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.9.0-0ubuntu3.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Raring):
status: Triaged → Fix Committed
tags: added: verification-needed
Andre Nathan (andre-digirati) wrote :

Hi

The issue is still not fixed with the patch. While there's no more garbage in the buffer that stores the apparmor profile read from /proc, that data is still terminated by a "\n" (i.e., the profile is returned as, e.g., "unconfined\n" instead of "unconfined"). This causes comparisons with the "unconfined" string further in the code to fail.
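The two defects discussed on this page, the unterminated fread() buffer from the bug description and the trailing "\n" raised in the comment above, are easy to reproduce in isolation. The following is an added illustration, not lxc's code or the patch referenced in the description: it reads a constructed in-memory copy of what /proc/<pid>/attr/current returns ("unconfined\n") with a pre-fix style reader and with a hardened one, then compares both results against "unconfined" the way lxc-start decides whether a profile transition is needed. Function names, the buffer size and the sample label are assumptions made for the example.

```c
/* Added example (not lxc's own code): reading an AppArmor label the way the
 * pre-fix lxc-start did versus a hardened reader. The sample label is
 * constructed in memory with fmemopen(); all names here are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <string.h>

#define LABEL_BUF 100   /* arbitrary size for the example */

/* Constructed sample: the kernel returns the label followed by a newline. */
static const char SAMPLE_ATTR[] = "unconfined\n";

/* Pre-fix style reader: the buffer is neither zeroed nor terminated and the
 * trailing '\n' is kept. The caller pre-fills buf to stand in for stack garbage. */
int read_label_buggy(FILE *f, char *buf, size_t len)
{
    size_t n = fread(buf, 1, len, f);
    return n > 0 ? 0 : -1;
}

/* Hardened reader: zero the buffer (the SRU fix), leave room for the NUL, and
 * strip the trailing newline so a strcmp() against "unconfined" can succeed. */
int read_label_fixed(FILE *f, char *buf, size_t len)
{
    size_t n;
    if (len == 0)
        return -1;
    memset(buf, 0, len);
    n = fread(buf, 1, len - 1, f);
    if (n == 0 && ferror(f))
        return -1;
    buf[n] = '\0';
    if (n > 0 && buf[n - 1] == '\n')
        buf[n - 1] = '\0';
    return 0;
}

/* The decision lxc-start makes: already unconfined means no transition. */
int label_is_unconfined(const char *label)
{
    return strcmp(label, "unconfined") == 0;
}

/* Runs both readers over the constructed sample. Returns 1 when the buggy
 * reader misclassifies the label and the fixed reader classifies it correctly. */
int demo(void)
{
    char buggy[LABEL_BUF], fixed[LABEL_BUF];
    FILE *f;
    int buggy_ok, fixed_ok;

    memset(buggy, 'X', sizeof buggy);   /* stand-in for whatever the stack held */
    f = fmemopen((void *)SAMPLE_ATTR, sizeof SAMPLE_ATTR - 1, "r");
    if (!f)
        return 0;
    read_label_buggy(f, buggy, sizeof buggy);
    fclose(f);
    /* Without a terminator strcmp() would read past the buffer; force one so the
     * comparison itself is safe. The content is still "unconfined\nXXX...". */
    buggy[sizeof buggy - 1] = '\0';
    buggy_ok = label_is_unconfined(buggy);

    f = fmemopen((void *)SAMPLE_ATTR, sizeof SAMPLE_ATTR - 1, "r");
    if (!f)
        return 0;
    read_label_fixed(f, fixed, sizeof fixed);
    fclose(f);
    fixed_ok = label_is_unconfined(fixed);

    printf("buggy reader sees unconfined: %d\n", buggy_ok);
    printf("fixed reader sees unconfined: %d\n", fixed_ok);
    return !buggy_ok && fixed_ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The point the comment makes is visible in the buggy path even after the memset fix: zeroing the buffer removes the garbage but the label still carries its newline, so the "unconfined" comparison fails and lxc-start attempts a transition it does not need.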

Serge Hallyn (serge-hallyn) wrote :

Hi Andre,

the test case in the bug description is passing for me. Can you please tell me exactly what you do to reproduce this, if possible starting from a clean install?

Based on your comment I thought it might be that you had disabled /etc/apparmor.d/usr.bin.lxc-start, but even doing that I'm still able to start a container which has lxc.aa_profile = unconfined

Andre Nathan (andre-digirati) wrote :

You are correct, the error I'm seeing comes from the fact that I have this line on the container's fstab:

  proc /var/lib/lxc/test/rootfs/proc proc ro,nodev,noexec,nosuid 0 0

That is, I was trying to mount /proc as read-only in the container. This works for me in 12.04 but not in 13.04.

Andre Nathan (andre-digirati) wrote :

Just to confirm, the bug wrt the apparmor profile is indeed fixed.

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1215386] Re: lxc-start tries to change apparmor profile to unconfined

Quoting Andre Nathan (<email address hidden>):
> You are correct, the error I'm seeing comes from the fact that I have
> this line on the container's fstab:
>
> proc /var/lib/lxc/test/rootfs/proc proc ro,nodev,noexec,nosuid 0 0
>
> That is, I was trying to mount /proc as read-only in the container. This
> works for me in 12.04 but not in 13.04.

Thank you - to make sure I understand, do you also have
/etc/apparmor.d/usr.bin.lxc-start disabled? If you do,
then when the container starts it is already undefined,
then lxc is supposed to detect that it is already
unconfined and not transition at all. But if you have
the lxc-start profile still enabled, then the container is
started while in the lxc-start profile, and a transition
is required (requiring read-write proc).

So if it is failing for you with /etc/apparmor.d/usr.bin.lxc-start
disabled, then let's open a new bug for that and I'll fix that in
a separate SRU.

Andre Nathan (andre-digirati) wrote :

I tried it with /etc/apparmor.d/usr.bin.lxc-start both enabled and disabled, and also with and without lxc.aa_profile = unconfined in the configuration file and all tests worked fine in the four possible combinations of those settings.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.9.0-0ubuntu3.5

---------------
lxc (0.9.0-0ubuntu3.5) raring-proposed; urgency=low

  * 0014-lxc-apparmor-null-terminate-buffer: make sure a value we fread is
    null-terminated (LP: #1215386)
  * 0015-fix-ipv6-pton: call inet_pton on the value without the netmask.
    (LP: #1215391)
 -- Serge Hallyn <email address hidden> Fri, 23 Aug 2013 11:38:57 -0500

Changed in lxc (Ubuntu Raring):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
