incusd/apparmor/lxc: Don't bother with sys/proc protections when nesting enabled #2624

When nesting is enabled, it's possible for the container to get a clean copy of /proc or /sys mounted anywhere without AppArmor being able to mediate. So there's little point in trying to apply safety checks on top of the main /proc and /sys.

On top of that, we've recently discovered that AppArmor doesn't properly handle file access relative to a file descriptor, causing a bunch of those checks to deny access when they shouldn't.

Closes lxc#2623

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
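The second point in the description, AppArmor treating an openat()-style access differently from the same file opened by absolute path, is easy to check from inside a container. The probe below is an added example, not code from the incus project or the PR; the function names (open_absolute, open_fd_relative, probe, make_sample_tree) are this example's own, and the sample directory tree it builds is constructed here so the script also runs on a host without any AppArmor profile loaded.

```python
"""Probe absolute vs. file-descriptor-relative access to the same file.

Added example, not code from the incus project. Run it inside a container
whose AppArmor profile mediates /proc and /sys: if one access style is
allowed and the other denied, the profile's path rules are not being
applied consistently to openat()-style access, which is the behaviour the
commit message refers to.
"""
import os
import tempfile


def open_absolute(root, rel):
    """open(2) with a fully qualified path, e.g. /proc/sys/kernel/hostname."""
    fd = os.open(os.path.join(root, rel), os.O_RDONLY)
    try:
        return os.read(fd, 4096)
    finally:
        os.close(fd)


def open_fd_relative(root, rel):
    """openat(2): open the directory first, then the file relative to that fd.

    Tools built on the *at() syscalls walk paths this way; it is the access
    pattern the commit message says AppArmor does not handle properly.
    """
    dirfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = os.open(rel, os.O_RDONLY, dir_fd=dirfd)
        try:
            return os.read(fd, 4096)
        finally:
            os.close(fd)
    finally:
        os.close(dirfd)


def probe(root, rel):
    """Try both access styles; report each outcome and whether they agree."""
    outcome = {}
    for name, fn in (("absolute", open_absolute), ("fd_relative", open_fd_relative)):
        try:
            outcome[name] = ("ok", fn(root, rel))
        except PermissionError as exc:  # EACCES is what an AppArmor deny surfaces as
            outcome[name] = ("denied", exc.strerror)
    outcome["consistent"] = outcome["absolute"][0] == outcome["fd_relative"][0]
    return outcome


def make_sample_tree():
    """Constructed stand-in for a procfs root so the probe runs without /proc."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    os.makedirs(os.path.join(root, "sys", "kernel"))
    with open(os.path.join(root, "sys", "kernel", "hostname"), "w") as fh:
        fh.write("probe\n")
    return root, "sys/kernel/hostname"


if __name__ == "__main__":
    import sys
    # Default root is the real procfs. To look at the nesting case from the
    # description, mount a fresh procfs yourself (e.g. mount -t proc proc /tmp/p
    # inside a nested container) and pass that directory as the root.
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for name, value in probe(root, "sys/kernel/hostname").items():
        print(f"{name}: {value}")
```

The script never mounts anything itself. Pointing it at a procfs the container mounted elsewhere shows the other half of the description: rules written against /proc/... simply do not match paths under that second mount, so whatever the profile denies on the main /proc is reachable through the copy.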
I was trying out this fix. I have Ubuntu Noble. I checked the lts, stable and noble suites, and all of them only contain version 6.0.5, which I think does not contain this fix?
Sorry, total noob here. I am using LXCs on TrueNAS (which uses Incus). Previously had ptero set up and working. Had to rebuild it, and now I see that there is this issue with LXCs ... do we know if there will be a fix any time soon? Thanks so much.
@hamboosh478 that's up to the TrueNAS team. We don't control what version of Incus and what fixes get backported by specific distributions.
Right, thanks. One last question: Is this a bug stemming from the specific incus version? And if not, then what is the source?
@Thomas-Langford I think you should look at this: opencontainers/runc#4968
Is this fix coming to the Incus 6.0.x LTS? My setup also got broken.
We'll be tagging 6.0.6 LTS in the next 2-3 weeks, but whether distros pick it up and when is completely up to them.
Sorry for a really late question, but we're currently still facing an issue with incus and exactly this topic. First of all, we had simple lxc running and fixed the problems with the apparmor profile of each lxc container itself. Right now we are migrating to incus (which works pretty well currently), but nesting a docker container within the incus container causes exactly the same problems. We're using the zabbly daily packages and are currently on version 6.21. Is there anything else we need to consider @stgraber? Thanks in advance for the help!!!
@StefHeitzer did you set
Works like a charm! Put the setting within a profile and now everything works fine! Thanks a lot @stgraber |