© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
2eb648a
demo site
(Get the code!)
Problem #2 is a bug in procfs is breaking the snap-confine AppArmor profile and causing the following rule to not work as intended:
owner @{PROC}/*/mountinfo r,
procfs is incorrectly setting the uid and gid on its /proc/PID/* inodes that represent a setuid-
# Create a setuid-
tyhicks@host:~$ container_
tyhicks@host:~$ echo $container_root
296608
tyhicks@host:~$ sudo cp $(which sleep) /var/lib/
tyhicks@host:~$ sudo chown $container_
/var/
tyhicks@host:~$ sudo chmod u+s /var/lib/
# Run the setuid-sleep program as an unprivileged user inside the container.
# The procfs inodes for that process are incorrectly owned by init_ns root
tyhicks@host:~$ lxc exec yakkety -- su - ubuntu -c 'setuid-sleep 5m'
# From another host terminal
tyhicks@host:~$ sudo stat -c %u /proc/$(pidof setuid-
0
# Run the setuid-sleep program as root inside the container.
# The procfs inodes for that process are incorrectly owned by container_ns root
tyhicks@host:~$ lxc exec yakkety -- setuid-sleep 5m
# From another host terminal
tyhicks@host:~$ sudo stat -c %u /proc/$(pidof setuid-
296608
This explains the AppArmor denial from comment #3 containing "fsuid=296608 ouid=0". The setuid-
The procfs kernel bug needs to be fixed but, in the meantime, we can probably drop the "owner" conditional in the snap-confine profile.