
apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory #3831

Closed
butterflyhack opened this issue Apr 18, 2023 · 1 comment


butterflyhack commented Apr 18, 2023

Description

I tried to use AppArmor in a container by setting "apparmorProfile": "usr.bin.tcpdump" in config.cfg, using /usr/bin/tcpdump as an example. When runc started the container, the following error occurred.
The run command is:

runc --debug create test

Error log:

DEBU[0000] nsexec[58596]: => nsexec container setup     
DEBU[0000] nsexec-0[58596]: ~> nsexec stage-0           
DEBU[0000] nsexec-0[58596]: spawn stage-1               
DEBU[0000] nsexec-0[58596]: -> stage-1 synchronisation loop 
DEBU[0000] nsexec-1[58600]: ~> nsexec stage-1           
DEBU[0000] nsexec-1[58600]: unshare remaining namespaces (except cgroupns) 
DEBU[0000] nsexec-1[58600]: spawn stage-2               
DEBU[0000] nsexec-1[58600]: request stage-0 to forward stage-2 pid (58601) 
DEBU[0000] nsexec-0[58596]: stage-1 requested pid to be forwarded 
DEBU[0000] nsexec-0[58596]: forward stage-1 (58600) and stage-2 (58601) pids to runc 
DEBU[0000] nsexec-1[58600]: signal completion to stage-0 
DEBU[0000] nsexec-2[1]: ~> nsexec stage-2               
DEBU[0000] nsexec-1[58600]: <~ nsexec stage-1           
DEBU[0000] nsexec-0[58596]: stage-1 complete            
DEBU[0000] nsexec-0[58596]: <- stage-1 synchronisation loop 
DEBU[0000] nsexec-0[58596]: -> stage-2 synchronisation loop 
DEBU[0000] nsexec-0[58596]: signalling stage-2 to run   
DEBU[0000] nsexec-2[1]: unshare cgroup namespace        
DEBU[0000] nsexec-2[1]: signal completion to stage-0    
DEBU[0000] nsexec-2[1]: <= nsexec container setup       
DEBU[0000] nsexec-2[1]: booting up go runtime ...       
DEBU[0000] nsexec-0[58596]: stage-2 complete            
DEBU[0000] nsexec-0[58596]: <- stage-2 synchronisation loop 
DEBU[0000] nsexec-0[58596]: <~ nsexec stage-0           
DEBU[0000] child process in init()                      
ERRO[0000]utils.go:62 main.fatalWithCode() runc create failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory 

I have already tried other solutions, but none of them worked. The AppArmor mechanism has been enabled on my system.
The config.cfg is below:

{
        "ociVersion": "1.1.0-rc.1",
        "process": {
                "terminal": false,
                "user": {
                        "uid": 0,
                        "gid": 0
                },
                "args": [
                        "sleep", "20"
                ],
                "env": [
                        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                        "TERM=xterm"
                ],
                "cwd": "/",
                "capabilities": {
                        "bounding": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "effective": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "permitted": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ],
                        "ambient": [
                                "CAP_AUDIT_WRITE",
                                "CAP_KILL",
                                "CAP_NET_BIND_SERVICE"
                        ]
                },
                "rlimits": [
                        {
                                "type": "RLIMIT_NOFILE",
                                "hard": 1024,
                                "soft": 1024
                        }
                ],
                "noNewPrivileges": true,
                "apparmorProfile": "usr.bin.tcpdump"
        },
        "root": {
                "path": "rootfs",
                "readonly": true
        },
        "hostname": "runc",
        "mounts": [
                {
                        "destination": "/proc",
                        "type": "proc",
                        "source": "proc"
                },
                {
                        "destination": "/dev",
                        "type": "tmpfs",
                        "source": "tmpfs",
                        "options": [
                                "nosuid",
                                "strictatime",
                                "mode=755",
                                "size=65536k"
                        ]
                },
                {
                        "destination": "/dev/pts",
                        "type": "devpts",
                        "source": "devpts",
                        "options": [
                                "nosuid",
                                "noexec",
                                "newinstance",
                                "ptmxmode=0666",
                                "mode=0620",
                                "gid=5"
                        ]
                },
                {
                        "destination": "/dev/shm",
                        "type": "tmpfs",
                        "source": "shm",
                        "options": [
                                "nosuid",
                                "noexec",
                                "nodev",
                                "mode=1777",
                                "size=65536k"
                        ]
                },
                {
                        "destination": "/dev/mqueue",
                        "type": "mqueue",
                        "source": "mqueue",
                        "options": [
                                "nosuid",
                                "noexec",
                                "nodev"
                        ]
                },
                {
                        "destination": "/sys",
                        "type": "sysfs",
                        "source": "sysfs",
                        "options": [
                                "nosuid",
                                "noexec",
                                "nodev",
                                "ro"
                        ]
                },
                {
                        "destination": "/sys/fs/cgroup",
                        "type": "cgroup",
                        "source": "cgroup",
                        "options": [
                                "nosuid",
                                "noexec",
                                "nodev",
                                "relatime",
                                "ro"
                        ]
                }
        ],
        "linux": {
                "resources": {
                        "devices": [
                                {
                                        "allow": false,
                                        "access": "rwm"
                                }
                        ]
                },
                "namespaces": [
                        {
                                "type": "pid"
                        },
                        {
                                "type": "network"
                        },
                        {
                                "type": "ipc"
                        },
                        {
                                "type": "uts"
                        },
                        {
                                "type": "mount"
                        },
                        {
                                "type": "cgroup"
                        }
                ],
                "maskedPaths": [
                        "/proc/acpi",
                        "/proc/asound",
                        "/proc/kcore",
                        "/proc/keys",
                        "/proc/latency_stats",
                        "/proc/timer_list",
                        "/proc/timer_stats",
                        "/proc/sched_debug",
                        "/sys/firmware",
                        "/proc/scsi"
                ],
                "readonlyPaths": [
                        "/proc/bus",
                        "/proc/fs",
                        "/proc/irq",
                        "/proc/sys",
                        "/proc/sysrq-trigger"
                ]
        }
}

The dmesg log:

[72627.952044] audit: type=1400 audit(1681798863.662:130): apparmor="DENIED" operation="change_onexec" class="file" info="label not found" error=-2 profile="unconfined" name="usr.bin.tcpdump" pid=53222 comm="runc:[2:INIT]"
[75074.887725] audit: type=1400 audit(1681801310.627:131): apparmor="DENIED" operation="change_onexec" class="file" info="label not found" error=-2 profile="unconfined" name="usr.bin.tcpdump" pid=56287 comm="runc:[2:INIT]"
[77078.499957] audit: type=1400 audit(1681803314.239:132): apparmor="DENIED" operation="change_onexec" class="file" info="label not found" error=-2 profile="unconfined" name="usr.bin.tcpdump" pid=58352 comm="runc:[2:INIT]"
[77509.219875] audit: type=1400 audit(1681803744.961:133): apparmor="DENIED" operation="change_onexec" class="file" info="label not found" error=-2 profile="unconfined" name="usr.bin.tcpdump" pid=58601 comm="runc:[2:INIT]"

I am not familiar with the AppArmor mechanism. If there is an issue with the AppArmor configuration, please point it out.
Thanks.

Steps to reproduce the issue

#mkdir /tmp/container/rootfs -p
#cd /tmp/container
#docker export $(docker create busybox) | tar -C rootfs -xvf -
#runc spec
#runc --debug create test

Describe the results you received and expected

ERRO[0000]utils.go:62 main.fatalWithCode() runc create failed: unable to start container process: error during container init: unable to apply apparmor profile: apparmor failed to apply profile: write /proc/self/attr/apparmor/exec: no such file or directory 

What version of runc are you using?

runc version 1.1.0+dev
commit: v1.1.0-491-gd8a3daac
spec: 1.1.0-rc.1
go: go1.19.5
libseccomp: 2.5.3

Host OS information

PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Host kernel information

Linux adlab-fuzz 5.19.0-38-generic #39~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 17 21:16:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
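Added example, not runc's code and not part of the issue author's report. The "no such file or directory" in runc's message is the ENOENT returned by its write of the exec label to /proc/self/attr/apparmor/exec, and the dmesg lines above (operation="change_onexec", info="label not found", error=-2) say why: the kernel has no loaded profile named "usr.bin.tcpdump". That string is the file name under /etc/apparmor.d, but the name the kernel uses is the one declared in the profile header (a path, or the word after "profile"), and the profile must already have been loaded with apparmor_parser. The script below reads the loaded-profile list from /sys/kernel/security/apparmor/profiles (the same "NAME (MODE)" lines aa-status reports), extracts the declared name from a profile file, and checks an OCI config.json against both. The function names are mine, and every fixture file it builds (the profile sources, the listing, the two configs) is constructed for the demo; the real Ubuntu tcpdump profile may declare a different name, so check it on your host.

```shell
#!/bin/sh
# Added example (not runc's or AppArmor's code): check that the "apparmorProfile"
# value in an OCI config.json is a profile NAME the kernel has loaded, and
# diagnose the common mistake of using the file name under /etc/apparmor.d
# (e.g. "usr.bin.tcpdump") instead of the name declared inside that file.
# Loaded profiles are read from /sys/kernel/security/apparmor/profiles (the same
# interface aa-status uses), one "NAME (MODE)" line per profile.
# All fixture files below are constructed for this demo; the real packaged
# tcpdump profile may declare a different name.

# Print the profile name declared in a profile source file. Handles the header
# forms "/path {", "profile NAME {" and "profile NAME /path {", with an optional
# "flags=(...)" before the brace.
aa_profile_name_from_source() {
    awk '
        /^[[:space:]]*#/ { next }                      # comments and #include lines
        /[{][[:space:]]*$/ {                           # first line that opens a block
            sub(/[[:space:]]*[{][[:space:]]*$/, "")    # drop trailing "{"
            sub(/^[[:space:]]+/, "")
            sub(/[[:space:]]+flags=[(][^)]*[)]/, "")   # drop flags=(...)
            split($0, f, /[[:space:]]+/)
            name = (f[1] == "profile") ? f[2] : f[1]
            print name
            exit
        }' "$1"
}

# Exit 0 and print "NAME (MODE)" if NAME is loaded; 1 if not; 2 if the listing
# is unreadable (AppArmor disabled, securityfs not mounted, or not root).
#   $1 = profile name   $2 = listing file (default: the live kernel interface)
aa_profile_loaded() {
    listing=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$listing" ] || { echo "cannot read $listing" >&2; return 2; }
    awk -v want="$1" '
        {
            mode = $NF                                 # "(enforce)", "(complain)", ...
            name = substr($0, 1, length($0) - length(mode) - 1)
            if (name == want) { print name, mode; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$listing"
}

# Check the apparmorProfile of an OCI config.json against the loaded profiles.
#   $1 = config.json   $2 = listing file (optional)   $3 = profile directory
#   (default /etc/apparmor.d; only used to explain a file-name mismatch)
# Returns 0 if loaded, 1 if not loaded (hint on stderr), 3 if no profile is set.
check_oci_apparmor() {
    cfg=$1; listing=${2:-/sys/kernel/security/apparmor/profiles}; pdir=${3:-/etc/apparmor.d}
    # minimal extraction, enough for a "runc spec"-style config.json
    want=$(sed -n 's/.*"apparmorProfile"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    if [ -z "$want" ]; then
        echo "no apparmorProfile in $cfg: the container would run unconfined" >&2
        return 3
    fi
    if aa_profile_loaded "$want" "$listing"; then
        return 0
    fi
    echo "apparmorProfile \"$want\" is not loaded: runc's write to /proc/self/attr/apparmor/exec would fail with ENOENT (dmesg: change_onexec DENIED, info=\"label not found\")" >&2
    if [ -f "$pdir/$want" ]; then
        declared=$(aa_profile_name_from_source "$pdir/$want")
        echo "hint: $pdir/$want declares profile name \"$declared\"; set that in config.json and load the file with: apparmor_parser -r $pdir/$want" >&2
    fi
    return 1
}

# Constructed fixtures: a profile directory, a fake kernel listing and two configs.
build_demo_fixtures() {
    DEMO_DIR=$(mktemp -d)
    trap 'rm -rf "$DEMO_DIR"' EXIT
    mkdir -p "$DEMO_DIR/apparmor.d"
    # named like the packaged file, but the profile NAME is the attachment path
    printf '%s\n' '#include <tunables/global>' \
        '/usr/bin/tcpdump flags=(attach_disconnected) {' \
        '  #include <abstractions/base>' '  network raw,' '}' \
        > "$DEMO_DIR/apparmor.d/usr.bin.tcpdump"
    printf '%s\n' 'profile my-container flags=(attach_disconnected) {' \
        '  #include <abstractions/base>' '}' > "$DEMO_DIR/apparmor.d/my-container"
    # what the kernel listing looks like once both files are loaded
    printf '%s\n' '/usr/bin/tcpdump (enforce)' 'my-container (enforce)' \
        '/usr/sbin/cupsd (complain)' > "$DEMO_DIR/profiles"
    printf '{ "process": { "apparmorProfile": "usr.bin.tcpdump" } }\n' > "$DEMO_DIR/bad.json"
    printf '{ "process": { "apparmorProfile": "/usr/bin/tcpdump" } }\n' > "$DEMO_DIR/good.json"
}

build_demo_fixtures
echo "-- reporter's value (file name):"
check_oci_apparmor "$DEMO_DIR/bad.json" "$DEMO_DIR/profiles" "$DEMO_DIR/apparmor.d" || echo "(rejected, exit $?)"
echo "-- declared profile name:"
check_oci_apparmor "$DEMO_DIR/good.json" "$DEMO_DIR/profiles" "$DEMO_DIR/apparmor.d" && echo "(accepted)"
```

On a real host, run it as root with only the config path (check_oci_apparmor /tmp/container/config.json) so the live kernel listing and /etc/apparmor.d are used; aa-status prints the same names. runc never loads profiles itself: it only asks the kernel to switch to a label on exec, so the profile has to be loaded beforehand by apparmor_parser (or by the apparmor service at boot), and the value in config.json has to be that loaded name, not the file it came from.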

@kolyshkin (Contributor)

@butterflyhack for the sake of future software archeologists looking at this bug, can you describe the solution?
