NOTE: This bug will be fixed with an update to lxc. However, two AppArmor bugs (bug #1401619 and bug #1401621) were identified as a result of triaging this bug and they will both be fixed in upstream AppArmor.
When the file system is mounted as MS_SHARED by default (such as under systemd, or when the admin configures it so), things like schroot or LXC need to make their "guest" mounts private. This currently fails under utopic:
$ sudo lxc-create -t busybox -n c1
$ sudo mount --make-rshared /
$ sudo strace -fvvs1024 -e mount lxc-start -n c1
[...]
[pid 10749] mount(NULL, "/", NULL, MS_SLAVE, NULL) = -1 EACCES (Permission denied)
lxc-start: Permission denied - Failed to make / rslave
dmesg says:
audit: type=1400 audit(1406825005.687:551): apparmor="DENIED" operation="mo
unt" info="failed flags match" error=-13 profile="/usr/bin/lxc-start" name="/" pid=8228 co
mm="lxc-start" flags="rw, slave"
(This happens for all mount points on your system, I'm just showing the first one)
This will leave a couple of leaked mounts on your system. This is an useful rune to clean them up:
$ for i in 1 2 3; do sudo umount `mount|grep lxc|awk '{print $3}'`; done
(needs to be done several times; check with "mount |grep lxc" that it's clean)
I tried to allow that by adding this to /etc/apparmor.d/abstractions/lxc/start-container:
mount options=(rw, slave) -> **,
then reload the policy and rety with
$ sudo stop lxc; sudo start lxc; sudo lxc-start -n c1
(and again clean up the mounts with above rune)
I tried some variations of this, like
mount options in (rw, slave, rslave, shared, rshared) -> **,
but none of them worked. The only things that do work are one of
mount,
mount -> **,
but those are too lax to be an effective security restriction.
WORKAROUND
==========
(Attention: insecure! Don't use for production machines)
Add this to /etc/apparmor.d/abstractions/lxc/start-container:
mount,
ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: linux-image-3.16.0-6-generic 3.16.0-6.11
ProcVersionSignature: Ubuntu 3.16.0-6.11-generic 3.16.0-rc7
Uname: Linux 3.16.0-6-generic x86_64
ApportVersion: 2.14.5-0ubuntu1
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC0: martin 1665 F.... pulseaudio
CurrentDesktop: Unity
Date: Thu Jul 31 18:58:18 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2014-02-27 (154 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140224)
MachineType: LENOVO 2324CTO
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.16.0-6-generic.efi.signed root=UUID=a2b27321-0b55-44c9-af0d-6c939efa45ce ro quiet splash init=/lib/systemd/systemd crashkernel=384M-:128M vt.handoff=7
RelatedPackageVersions:
linux-restricted-modules-3.16.0-6-generic N/A
linux-backports-modules-3.16.0-6-generic N/A
linux-firmware 1.132
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/09/2013
dmi.bios.vendor: LENOVO
dmi.bios.version: G2ET95WW (2.55 )
dmi.board.asset.tag: Not Available
dmi.board.name: 2324CTO
dmi.board.vendor: LENOVO
dmi.board.version: 0B98401 Pro
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvrG2ET95WW(2.55):bd07/09/2013:svnLENOVO:pn2324CTO:pvrThinkPadX230:rvnLENOVO:rn2324CTO:rvr0B98401Pro:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 2324CTO
dmi.product.version: ThinkPad X230
dmi.sys.vendor: LENOVO
I tested this on trusty's 3.13.0-32, and the previous utopic 3.15.0-6, same result. So it's not a regression apparently; although I tried "mount options=(rw, slave) -> /" some weeks ago and it appeared to work, but apparently I did something weird back then which made it work, but I can't remember how any more.