Merge ~virtustom/ubuntu/+source/golang-github-containers-common:apparmor-crun-fix into ubuntu/+source/golang-github-containers-common:applied/ubuntu/noble-devel

Proposed by Tomáš Virtus
Status: Needs review
Proposed branch: ~virtustom/ubuntu/+source/golang-github-containers-common:apparmor-crun-fix
Merge into: ubuntu/+source/golang-github-containers-common:applied/ubuntu/noble-devel
Diff against target: 106 lines (+76/-1)
4 files modified
debian/changelog (+7/-0)
debian/control (+2/-1)
debian/patches/apparmor-Allow-confined-runc-crun-to-kill-containers.patch (+66/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Ubuntu Sponsors Pending
git-ubuntu import Pending
Review via email: mp+465117@code.launchpad.net

Commit message

Fix #2040483 ("AppArmor denies crun sending signals to containers (stop, kill)")


Unmerged commits

701bc31... by Tomáš Virtus

Update changelog

64a72a8... by Tomáš Virtus

update-maintainer

377bff5... by Tomáš Virtus

Fix #2040483 ("AppArmor denies crun sending signals to containers (stop, kill)")

This makes projects using AppArmor bits from
golang-github-containers-common (notably podman) work with AppArmor
v4.0.0.

There is a similar issue with containerd clients and docker. The fix was
merged into containerd upstream[1]. The fix to moby (docker) was
submitted but seems to have stalled[2]. Upstream notes we should fix
regressions we introduced in Ubuntu or perhaps at least introduce a
generic way to refer to OCI runtimes under a single peer name. I suspect
we would get similar objections in containers/common. That's why I
haven't yet submitted the patch upstream.

In the meantime, patch this library so that podman can work with OCI
runtimes we currently confine.

[1] https://github.com/containerd/containerd/pull/10123
[2] https://github.com/moby/moby/pull/47749

Bug: https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 9b766fe..725593d 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+golang-github-containers-common (0.57.4+ds1-2ubuntu0.1) noble; urgency=medium
7+
8+ * d/p/apparmor-Allow-confined-runc-crun-to-kill-containers.patch:
9+ fix podman running with AppArmor v4.0.0 profiles (LP: #2040483)
10+
11+ -- Tomáš Virtus <tomas.virtus@canonical.com> Sun, 28 Apr 2024 21:12:37 +0000
12+
13 golang-github-containers-common (0.57.4+ds1-2) unstable; urgency=medium
14
15 * Upload to unstable
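Review bot: the changelog bullet ("fix podman running with AppArmor v4.0.0 profiles") describes the symptom more broadly than what this upload actually changes, which is two `signal (receive)` rules added to the generated container profile so that the confined runc/crun profiles shipped with AppArmor 4.0.0 can deliver signals to containers. Suggest something like "allow containers to receive signals from confined runc/crun so that podman stop/kill work with AppArmor >= 4.0.0 (LP: #2040483)", so that a reader of the SRU changelog sees exactly what changed in the loaded policy.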
16diff --git a/debian/control b/debian/control
17index 8f639ee..128f8f3 100644
18--- a/debian/control
19+++ b/debian/control
20@@ -1,5 +1,6 @@
21 Source: golang-github-containers-common
22-Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
23+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
24+XSBC-Original-Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
25 Uploaders: Reinhard Tartler <siretart@tauware.de>
26 Section: golang
27 Testsuite: autopkgtest-pkg-go
28diff --git a/debian/patches/apparmor-Allow-confined-runc-crun-to-kill-containers.patch b/debian/patches/apparmor-Allow-confined-runc-crun-to-kill-containers.patch
29new file mode 100644
30index 0000000..fa8af74
31--- /dev/null
32+++ b/debian/patches/apparmor-Allow-confined-runc-crun-to-kill-containers.patch
33@@ -0,0 +1,66 @@
34+From 4e85b17f1adb47d3de3b348f707d785b1ec4900c Mon Sep 17 00:00:00 2001
35+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Virtus?= <nechtom@gmail.com>
36+Date: Sun, 28 Apr 2024 22:17:12 +0200
37+Subject: [PATCH] apparmor: Allow confined runc/crun to kill containers
38+MIME-Version: 1.0
39+Content-Type: text/plain; charset=UTF-8
40+Content-Transfer-Encoding: 8bit
41+Origin: https://github.com/woky/common/commit/4e85b17f1adb47d3de3b348f707d785b1ec4900c
42+Forwarded: no
43+
44+AppArmor v4.0.0 introduced runc and crun profiles for /usr/sbin/runc and
45+/usr/bin/crun respectively[1]. This change breaks stopping of
46+containers, because the built-in profile assigned to containers doesn't
47+accept signals from runc and crun peers. AppArmor >= v4.0.0 is currently
48+part of Ubuntu Mantic (23.10) and later.
49+
50+The issue is reproducible when podman is run with privileges to load new
51+AppArmor profiles (e.g. as root):
52+
53+ Test commands:
54+
55+ root@cloudimg:~# podman run -d --name foo docker.io/library/nginx:latest
56+ 1859ea952f6bfb90cc42a57e128d9a2fd7a134e3fbbbe0c22a57bf1b37468cd0
57+ root@cloudimg:~# podman stop foo
58+ WARN[0010] StopSignal SIGQUIT failed to stop container foo in 10 seconds, resorting to SIGKILL
59+ Error: given PID did not die within timeout
60+
61+ AppArmor denial in syslog (with long lines wrapped):
62+
63+ Apr 28 20:26:49 cloudimg kernel: audit:
64+ type=1400 audit(1714336009.026:112): apparmor="DENIED"
65+ operation="signal" class="signal"
66+ profile="containers-default-0.57.4" pid=2553 comm="3"
67+ requested_mask="receive" denied_mask="receive" signal=quit
68+ peer="crun"
69+
70+This change extends the default profile with rules that allow receiving
71+signals from processes that run confined with either runc or crun
72+profile. It is backward compatible because the peer value is a regular
73+expression (AARE) so the referenced profile doesn't have to exist for
74+this profile to successfully compile and load.
75+
76+[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
77+
78+Signed-off-by: Tomáš Virtus <nechtom@gmail.com>
79+---
80+ pkg/apparmor/apparmor_linux_template.go | 3 +++
81+ 1 file changed, 3 insertions(+)
82+
83+diff --git a/pkg/apparmor/apparmor_linux_template.go b/pkg/apparmor/apparmor_linux_template.go
84+index b8212542..d1ac2780 100644
85+--- a/pkg/apparmor/apparmor_linux_template.go
86++++ b/pkg/apparmor/apparmor_linux_template.go
87+@@ -21,6 +21,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
88+ # Allow signals from privileged profiles and from within the same profile
89+ signal (receive) peer=unconfined,
90+ signal (send,receive) peer={{.Name}},
91++ # Allow signals from OCI runtimes (runc and crun)
92++ signal (receive) peer=runc,
93++ signal (receive) peer=crun,
94+ {{end}}
95+
96+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
97+--
98+2.44.0
99+
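Review bot: the DEP-3 header carries `Forwarded: no` but no `Bug-Ubuntu:` field, so the Launchpad bug cited in the changelog is not tied to the patch file itself; add `Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483` (the link from the merge description) next to `Origin:`, and consider stating the reason for not forwarding there too, since the merge description already explains it. On the rules themselves, `signal (receive) peer=runc,` and `signal (receive) peer=crun,` allow every signal from those two profiles, which is what an OCI runtime needs for stop and kill, but they match only the exact profile names AppArmor 4.0.0 introduced; a runtime confined under a different profile name would hit the same `apparmor="DENIED" operation="signal"` audit entry shown in the description, which is consistent with the commit's own note that a generic peer name is the fix upstream would prefer. Finally, the description shows only the failing `podman stop foo`; adding the output after the patch is applied (container stops within the timeout, no further `operation="signal"` denial in syslog) would give the SRU verification a before/after pair.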
100diff --git a/debian/patches/series b/debian/patches/series
101index 4a8c2a8..c8df38f 100644
102--- a/debian/patches/series
103+++ b/debian/patches/series
104@@ -1 +1,2 @@
105 fix-apparmor-parsing.patch
106+apparmor-Allow-confined-runc-crun-to-kill-containers.patch
