Skip to content

logind: fix /run/user/$UID creation in apparmor-confined containers#4154

Merged
evverx merged 2 commits intosystemd:masterfrom
liskin:fix-apparmored-docker
Sep 15, 2016
Merged

logind: fix /run/user/$UID creation in apparmor-confined containers#4154
evverx merged 2 commits intosystemd:masterfrom
liskin:fix-apparmored-docker

Conversation

@liskin
Copy link
Contributor

@liskin liskin commented Sep 15, 2016

When a docker container is confined with AppArmor and happens to run on top of a kernel that supports mount mediation, e.g. any Ubuntu kernel, mount(2) returns EACCES instead of EPERM. This then leads to:

systemd-logind[33]: Failed to mount per-user tmpfs directory /run/user/1000: Permission denied
login[42]: pam_systemd(login:session): Failed to create session: Access denied

and user sessions don't start.

At first I thought that this surely is a problem on AppArmor's side, but reading linux/security/selinux/{hooks,avc}.c gives me a feeling that selinux would return EACCES, too. Unfortunately I don't know enought about selinux to verify that myself.

When a docker container is confined with AppArmor [1] and happens to run
on top of a kernel that supports mount mediation [2], e.g. any Ubuntu
kernel, mount(2) returns EACCES instead of EPERM.  This then leads to:

    systemd-logind[33]: Failed to mount per-user tmpfs directory /run/user/1000: Permission denied
    login[42]: pam_systemd(login:session): Failed to create session: Access denied

and user sessions don't start.

At first I thought that this surely is a problem on AppArmor's side, but
reading linux/security/selinux/{hooks,avc}.c gives me a feeling that
selinux would return EACCES, too.  Unfortunately I don't know enought
about selinux to verify that myself.

[1] https://github.com/docker/docker/blob/master/docs/security/apparmor.md#understand-the-policies
[2] http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/kernel-patches/4.7/0025-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
@evverx evverx added the login label Sep 15, 2016
@evverx
Copy link
Contributor

evverx commented Sep 15, 2016

gives me a feeling that selinux would return EACCES

Right

3408 [001]  5031.035007: probe:selinux_mount: (ffffffff813d1d20 <- ffffffff813c7da7) arg1=0xfffffff3

AVC avc:  denied  { mounton } for  pid=3408

@liskin , shouldn't we fix this comment too?

                     /* Lacking permissions, maybe
                      * CAP_SYS_ADMIN-less container? In this case,
                      * just use a normal directory. */

@liskin
Copy link
Contributor Author

liskin commented Sep 15, 2016

Well it's not too far off, it's CAP_SYS_ADMIN-less anyway, but selinux/apparmor happens to reject it sooner. But we can mention it there, yeah. Something like:

                    /* Lacking permissions, maybe
                     * CAP_SYS_ADMIN-less container or security policy?
                     * In this case, just use a normal directory. */

Shall I update the commit?

@evverx
Copy link
Contributor

evverx commented Sep 15, 2016

Oh, I think we should remove that comment :-)
Let's

log_debug_errno(errno, "Failed to mount per-user tmpfs directory, assuming containerized execution, ignoring: %m");

or so
(Similar to

if (r == -EPERM || r == -EACCES) {
)

Does it make sense?

…ainers

commit msg update, drop:

    At first I thought that this surely is a problem on AppArmor's side, but
    reading linux/security/selinux/{hooks,avc}.c gives me a feeling that
    selinux would return EACCES, too.  Unfortunately I don't know enought
    about selinux to verify that myself.

add:

    This also applies to selinux that too returns EACCES on mount denial.
@liskin
Copy link
Contributor Author

liskin commented Sep 15, 2016

That's better indeed. It didn't occur to me that a similar thing has already been dealt with elsewhere. :-)

@evverx evverx merged commit 7dabbb5 into systemd:master Sep 15, 2016
@evverx
Copy link
Contributor

evverx commented Sep 15, 2016

@liskin , thanks!

@evverx
Copy link
Contributor

evverx commented Sep 15, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Development

Successfully merging this pull request may close these issues.

2 participants