logind: fix /run/user/$UID creation in apparmor-confined containers#4154
Merged
evverx merged 2 commits intosystemd:masterfrom Sep 15, 2016
liskin:fix-apparmored-docker
Merged
logind: fix /run/user/$UID creation in apparmor-confined containers#4154evverx merged 2 commits intosystemd:masterfrom liskin:fix-apparmored-docker
evverx merged 2 commits intosystemd:masterfrom
liskin:fix-apparmored-docker
Conversation
When a docker container is confined with AppArmor [1] and happens to run
on top of a kernel that supports mount mediation [2], e.g. any Ubuntu
kernel, mount(2) returns EACCES instead of EPERM. This then leads to:
systemd-logind[33]: Failed to mount per-user tmpfs directory /run/user/1000: Permission denied
login[42]: pam_systemd(login:session): Failed to create session: Access denied
and user sessions don't start.
At first I thought that this surely is a problem on AppArmor's side, but
reading linux/security/selinux/{hooks,avc}.c gives me a feeling that
selinux would return EACCES, too. Unfortunately I don't know enought
about selinux to verify that myself.
[1] https://github.com/docker/docker/blob/master/docs/security/apparmor.md#understand-the-policies
[2] http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/kernel-patches/4.7/0025-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
Contributor
Right 3408 [001] 5031.035007: probe:selinux_mount: (ffffffff813d1d20 <- ffffffff813c7da7) arg1=0xfffffff3
AVC avc: denied { mounton } for pid=3408@liskin , shouldn't we fix this comment too?
|
Contributor
Author
|
Well it's not too far off, it's CAP_SYS_ADMIN-less anyway, but selinux/apparmor happens to reject it sooner. But we can mention it there, yeah. Something like: Shall I update the commit? |
Contributor
|
Oh, I think we should remove that comment :-) log_debug_errno(errno, "Failed to mount per-user tmpfs directory, assuming containerized execution, ignoring: %m");or so Line 2021 in d347d90 Does it make sense? |
…ainers
commit msg update, drop:
At first I thought that this surely is a problem on AppArmor's side, but
reading linux/security/selinux/{hooks,avc}.c gives me a feeling that
selinux would return EACCES, too. Unfortunately I don't know enought
about selinux to verify that myself.
add:
This also applies to selinux that too returns EACCES on mount denial.
Contributor
Author
|
That's better indeed. It didn't occur to me that a similar thing has already been dealt with elsewhere. :-) |
Contributor
|
@liskin , thanks! |
Contributor
|
@martinpitt , I'm not seeing the So, I've run these test manually. Tests passed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When a docker container is confined with AppArmor and happens to run on top of a kernel that supports mount mediation, e.g. any Ubuntu kernel, mount(2) returns EACCES instead of EPERM. This then leads to:
and user sessions don't start.
At first I thought that this surely is a problem on AppArmor's side, but reading
linux/security/selinux/{hooks,avc}.cgives me a feeling that selinux would return EACCES, too. Unfortunately I don't know enought about selinux to verify that myself.