‘guix shell -C’ doesn’t work on Ubuntu 24.04

  • Open
  • quality assurance status badge
Details
3 participants
  • W. J. van der Laan
  • Ludovic Courtès
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
normal
L
L
Ludovic Courtès wrote on 27 May 16:55 +0200
‘guix shell -C’ doesn’t work on Ubuntu 24.04
(address . bug-guix@gnu.org)
87wmnfxq2c.fsf@inria.fr
On Ubuntu 24.04, ‘guix shell -C’ has its child process (in a separate
mount namespace) fail to mount a tmpfs:

Toggle snippet (37 lines)
294642 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 294653
294642 close(15) = 0
294642 getuid() = 1000
294642 getgid() = 1000
294653 close(16) = 0
294642 openat(AT_FDCWD, "/proc/294653/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666 <unfinished ...>
294653 read(15, <unfinished ...>
294642 <... openat resumed>) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "deny", 4) = 4
294642 close(6) = 0
294642 openat(AT_FDCWD, "/proc/294653/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "1000 1000 1", 11) = 11
294642 close(6) = 0
294642 openat(AT_FDCWD, "/proc/294653/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "1000 1000 1", 11) = 11
294642 close(6) = 0
294642 write(16, "ready", 5) = 5
294653 <... read resumed>"r", 1) = 1
294642 write(16, "\n", 1) = 1
294653 read(15, "e", 1) = 1
294642 read(16, <unfinished ...>
294653 read(15, "a", 1) = 1
294653 read(15, "d", 1) = 1
294653 read(15, "y", 1) = 1
294653 read(15, "\n", 1) = 1
294653 mount("none", "/tmp/guix-directory.3DaoGp", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
294653 write(15, "(", 1) = 1
294642 <... read resumed>"(", 1) = 1
294653 write(15, "system-error", 12 <unfinished ...>

(It used to work on Ubuntu 22.)

Ludo’.
W
R
R
Ricardo Wurmus wrote on 4 Jul 15:05 +0200
‘guix shell -C’ doesn’t work on Ubuntu 24.04
(address . 71226@debbugs.gnu.org)(address . ludo@gnu.org)
87plrttiia.fsf@elephly.net
On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:

Toggle snippet (76 lines)
abi <abi/3.0>,

include <tunables/global>

/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>

capability net_admin, # for "guix shell -CN"
capability sys_admin, # for clone
capability sys_ptrace, # for user namespaces

# Allow preparing file systems inside the container root
mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
umount /real-root/,

pivot_root,

/etc/nsswitch.conf r,
/etc/passwd r,
/gnu/store/** r,
/gnu/store/**/** r,
/gnu/store/*-guix-*/etc/ld.so.cache r,
/gnu/store/*-guix-*/libexec/guix/guile ix,
/gnu/store/*/bin/* mrix,
/gnu/store/*/lib/**.so** mr,
/gnu/store/*/lib/lib*.so* mr,
/gnu/store/*/libexec/** ix,
/gnu/store/*/sbin/* mrix,
/tmp/ rw,
/tmp/guix-directory** rw,
/var/guix/** r,
/var/guix/daemon-socket/socket rw,
@{PROC}/*/ns/net rw,
@{PROC}/*/ns/user rw,
@{PROC}/@{pid}/** rw,
@{PROC}/self/ rw,
@{PROC}/self/** rw,
@{PROC}/sys/kernel/unprivileged_userns_clone rw,

# These are permissions inside the container after pivot root
owner / w,
owner /bin/ w,
owner /bin/sh w,
owner /etc/ w,
owner /etc/group w,
owner /etc/group.* r,
owner /etc/group.* w,
owner /etc/hosts w,
owner /etc/passwd rw,
owner /etc/passwd.* r,
owner /etc/passwd.* w,
owner /home/*/* ra,
owner /home/*/.cache/guix/profiles/ r,
owner /home/*/.cache/guix/profiles/* w,
owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
owner /real-root/ w,

allow userns,

}

I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container". "guix shell -C hello" and "guix
shell -CN hello" worked fine.

To refine this policy I used the following process:

1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often
replacing temporary directory names with glob patterns)
4. repeat

We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.

I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.

--
Ricardo
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 71226@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 71226
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch