unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
@ 2024-05-27 14:55 Ludovic Courtès
  2024-05-30 13:55 ` bug#71226: Upstream ubuntu issue W. J. van der Laan
                   ` (3 more replies)
  0 siblings, 4 replies; 12+ messages in thread
From: Ludovic Courtès @ 2024-05-27 14:55 UTC (permalink / raw)
  To: 71226

On Ubuntu 24.04, ‘guix shell -C’ has its child process (in a separate
mount namespace) fail to mount a tmpfs:

--8<---------------cut here---------------start------------->8---
294642 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 294653
294642 close(15)                        = 0
294642 getuid()                         = 1000
294642 getgid()                         = 1000
294653 close(16)                        = 0
294642 openat(AT_FDCWD, "/proc/294653/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666 <unfinished ...>
294653 read(15,  <unfinished ...>
294642 <... openat resumed>)            = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "deny", 4)              = 4
294642 close(6)                         = 0
294642 openat(AT_FDCWD, "/proc/294653/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "1000 1000 1", 11)      = 11
294642 close(6)                         = 0
294642 openat(AT_FDCWD, "/proc/294653/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "1000 1000 1", 11)      = 11
294642 close(6)                         = 0
294642 write(16, "ready", 5)            = 5
294653 <... read resumed>"r", 1)        = 1
294642 write(16, "\n", 1)               = 1
294653 read(15, "e", 1)                 = 1
294642 read(16,  <unfinished ...>
294653 read(15, "a", 1)                 = 1
294653 read(15, "d", 1)                 = 1
294653 read(15, "y", 1)                 = 1
294653 read(15, "\n", 1)                = 1
294653 mount("none", "/tmp/guix-directory.3DaoGp", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
294653 write(15, "(", 1)                = 1
294642 <... read resumed>"(", 1)        = 1
294653 write(15, "system-error", 12 <unfinished ...>
--8<---------------cut here---------------end--------------->8---

(It used to work on Ubuntu 22.)

Ludo’.




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: Upstream ubuntu issue
  2024-05-27 14:55 bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ludovic Courtès
@ 2024-05-30 13:55 ` W. J. van der Laan
  2024-07-04 13:05 ` bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ricardo Wurmus
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 12+ messages in thread
From: W. J. van der Laan @ 2024-05-30 13:55 UTC (permalink / raw)
  To: 71226@debbugs.gnu.org

Upstream ubuntu issue (includes possible workaround): https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2024-05-27 14:55 bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ludovic Courtès
  2024-05-30 13:55 ` bug#71226: Upstream ubuntu issue W. J. van der Laan
@ 2024-07-04 13:05 ` Ricardo Wurmus
  2024-10-15 12:07   ` Ludovic Courtès
  2024-12-19 16:26 ` Marek Felšöci
  2025-01-18 12:32 ` bug#71226: Link launchpad issue rdes via Bug reports for GNU Guix
  3 siblings, 1 reply; 12+ messages in thread
From: Ricardo Wurmus @ 2024-07-04 13:05 UTC (permalink / raw)
  To: 71226; +Cc: ludo

On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:

--8<---------------cut here---------------start------------->8---
abi <abi/3.0>,

include <tunables/global>

/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,

  pivot_root,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,

}
--8<---------------cut here---------------end--------------->8---

I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container".  "guix shell -C hello" and "guix
shell -CN hello" worked fine.

To refine this policy I used the following process:

1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often
replacing temporary directory names with glob patterns)
4. repeat

We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.

I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.

-- 
Ricardo




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2024-07-04 13:05 ` bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ricardo Wurmus
@ 2024-10-15 12:07   ` Ludovic Courtès
  0 siblings, 0 replies; 12+ messages in thread
From: Ludovic Courtès @ 2024-10-15 12:07 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: 71226

Hi Ricardo and all,

Ricardo Wurmus <rekado@elephly.net> skribis:

> On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
> following contents:

[...]

> I then loaded the profile with "sudo apparmor_parser -qr
> /etc/apparmor.d/guix-shell-container".  "guix shell -C hello" and "guix
> shell -CN hello" worked fine.

This issue is informally reported quite frequently these days.

Can someone on Ubuntu having this problem confirm that it works for
them?

And then, bonus points if you can create a patch against Guix that (1)
adds the file above under etc/ in the source tree, and (2) changes
‘etc/guix-install.sh’ to perform the above setup step on Apparmor
distros, similar to how SELinux is handled.

That’d be a much appreciated contribution!

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2024-05-27 14:55 bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ludovic Courtès
  2024-05-30 13:55 ` bug#71226: Upstream ubuntu issue W. J. van der Laan
  2024-07-04 13:05 ` bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ricardo Wurmus
@ 2024-12-19 16:26 ` Marek Felšöci
  2025-01-09 14:12   ` Ludovic Courtès
  2025-01-18 12:32 ` bug#71226: Link launchpad issue rdes via Bug reports for GNU Guix
  3 siblings, 1 reply; 12+ messages in thread
From: Marek Felšöci @ 2024-12-19 16:26 UTC (permalink / raw)
  To: 71226

Hello to all,

I confirm the issue on my Ubuntu 24.04 installation with Guix coming from apt 
repositories.

I followed the steps from the Ricardo's reply, but the problem persists with the 
same error:

```
guix shell: chyba: mount: mount "none" on "/tmp/guix-directory.DFemEr": Prístup 
odmietnutý
```

Note that in the above message 'Prístup odmietnutý' means 'Access denied'.

Have there been any new developments regarding this issue?

PS: My current Guix generation is based on the commit c3290ce of the official 
Guix channel.

Thank you very much!

Best regards,
Marek





^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2024-12-19 16:26 ` Marek Felšöci
@ 2025-01-09 14:12   ` Ludovic Courtès
  2025-01-09 22:08     ` Marek Felšöci
  0 siblings, 1 reply; 12+ messages in thread
From: Ludovic Courtès @ 2025-01-09 14:12 UTC (permalink / raw)
  To: Marek Felšöci; +Cc: Ricardo Wurmus, 71226

Hi Marek!

Marek Felšöci <marek.felsoci@lip6.fr> skribis:

> I confirm the issue on my Ubuntu 24.04 installation with Guix coming
> from apt repositories.
>
> I followed the steps from the Ricardo's reply, but the problem
> persists with the same error:
>
> ```
> guix shell: chyba: mount: mount "none" on
> "/tmp/guix-directory.DFemEr": Prístup odmietnutý
> ```
>
> Note that in the above message 'Prístup odmietnutý' means 'Access denied'.
>
> Have there been any new developments regarding this issue?

No!  I guess Ricardo was on the right track but this probably needs more
testing and polishing.

Is there additional info you can get by running “dmesg” or something
like that?

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2025-01-09 14:12   ` Ludovic Courtès
@ 2025-01-09 22:08     ` Marek Felšöci
  2025-01-10 16:37       ` Ludovic Courtès
  0 siblings, 1 reply; 12+ messages in thread
From: Marek Felšöci @ 2025-01-09 22:08 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Ricardo Wurmus, 71226

Hi Ludovic!

I ran the following Guix command

```
guix shell -C bash -- bash
```
and got these two entries in `dmesg` log.

```
[46999.292835] audit: type=1400 audit(1736460233.024:325): apparmor="AUDIT" 
operation="userns_create" class="namespace" info="Userns create - transitioning 
profile" profile="unconfined" pid=190176 comm="guix" requested="userns_create" 
target="unprivileged_userns"
[46999.297993] audit: type=1400 audit(1736460233.029:326): apparmor="DENIED" 
operation="mount" class="mount" info="failed mntpnt match" error=-13 
profile="unprivileged_userns" name="/tmp/guix-directory.BpSImx/" pid=190193 
comm="guix" fstype="tmpfs" srcname="none"
```
Is it of any help? Is there something else I should have a look at?

Thanks,
Marek.

Ludovic Courtès napísal(a) dňa 9. 1. 2025 o 15:12:
> Hi Marek!
>
> Marek Felšöci <marek.felsoci@lip6.fr> skribis:
>
>> I confirm the issue on my Ubuntu 24.04 installation with Guix coming
>> from apt repositories.
>>
>> I followed the steps from the Ricardo's reply, but the problem
>> persists with the same error:
>>
>> ```
>> guix shell: chyba: mount: mount "none" on
>> "/tmp/guix-directory.DFemEr": Prístup odmietnutý
>> ```
>>
>> Note that in the above message 'Prístup odmietnutý' means 'Access denied'.
>>
>> Have there been any new developments regarding this issue?
> No!  I guess Ricardo was on the right track but this probably needs more
> testing and polishing.
>
> Is there additional info you can get by running “dmesg” or something
> like that?
>
> Thanks,
> Ludo’.






^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2025-01-09 22:08     ` Marek Felšöci
@ 2025-01-10 16:37       ` Ludovic Courtès
  2025-01-13 16:12         ` Marek Felšöci
  0 siblings, 1 reply; 12+ messages in thread
From: Ludovic Courtès @ 2025-01-10 16:37 UTC (permalink / raw)
  To: Marek Felšöci; +Cc: Ricardo Wurmus, 71226

[-- Attachment #1: Type: text/plain, Size: 778 bytes --]

Hello!

I believe the attached AppArmor profile should work.  You need to:

  1. Drop it in /etc/apparmor.d/guix (it’s actually not specific to
     ‘guix shell -C’ since it matches any ‘guix’ command!).

  2. Run “apparmor_parser -rv /etc/apparmor.d/guix”.

And then you can check “guix build whatever” and “guix shell -C hello”.

Note that AppArmor is stateful: it memorizes previous rules (“profiles”)
and it’s not entirely clear how to remove them, especially when there’s
no profile name.

So perhaps you’ll want to reboot if in doubt.

Anyway, I tested it in an Ubuntu 24.04 VM and everything seemed to work
well.

If you can confirm, we can add it to the repo and have ‘guix-install.sh’
install it.

Ludo’.


[-- Attachment #2: guix.apparmor --]
[-- Type: text/plain, Size: 2809 bytes --]

abi <abi/3.0>,

include <tunables/global>

profile guix /gnu/store/{*-guix-command,*/bin/guix} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,

  pivot_root,

  # 'guix substitute' is responsible for deduplicating files that it downloads
  # so it needs to be able to create links in /gnu/store/.links.
  link /gnu/store/.links/** -> /gnu/store/**,

  # Note: This also needs to provide permissions for 'guix substitute',
  # which accesses /etc/guix/acl, /var/guix, /gnu/store/.links, etc.

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,

}

^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2025-01-10 16:37       ` Ludovic Courtès
@ 2025-01-13 16:12         ` Marek Felšöci
  2025-01-14  9:32           ` Ricardo Wurmus
  0 siblings, 1 reply; 12+ messages in thread
From: Marek Felšöci @ 2025-01-13 16:12 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Ricardo Wurmus, 71226

Hello!

Thank you for taking time with this issue.

After loading the AppArmor profile from your message, I am able to execute “guix 
shell -C hello”.

However, when trying to combine the "shell" command with the "time-machine" 
command, like so:

"guix time-machine --channels=.guix/channels.scm -- shell -C hello"

I get an access denied error on the ".guix/channels.scm" file which I own and 
have access to.

I tried to play around with the AppArmor profile, but with no success. Are we 
still missing something?

Best,
Marek

Ludovic Courtès napísal(a) dňa 10. 1. 2025 o 17:37:
> Hello!
>
> I believe the attached AppArmor profile should work.  You need to:
>
>    1. Drop it in /etc/apparmor.d/guix (it’s actually not specific to
>       ‘guix shell -C’ since it matches any ‘guix’ command!).
>
>    2. Run “apparmor_parser -rv /etc/apparmor.d/guix”.
>
> And then you can check “guix build whatever” and “guix shell -C hello”.
>
> Note that AppArmor is stateful: it memorizes previous rules (“profiles”)
> and it’s not entirely clear how to remove them, especially when there’s
> no profile name.
>
> So perhaps you’ll want to reboot if in doubt.
>
> Anyway, I tested it in an Ubuntu 24.04 VM and everything seemed to work
> well.
>
> If you can confirm, we can add it to the repo and have ‘guix-install.sh’
> install it.
>
> Ludo’.
>
>
> guix.apparmor
>
> abi <abi/3.0>,
>
> include <tunables/global>
>
> profile guix /gnu/store/{*-guix-command,*/bin/guix} flags=(attach_disconnected) {
>    include <abstractions/base>
>    include <abstractions/consoles>
>    include <abstractions/nameservice>
>
>    capability net_admin, # for "guix shell -CN"
>    capability sys_admin, # for clone
>    capability sys_ptrace, # for user namespaces
>
>    # Allow preparing file systems inside the container root
>    mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
>    mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
>    mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
>    mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
>    mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
>    mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
>    mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
>    mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
>    mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
>    mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
>    mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
>    mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
>    umount /real-root/,
>
>    pivot_root,
>
>    # 'guix substitute' is responsible for deduplicating files that it downloads
>    # so it needs to be able to create links in /gnu/store/.links.
>    link /gnu/store/.links/** -> /gnu/store/**,
>
>    # Note: This also needs to provide permissions for 'guix substitute',
>    # which accesses /etc/guix/acl, /var/guix, /gnu/store/.links, etc.
>
>    /etc/nsswitch.conf r,
>    /etc/passwd r,
>    /gnu/store/** r,
>    /gnu/store/**/** r,
>    /gnu/store/*-guix-*/etc/ld.so.cache r,
>    /gnu/store/*-guix-*/libexec/guix/guile ix,
>    /gnu/store/*/bin/* mrix,
>    /gnu/store/*/lib/**.so** mr,
>    /gnu/store/*/lib/lib*.so* mr,
>    /gnu/store/*/libexec/** ix,
>    /gnu/store/*/sbin/* mrix,
>    /tmp/ rw,
>    /tmp/guix-directory** rw,
>    /var/guix/** r,
>    /var/guix/daemon-socket/socket rw,
>    @{PROC}/*/ns/net rw,
>    @{PROC}/*/ns/user rw,
>    @{PROC}/@{pid}/** rw,
>    @{PROC}/self/ rw,
>    @{PROC}/self/** rw,
>    @{PROC}/sys/kernel/unprivileged_userns_clone rw,
>
>    # These are permissions inside the container after pivot root
>    owner / w,
>    owner /bin/ w,
>    owner /bin/sh w,
>    owner /etc/ w,
>    owner /etc/group w,
>    owner /etc/group.* r,
>    owner /etc/group.* w,
>    owner /etc/hosts w,
>    owner /etc/passwd rw,
>    owner /etc/passwd.* r,
>    owner /etc/passwd.* w,
>    
>    owner /home/*/* ra,
>    owner /home/*/.cache/guix/profiles/ r,
>    owner /home/*/.cache/guix/profiles/* w,
>    owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
>    owner /real-root/ w,
>
>    allow userns,
>
> }






^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2025-01-13 16:12         ` Marek Felšöci
@ 2025-01-14  9:32           ` Ricardo Wurmus
  2025-01-16  8:19             ` Ludovic Courtès
  0 siblings, 1 reply; 12+ messages in thread
From: Ricardo Wurmus @ 2025-01-14  9:32 UTC (permalink / raw)
  To: Marek Felšöci; +Cc: 71226, Ludovic Courtès

Marek Felšöci <marek.felsoci@lip6.fr> writes:

> I get an access denied error on the ".guix/channels.scm" file which I
> own and have access to.
>
> I tried to play around with the AppArmor profile, but with no
> success. Are we still missing something?

Do you see any relevant information in the AppArmor logs?

I'm not familiar with AppArmor, but in SELinux there's the concept of
type transitions.  "guix time-machine" builds a directory and then
executes "bin/guix" from that store location.  In SELinux you would need
to explicitly allow for that transition, so that
$HOME/.config/current/bin/guix can preserve its type when executing the
independent /gnu/store/.../bin/guix.

(Looking at our SELinux policy it seems to me that we're missing a type
transition for this case, so I would assume that "guix time-machine"
also doesn't work on a system where SELinux is enforcing policies.)

-- 
Ricardo




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
  2025-01-14  9:32           ` Ricardo Wurmus
@ 2025-01-16  8:19             ` Ludovic Courtès
  0 siblings, 0 replies; 12+ messages in thread
From: Ludovic Courtès @ 2025-01-16  8:19 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: 71226, Marek Felšöci

Ricardo Wurmus <rekado@elephly.net> skribis:

> Marek Felšöci <marek.felsoci@lip6.fr> writes:
>
>> I get an access denied error on the ".guix/channels.scm" file which I
>> own and have access to.
>>
>> I tried to play around with the AppArmor profile, but with no
>> success. Are we still missing something?
>
> Do you see any relevant information in the AppArmor logs?

I actually have a similar error:

--8<---------------cut here---------------start------------->8---
$ guix time-machine -- shell -C hello
guix time-machine: error: failed to load '/builds/.config/guix/channels.scm': Permission denied
$ sudo dmesg | tail -4
[489967.069070] audit: type=1400 audit(1737015245.640:166): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[489967.069236] audit: type=1400 audit(1737015245.640:167): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443246] audit: type=1400 audit(1737015290.015:168): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443371] audit: type=1400 audit(1737015290.015:169): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
$ ls -l /builds/.config/guix/channels.scm
-rw-rw-r-- 1 ci ci 147 Dec 27 11:28 /builds/.config/guix/channels.scm
$ id
uid=1000(ci) gid=1000(ci) groups=1000(ci)
--8<---------------cut here---------------end--------------->8---

I think the problem we have is that the AppArmor profile now applies to
all ‘guix’ invocations but it doesn’t specify that ‘guix’ can access
user-owned files.  I guess I did something wrong because that means that
this profile is in fact more restrictive than the default one.

Is there a way to say we want to inherit the default profile and only
relax it?

Ludo’.




^ permalink raw reply	[flat|nested] 12+ messages in thread

* bug#71226: Link launchpad issue
  2024-05-27 14:55 bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ludovic Courtès
                   ` (2 preceding siblings ...)
  2024-12-19 16:26 ` Marek Felšöci
@ 2025-01-18 12:32 ` rdes via Bug reports for GNU Guix
  3 siblings, 0 replies; 12+ messages in thread
From: rdes via Bug reports for GNU Guix @ 2025-01-18 12:32 UTC (permalink / raw)
  To: 71226@debbugs.gnu.org

[-- Attachment #1: Type: text/plain, Size: 149 bytes --]

Hello,

Just wanted to link this issue with what is being tracked on ubuntu's launchpad.

https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115

[-- Attachment #2: Type: text/html, Size: 972 bytes --]

^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2025-01-18 17:04 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-27 14:55 bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ludovic Courtès
2024-05-30 13:55 ` bug#71226: Upstream ubuntu issue W. J. van der Laan
2024-07-04 13:05 ` bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04 Ricardo Wurmus
2024-10-15 12:07   ` Ludovic Courtès
2024-12-19 16:26 ` Marek Felšöci
2025-01-09 14:12   ` Ludovic Courtès
2025-01-09 22:08     ` Marek Felšöci
2025-01-10 16:37       ` Ludovic Courtès
2025-01-13 16:12         ` Marek Felšöci
2025-01-14  9:32           ` Ricardo Wurmus
2025-01-16  8:19             ` Ludovic Courtès
2025-01-18 12:32 ` bug#71226: Link launchpad issue rdes via Bug reports for GNU Guix

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).