Subject: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
References: <87wmnfxq2c.fsf@inria.fr>
In-Reply-To: <87wmnfxq2c.fsf@inria.fr>
Resent-From: Ricardo Wurmus
To: 71226@debbugs.gnu.org
Cc: ludo@gnu.org
From: Ricardo Wurmus
Date: Thu, 04 Jul 2024 15:05:17 +0200
Message-ID: <87plrttiia.fsf@elephly.net>

On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:

--8<---------------cut here---------------start------------->8---
abi ,

include

/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
  include
  include
  include

  capability net_admin,  # for "guix shell -CN"
  capability sys_admin,  # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,
  pivot_root,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,
}
--8<---------------cut here---------------end--------------->8---

I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container".

"guix shell -C hello" and "guix shell -CN hello" worked fine.

To refine this policy I used the following process:

1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often replacing
   temporary directory names with glob patterns)
4. repeat

We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.

I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.

-- 
Ricardo
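The template approach proposed at the end of the message, as an added illustration that is not part of Guix or of this thread: a POSIX sh script that renders a profile from a template with @storedir@ and @localstatedir@ placeholders (assumed names, not Guix's own), refuses directory values containing AppArmor glob metacharacters, since a "*" or "[" in a substituted path would silently widen every rule, and loads the result with apparmor_parser as in the message. The template below is a constructed excerpt of the profile above.

```shell
#!/bin/sh
# Render an AppArmor profile for "guix shell -C" from a template by
# substituting the configured store and state directories, then load it.
# Added example; placeholder names are assumptions, not Guix's own.
set -eu

# Constructed template: a few rules from the profile in the message with
# the two install-time paths replaced by placeholders.
TEMPLATE='@storedir@/*-guix-*/bin/guix flags=(attach_disconnected) {
  capability sys_admin, # for clone
  @storedir@/** r,
  @storedir@/*-guix-*/libexec/guix/guile ix,
  @localstatedir@/guix/** r,
  @localstatedir@/guix/daemon-socket/socket rw,
  allow userns,
}'

# A substituted directory must stay one literal absolute path: AppArmor
# treats * ? [ ] { } as glob metacharacters, and | or & would be misread
# by the sed replacement below.
check_dir() {
  case "$1" in
    /*) ;;
    *) echo "check_dir: not an absolute path: $1" >&2; return 1 ;;
  esac
  if printf '%s' "$1" | grep -q '[]*?[{}|&]'; then
    echo "check_dir: unsafe character in: $1" >&2
    return 1
  fi
}

# render_profile STOREDIR LOCALSTATEDIR: rendered profile on stdout
render_profile() {
  check_dir "$1" && check_dir "$2" || return 1
  printf '%s\n' "$TEMPLATE" |
    sed -e "s|@storedir@|$1|g" -e "s|@localstatedir@|$2|g"
}

# install_profile STOREDIR LOCALSTATEDIR: write and load the profile the
# way the message does (needs root; not invoked here).
install_profile() {
  render_profile "$1" "$2" > /etc/apparmor.d/guix-shell-container
  apparmor_parser -qr /etc/apparmor.d/guix-shell-container
}

# Usage: install_profile /gnu/store /var
```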