From: Ricardo Wurmus <rekado@elephly.net>
To: 71226@debbugs.gnu.org
Cc: ludo@gnu.org
Subject: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Thu, 04 Jul 2024 15:05:17 +0200
Message-ID: <87plrttiia.fsf@elephly.net>
In-Reply-To: <87wmnfxq2c.fsf@inria.fr>
On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:
--8<---------------cut here---------------start------------->8---
abi <abi/3.0>,
include <tunables/global>
/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces
  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,
  pivot_root,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,
  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,
  allow userns,
}
--8<---------------cut here---------------end--------------->8---
I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container". "guix shell -C hello" and "guix
shell -CN hello" worked fine.
To refine this policy I used the following process:
1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often
replacing temporary directory names with glob patterns)
4. repeat
We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.
I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.
--
Ricardo
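An added example, not part of the message or of Guix itself: a small Python auditor for profile text in the format above. When refining a profile with aa-genprof in the loop described, it is useful to see at each iteration which capabilities the profile grants and which file rules allow writes outside the container staging directory (assumed here to be /tmp/guix-directory, as in the profile). The rule regexes are simplifications that cover the rule forms used in this profile, not the full AppArmor grammar.

```python
# Added example (not from the bug report): summarise capability grants and
# write permissions in AppArmor profile text like the guix-shell-container
# profile above, so a reviewer can see the policy's blast radius at a glance.
import re

CAP_RE = re.compile(r"^capability\s+(\w+)\s*,")
MOUNT_RE = re.compile(r"^mount\b(.*),$")
FILE_RE = re.compile(r"^(owner\s+)?([@/]\S*)\s+([a-zA-Z]+)\s*,$")  # [owner] path perms,

def parse_rules(text):
    """Return (kind, detail) tuples for the rules inside the profile braces."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.endswith("{") or line == "}":
            continue                                  # profile header / closing brace
        if m := CAP_RE.match(line):
            rules.append(("capability", m.group(1)))
        elif m := MOUNT_RE.match(line):
            rules.append(("mount", m.group(1).strip()))
        elif m := FILE_RE.match(line):
            rules.append(("file", (m.group(1) is not None, m.group(2), m.group(3))))
        else:
            rules.append(("other", line.rstrip(",")))  # include, pivot_root, allow userns, ...
    return rules

def writes_outside(rules, prefix="/tmp/guix-directory"):
    """Paths granted 'w' or 'a' that are not under the container staging prefix."""
    return [path for kind, d in rules if kind == "file"
            for _owner, path, perms in [d]
            if set(perms) & {"w", "a"} and not path.startswith(prefix)]

def summarize(text):
    rules = parse_rules(text)
    return {"capabilities": sorted(d for k, d in rules if k == "capability"),
            "mounts": sum(k == "mount" for k, _ in rules),
            "writes_outside_container": writes_outside(rules)}

# Constructed input: an excerpt of the profile from the message above.
SAMPLE = """\
/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  /gnu/store/** r,
  /tmp/guix-directory** rw,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/@{pid}/** rw,
  owner /etc/passwd rw,
}
"""
```

Running `summarize(SAMPLE)` on the excerpt reports the two capabilities, one mount rule, and three write rules outside the staging directory (the daemon socket, the process's own /proc tree, and the owner-restricted /etc/passwd inside the container).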