* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
@ 2024-05-27 14:55 Ludovic Courtès
From: Ludovic Courtès @ 2024-05-27 14:55 UTC
  To: 71226

On Ubuntu 24.04, ‘guix shell -C’ has its child process (in a separate
mount namespace) fail to mount a tmpfs:

--8<---------------cut here---------------start------------->8---
294642 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 294653
294642 close(15)                        = 0
294642 getuid()                         = 1000
294642 getgid()                         = 1000
294653 close(16)                        = 0
294642 openat(AT_FDCWD, "/proc/294653/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666 <unfinished ...>
294653 read(15,  <unfinished ...>
294642 <... openat resumed>)            = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "deny", 4)              = 4
294642 close(6)                         = 0
294642 openat(AT_FDCWD, "/proc/294653/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "1000 1000 1", 11)      = 11
294642 close(6)                         = 0
294642 openat(AT_FDCWD, "/proc/294653/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "1000 1000 1", 11)      = 11
294642 close(6)                         = 0
294642 write(16, "ready", 5)            = 5
294653 <... read resumed>"r", 1)        = 1
294642 write(16, "\n", 1)               = 1
294653 read(15, "e", 1)                 = 1
294642 read(16,  <unfinished ...>
294653 read(15, "a", 1)                 = 1
294653 read(15, "d", 1)                 = 1
294653 read(15, "y", 1)                 = 1
294653 read(15, "\n", 1)                = 1
294653 mount("none", "/tmp/guix-directory.3DaoGp", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
294653 write(15, "(", 1)                = 1
294642 <... read resumed>"(", 1)        = 1
294653 write(15, "system-error", 12 <unfinished ...>
--8<---------------cut here---------------end--------------->8---

(It used to work on Ubuntu 22.)

Ludo’.

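The failing sequence in the trace above, replayed as a stand-alone probe so the symptom can be confirmed on a given host (an added example, not Guix's own code): it enters a new user and mount namespace, writes setgroups/uid_map/gid_map the way guix does, then attempts the tmpfs mount and reports the errno. Function names are this example's own, and it uses unshare(2) from a forked child instead of clone(2) with namespace flags, which is equivalent for this check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
/* The one-line identity map guix writes to /proc/<pid>/uid_map and gid_map;
 * for id 1000 it is the 11-byte "1000 1000 1" seen in the trace. */
int format_id_map(char *buf, size_t len, unsigned id) {
    return snprintf(buf, len, "%u %u 1", id, id);
}
/* Write DATA to /proc/self/NAME without a trailing newline; 0 or errno. */
static int write_proc_self(const char *name, const char *data) {
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", name);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    int rc = write(fd, data, strlen(data)) < 0 ? errno : 0;
    close(fd);
    return rc;
}
/* Replay the traced setup in a child: new user + mount namespace, setgroups
 * "deny", identity uid/gid maps, then a tmpfs mount on a fresh
 * /tmp/guix-directory.* directory.  Returns 0 when the mount works, the errno
 * it failed with (EACCES is the Ubuntu 24.04 symptom; EPERM means user
 * namespaces are unavailable at all), or -1 if the probe could not run. */
int probe_tmpfs_mount_in_userns(void) {
    char dir[] = "/tmp/guix-directory.XXXXXX";
    /* Read ids before unshare(): unmapped ids afterwards read as the overflow id. */
    uid_t uid = getuid(); gid_t gid = getgid();
    if (!mkdtemp(dir)) return -1;
    pid_t pid = fork();
    if (pid < 0) { rmdir(dir); return -1; }
    if (pid == 0) {
        char map[32];
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) _exit(errno);
        int err = write_proc_self("setgroups", "deny");
        format_id_map(map, sizeof map, uid);
        if (!err) err = write_proc_self("uid_map", map);
        format_id_map(map, sizeof map, gid);
        if (!err) err = write_proc_self("gid_map", map);
        if (!err && mount("none", dir, "tmpfs", 0, NULL) < 0) err = errno;
        _exit(err); /* errno values fit in the 8-bit exit status */
    }
    int status = 0; waitpid(pid, &status, 0);
    rmdir(dir); /* the tmpfs lived only in the child's mount namespace */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A result of EACCES from an unprivileged shell matches the mount("none", ..., "tmpfs", 0, NULL) = -1 EACCES line in the trace; 0 means the host permits the mount.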

* bug#71226: Upstream ubuntu issue
From: W. J. van der Laan @ 2024-05-30 13:55 UTC
  To: 71226@debbugs.gnu.org

Upstream ubuntu issue (includes possible workaround): https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115


* bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
From: Ricardo Wurmus @ 2024-07-04 13:05 UTC
  To: 71226; +Cc: ludo

On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:

--8<---------------cut here---------------start------------->8---
abi <abi/3.0>,

include <tunables/global>

/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,

  pivot_root,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,

}
--8<---------------cut here---------------end--------------->8---

I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container".  "guix shell -C hello" and "guix
shell -CN hello" worked fine.

To refine this policy I used the following process:

1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often
replacing temporary directory names with glob patterns)
4. repeat

We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.

I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.

-- 
Ricardo

