‘guix shell -C’ doesn’t work on Ubuntu 24.04

  • Open
  • quality assurance status badge
Details
5 participants
  • W. J. van der Laan
  • Ludovic Courtès
  • Ludovic Courtès
  • Marek Felšöci
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
important
L
L
Ludovic Courtès wrote on 27 May 2024 16:55
‘guix shell -C’ doesn’t work on Ubuntu 24.04
(address . bug-guix@gnu.org)
87wmnfxq2c.fsf@inria.fr
On Ubuntu 24.04, ‘guix shell -C’ has its child process (in a separate
mount namespace) fail to mount a tmpfs:

Toggle snippet (37 lines)
294642 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 294653
294642 close(15) = 0
294642 getuid() = 1000
294642 getgid() = 1000
294653 close(16) = 0
294642 openat(AT_FDCWD, "/proc/294653/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666 <unfinished ...>
294653 read(15, <unfinished ...>
294642 <... openat resumed>) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "deny", 4) = 4
294642 close(6) = 0
294642 openat(AT_FDCWD, "/proc/294653/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "1000 1000 1", 11) = 11
294642 close(6) = 0
294642 openat(AT_FDCWD, "/proc/294653/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "1000 1000 1", 11) = 11
294642 close(6) = 0
294642 write(16, "ready", 5) = 5
294653 <... read resumed>"r", 1) = 1
294642 write(16, "\n", 1) = 1
294653 read(15, "e", 1) = 1
294642 read(16, <unfinished ...>
294653 read(15, "a", 1) = 1
294653 read(15, "d", 1) = 1
294653 read(15, "y", 1) = 1
294653 read(15, "\n", 1) = 1
294653 mount("none", "/tmp/guix-directory.3DaoGp", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
294653 write(15, "(", 1) = 1
294642 <... read resumed>"(", 1) = 1
294653 write(15, "system-error", 12 <unfinished ...>

(It used to work on Ubuntu 22.)

Ludo’.
W
R
R
Ricardo Wurmus wrote on 4 Jul 2024 15:05
‘guix shell -C’ doesn’t work on Ubuntu 24.04
(address . 71226@debbugs.gnu.org)(address . ludo@gnu.org)
87plrttiia.fsf@elephly.net
On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:

Toggle snippet (76 lines)
abi <abi/3.0>,

include <tunables/global>

/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>

capability net_admin, # for "guix shell -CN"
capability sys_admin, # for clone
capability sys_ptrace, # for user namespaces

# Allow preparing file systems inside the container root
mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
umount /real-root/,

pivot_root,

/etc/nsswitch.conf r,
/etc/passwd r,
/gnu/store/** r,
/gnu/store/**/** r,
/gnu/store/*-guix-*/etc/ld.so.cache r,
/gnu/store/*-guix-*/libexec/guix/guile ix,
/gnu/store/*/bin/* mrix,
/gnu/store/*/lib/**.so** mr,
/gnu/store/*/lib/lib*.so* mr,
/gnu/store/*/libexec/** ix,
/gnu/store/*/sbin/* mrix,
/tmp/ rw,
/tmp/guix-directory** rw,
/var/guix/** r,
/var/guix/daemon-socket/socket rw,
@{PROC}/*/ns/net rw,
@{PROC}/*/ns/user rw,
@{PROC}/@{pid}/** rw,
@{PROC}/self/ rw,
@{PROC}/self/** rw,
@{PROC}/sys/kernel/unprivileged_userns_clone rw,

# These are permissions inside the container after pivot root
owner / w,
owner /bin/ w,
owner /bin/sh w,
owner /etc/ w,
owner /etc/group w,
owner /etc/group.* r,
owner /etc/group.* w,
owner /etc/hosts w,
owner /etc/passwd rw,
owner /etc/passwd.* r,
owner /etc/passwd.* w,
owner /home/*/* ra,
owner /home/*/.cache/guix/profiles/ r,
owner /home/*/.cache/guix/profiles/* w,
owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
owner /real-root/ w,

allow userns,

}

I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container". "guix shell -C hello" and "guix
shell -CN hello" worked fine.

To refine this policy I used the following process:

1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often
replacing temporary directory names with glob patterns)
4. repeat

We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.

I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.

--
Ricardo
L
L
Ludovic Courtès wrote on 15 Oct 2024 14:03
control message for bug #71226
(address . control@debbugs.gnu.org)
87wmi9zi81.fsf@gnu.org
severity 71226 important
quit
L
L
Ludovic Courtès wrote on 15 Oct 2024 14:07
Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 71226@debbugs.gnu.org)
87sesxzi09.fsf@gnu.org
Hi Ricardo and all,

Ricardo Wurmus <rekado@elephly.net> skribis:

Toggle quote (3 lines)
> On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
> following contents:

[...]

Toggle quote (4 lines)
> I then loaded the profile with "sudo apparmor_parser -qr
> /etc/apparmor.d/guix-shell-container". "guix shell -C hello" and "guix
> shell -CN hello" worked fine.

This issue is informally reported quite frequently these days.

Can someone on Ubuntu having this problem confirm that it works for
them?

And then, bonus points if you can create a patch against Guix that (1)
adds the file above under etc/ in the source tree, and (2) changes
‘etc/guix-install.sh’ to perform the above setup step on Apparmor
distros, similar to how SELinux is handled.

That’d be a much appreciated contribution!

Thanks,
Ludo’.
M
M
Marek Felšöci wrote on 19 Dec 2024 17:26
Re: bug#71226: ‘guix shell -C’ doesn ’t work on Ubuntu 24.04
(address . 71226@debbugs.gnu.org)
0cf84df5-5771-aa9f-2a3e-e8bef6ad7b0f@lip6.fr
Hello to all,

I confirm the issue on my Ubuntu 24.04 installation with Guix coming from apt
repositories.

I followed the steps from the Ricardo's reply, but the problem persists with the
same error:

```
guix shell: chyba: mount: mount "none" on "/tmp/guix-directory.DFemEr": Prístup
odmietnutý
```

Note that in the above message 'Prístup odmietnutý' means 'Access denied'.

Have there been any new developments regarding this issue?

PS: My current Guix generation is based on the commit c3290ce of the official
Guix channel.

Thank you very much!

Best regards,
Marek
L
L
Ludovic Courtès wrote on 9 Jan 15:12 +0100
Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
(name . Marek Felšöci)(address . marek.felsoci@lip6.fr)
87h668oz3j.fsf@gnu.org
Hi Marek!

Marek Felšöci <marek.felsoci@lip6.fr> skribis:

Toggle quote (15 lines)
> I confirm the issue on my Ubuntu 24.04 installation with Guix coming
> from apt repositories.
>
> I followed the steps from the Ricardo's reply, but the problem
> persists with the same error:
>
> ```
> guix shell: chyba: mount: mount "none" on
> "/tmp/guix-directory.DFemEr": Prístup odmietnutý
> ```
>
> Note that in the above message 'Prístup odmietnutý' means 'Access denied'.
>
> Have there been any new developments regarding this issue?

No! I guess Ricardo was on the right track but this probably needs more
testing and polishing.

Is there additional info you can get by running “dmesg” or something
like that?

Thanks,
Ludo’.
M
M
Marek Felšöci wrote on 9 Jan 23:08 +0100
Re: bug#71226: ‘guix shell -C’ doesn ’t work on Ubuntu 24.04
(name . Ludovic Courtès)(address . ludovic.courtes@inria.fr)
f604780d-bdcf-509c-9f3b-687f8ba0c655@lip6.fr
Hi Ludovic!

I ran the following Guix command

```
guix shell -C bash -- bash
```
and got these two entries in `dmesg` log.

```
[46999.292835] audit: type=1400 audit(1736460233.024:325): apparmor="AUDIT"
operation="userns_create" class="namespace" info="Userns create - transitioning
profile" profile="unconfined" pid=190176 comm="guix" requested="userns_create"
target="unprivileged_userns"
[46999.297993] audit: type=1400 audit(1736460233.029:326): apparmor="DENIED"
operation="mount" class="mount" info="failed mntpnt match" error=-13
profile="unprivileged_userns" name="/tmp/guix-directory.BpSImx/" pid=190193
comm="guix" fstype="tmpfs" srcname="none"
```
Is it of any help? Is there something else I should have a look at?

Thanks,
Marek.

Ludovic Courtès napísal(a) d?a 9. 1. 2025 o 15:12:
Toggle quote (26 lines)
> Hi Marek!
>
> Marek Felšöci <marek.felsoci@lip6.fr> skribis:
>
>> I confirm the issue on my Ubuntu 24.04 installation with Guix coming
>> from apt repositories.
>>
>> I followed the steps from the Ricardo's reply, but the problem
>> persists with the same error:
>>
>> ```
>> guix shell: chyba: mount: mount "none" on
>> "/tmp/guix-directory.DFemEr": Prístup odmietnutý
>> ```
>>
>> Note that in the above message 'Prístup odmietnutý' means 'Access denied'.
>>
>> Have there been any new developments regarding this issue?
> No! I guess Ricardo was on the right track but this probably needs more
> testing and polishing.
>
> Is there additional info you can get by running “dmesg” or something
> like that?
>
> Thanks,
> Ludo’.
L
L
Ludovic Courtès wrote on 10 Jan 17:37 +0100
Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
(name . Marek Felšöci)(address . marek.felsoci@lip6.fr)
87ed1amxpy.fsf@gnu.org
Hello!

I believe the attached AppArmor profile should work. You need to:

1. Drop it in /etc/apparmor.d/guix (it’s actually not specific to
‘guix shell -C’ since it matches any ‘guix’ command!).

2. Run “apparmor_parser -rv /etc/apparmor.d/guix”.

And then you can check “guix build whatever” and “guix shell -C hello”.

Note that AppArmor is stateful: it memorizes previous rules (“profiles”)
and it’s not entirely clear how to remove them, especially when there’s
no profile name.

So perhaps you’ll want to reboot if in doubt.

Anyway, I tested it in an Ubuntu 24.04 VM and everything seemed to work
well.

If you can confirm, we can add it to the repo and have ‘guix-install.sh’
install it.

Ludo’.
abi <abi/3.0>,

include <tunables/global>

profile guix /gnu/store/{*-guix-command,*/bin/guix} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice>

capability net_admin, # for "guix shell -CN"
capability sys_admin, # for clone
capability sys_ptrace, # for user namespaces

# Allow preparing file systems inside the container root
mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
umount /real-root/,

pivot_root,

# 'guix substitute' is responsible for deduplicating files that it downloads
# so it needs to be able to create links in /gnu/store/.links.
link /gnu/store/.links/** -> /gnu/store/**,

# Note: This also needs to provide permissions for 'guix substitute',
# which accesses /etc/guix/acl, /var/guix, /gnu/store/.links, etc.

/etc/nsswitch.conf r,
/etc/passwd r,
/gnu/store/** r,
/gnu/store/**/** r,
/gnu/store/*-guix-*/etc/ld.so.cache r,
/gnu/store/*-guix-*/libexec/guix/guile ix,
/gnu/store/*/bin/* mrix,
/gnu/store/*/lib/**.so** mr,
/gnu/store/*/lib/lib*.so* mr,
/gnu/store/*/libexec/** ix,
/gnu/store/*/sbin/* mrix,
/tmp/ rw,
/tmp/guix-directory** rw,
/var/guix/** r,
/var/guix/daemon-socket/socket rw,
@{PROC}/*/ns/net rw,
@{PROC}/*/ns/user rw,
@{PROC}/@{pid}/** rw,
@{PROC}/self/ rw,
@{PROC}/self/** rw,
@{PROC}/sys/kernel/unprivileged_userns_clone rw,

# These are permissions inside the container after pivot root
owner / w,
owner /bin/ w,
owner /bin/sh w,
owner /etc/ w,
owner /etc/group w,
owner /etc/group.* r,
owner /etc/group.* w,
owner /etc/hosts w,
owner /etc/passwd rw,
owner /etc/passwd.* r,
owner /etc/passwd.* w,
owner /home/*/* ra,
owner /home/*/.cache/guix/profiles/ r,
owner /home/*/.cache/guix/profiles/* w,
owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
owner /real-root/ w,

allow userns,

}
M
M
Marek Felšöci wrote 4 days ago
Re: bug#71226: ‘guix shell -C’ doesn ’t work on Ubuntu 24.04
(name . Ludovic Courtès)(address . ludo@gnu.org)
674a32a4-5ba2-5832-1dca-437f53acc969@lip6.fr
Hello!

Thank you for taking time with this issue.

After loading the AppArmor profile from your message, I am able to execute “guix
shell -C hello”.

However, when trying to combine the "shell" command with the "time-machine"
command, like so:

"guix time-machine --channels=.guix/channels.scm -- shell -C hello"

I get an access denied error on the ".guix/channels.scm" file which I own and
have access to.

I tried to play around with the AppArmor profile, but with no success. Are we
still missing something?

Best,
Marek

Ludovic Courtès napísal(a) d?a 10. 1. 2025 o 17:37:
Toggle quote (109 lines)
> Hello!
>
> I believe the attached AppArmor profile should work. You need to:
>
> 1. Drop it in /etc/apparmor.d/guix (it’s actually not specific to
> ‘guix shell -C’ since it matches any ‘guix’ command!).
>
> 2. Run “apparmor_parser -rv /etc/apparmor.d/guix”.
>
> And then you can check “guix build whatever” and “guix shell -C hello”.
>
> Note that AppArmor is stateful: it memorizes previous rules (“profiles”)
> and it’s not entirely clear how to remove them, especially when there’s
> no profile name.
>
> So perhaps you’ll want to reboot if in doubt.
>
> Anyway, I tested it in an Ubuntu 24.04 VM and everything seemed to work
> well.
>
> If you can confirm, we can add it to the repo and have ‘guix-install.sh’
> install it.
>
> Ludo’.
>
>
> guix.apparmor
>
> abi <abi/3.0>,
>
> include <tunables/global>
>
> profile guix /gnu/store/{*-guix-command,*/bin/guix} flags=(attach_disconnected) {
> include <abstractions/base>
> include <abstractions/consoles>
> include <abstractions/nameservice>
>
> capability net_admin, # for "guix shell -CN"
> capability sys_admin, # for clone
> capability sys_ptrace, # for user namespaces
>
> # Allow preparing file systems inside the container root
> mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
> mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
> mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
> mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
> mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
> mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
> mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
> mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
> mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
> mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
> mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
> mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
> umount /real-root/,
>
> pivot_root,
>
> # 'guix substitute' is responsible for deduplicating files that it downloads
> # so it needs to be able to create links in /gnu/store/.links.
> link /gnu/store/.links/** -> /gnu/store/**,
>
> # Note: This also needs to provide permissions for 'guix substitute',
> # which accesses /etc/guix/acl, /var/guix, /gnu/store/.links, etc.
>
> /etc/nsswitch.conf r,
> /etc/passwd r,
> /gnu/store/** r,
> /gnu/store/**/** r,
> /gnu/store/*-guix-*/etc/ld.so.cache r,
> /gnu/store/*-guix-*/libexec/guix/guile ix,
> /gnu/store/*/bin/* mrix,
> /gnu/store/*/lib/**.so** mr,
> /gnu/store/*/lib/lib*.so* mr,
> /gnu/store/*/libexec/** ix,
> /gnu/store/*/sbin/* mrix,
> /tmp/ rw,
> /tmp/guix-directory** rw,
> /var/guix/** r,
> /var/guix/daemon-socket/socket rw,
> @{PROC}/*/ns/net rw,
> @{PROC}/*/ns/user rw,
> @{PROC}/@{pid}/** rw,
> @{PROC}/self/ rw,
> @{PROC}/self/** rw,
> @{PROC}/sys/kernel/unprivileged_userns_clone rw,
>
> # These are permissions inside the container after pivot root
> owner / w,
> owner /bin/ w,
> owner /bin/sh w,
> owner /etc/ w,
> owner /etc/group w,
> owner /etc/group.* r,
> owner /etc/group.* w,
> owner /etc/hosts w,
> owner /etc/passwd rw,
> owner /etc/passwd.* r,
> owner /etc/passwd.* w,
>
> owner /home/*/* ra,
> owner /home/*/.cache/guix/profiles/ r,
> owner /home/*/.cache/guix/profiles/* w,
> owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
> owner /real-root/ w,
>
> allow userns,
>
> }
R
R
Ricardo Wurmus wrote 4 days ago
Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
(name . Marek Felšöci)(address . marek.felsoci@lip6.fr)
87ed15kag4.fsf@elephly.net
Marek Felšöci <marek.felsoci@lip6.fr> writes:

Toggle quote (6 lines)
> I get an access denied error on the ".guix/channels.scm" file which I
> own and have access to.
>
> I tried to play around with the AppArmor profile, but with no
> success. Are we still missing something?

Do you see any relevant information in the AppArmor logs?

I'm not familiar with AppArmor, but in SELinux there's the concept of
type transitions. "guix time-machine" builds a directory and then
executes "bin/guix" from that store location. In SELinux you would need
to explicitly allow for that transition, so that
$HOME/.config/current/bin/guix can preserve its type when executing the
independent /gnu/store/.../bin/guix.

(Looking at our SELinux policy it seems to me that we're missing a type
transition for this case, so I would assume that "guix time-machine"
also doesn't work on a system where SELinux is enforcing policies.)

--
Ricardo
L
L
Ludovic Courtès wrote 42 hours ago
(name . Ricardo Wurmus)(address . rekado@elephly.net)
87a5br6uhd.fsf@gnu.org
Ricardo Wurmus <rekado@elephly.net> skribis:

Toggle quote (10 lines)
> Marek Felšöci <marek.felsoci@lip6.fr> writes:
>
>> I get an access denied error on the ".guix/channels.scm" file which I
>> own and have access to.
>>
>> I tried to play around with the AppArmor profile, but with no
>> success. Are we still missing something?
>
> Do you see any relevant information in the AppArmor logs?

I actually have a similar error:

Toggle snippet (13 lines)
$ guix time-machine -- shell -C hello
guix time-machine: error: failed to load '/builds/.config/guix/channels.scm': Permission denied
$ sudo dmesg | tail -4
[489967.069070] audit: type=1400 audit(1737015245.640:166): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[489967.069236] audit: type=1400 audit(1737015245.640:167): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443246] audit: type=1400 audit(1737015290.015:168): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443371] audit: type=1400 audit(1737015290.015:169): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
$ ls -l /builds/.config/guix/channels.scm
-rw-rw-r-- 1 ci ci 147 Dec 27 11:28 /builds/.config/guix/channels.scm
$ id
uid=1000(ci) gid=1000(ci) groups=1000(ci)

I think the problem we have is that the AppArmor profile now applies to
all ‘guix’ invocations but it doesn’t specify that ‘guix’ can access
user-owned files. I guess I did something wrong because that means that
this profile is in fact more restrictive than the default one.

Is there a way to say we want to inherit the default profile and only
relax it?

Ludo’.
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 71226@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 71226
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch