‘guix shell -C’ doesn’t work on Ubuntu 24.04

  • Open
Details
4 participants
  • W. J. van der Laan
  • Ludovic Courtès
  • Ludovic Courtès
  • Ricardo Wurmus
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
important
Ludovic Courtès wrote on 27 May 16:55 +0200
‘guix shell -C’ doesn’t work on Ubuntu 24.04
(address . bug-guix@gnu.org)
87wmnfxq2c.fsf@inria.fr
On Ubuntu 24.04, ‘guix shell -C’ has its child process (in a separate
mount namespace) fail to mount a tmpfs:

294642 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 294653
294642 close(15) = 0
294642 getuid() = 1000
294642 getgid() = 1000
294653 close(16) = 0
294642 openat(AT_FDCWD, "/proc/294653/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666 <unfinished ...>
294653 read(15, <unfinished ...>
294642 <... openat resumed>) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "deny", 4) = 4
294642 close(6) = 0
294642 openat(AT_FDCWD, "/proc/294653/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "1000 1000 1", 11) = 11
294642 close(6) = 0
294642 openat(AT_FDCWD, "/proc/294653/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "1000 1000 1", 11) = 11
294642 close(6) = 0
294642 write(16, "ready", 5) = 5
294653 <... read resumed>"r", 1) = 1
294642 write(16, "\n", 1) = 1
294653 read(15, "e", 1) = 1
294642 read(16, <unfinished ...>
294653 read(15, "a", 1) = 1
294653 read(15, "d", 1) = 1
294653 read(15, "y", 1) = 1
294653 read(15, "\n", 1) = 1
294653 mount("none", "/tmp/guix-directory.3DaoGp", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
294653 write(15, "(", 1) = 1
294642 <... read resumed>"(", 1) = 1
294653 write(15, "system-error", 12 <unfinished ...>

(It used to work on Ubuntu 22.)

Ludo’.
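To isolate the failure shown in the trace above, here is an added diagnostic (not code from Guix or from this thread) that replays the same steps in C: a fresh user and mount namespace, setgroups=deny, uid_map and gid_map written as "1000 1000 1", then a tmpfs mount on a temporary directory; it returns 0 on success or the errno of the step the host refused (EACCES from mount() is the case reported here). It assumes a Linux host; the /tmp/userns-probe.XXXXXX directory is a stand-in for guix-directory.*.

```c
#define _GNU_SOURCE             /* for unshare() and CLONE_* in <sched.h> */
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER           /* fallback if _GNU_SOURCE was not in effect */
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWNS   0x00020000
int unshare(int);
#endif
/* Single-entry id map in the form guix writes: "1000 1000 1". */
int build_id_map(char *buf, size_t len, unsigned id) {
    return snprintf(buf, len, "%u %u 1", id, id);
}

static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}
/* 0 when a tmpfs mounts inside a fresh user+mount namespace, else the
 * positive errno of the failing step (EACCES is what the trace shows). */
int probe_userns_tmpfs(void) {
    char dir[] = "/tmp/userns-probe.XXXXXX";  /* stands in for guix-directory.* */
    unsigned uid = getuid(), gid = getgid();  /* read before unshare() */
    if (!mkdtemp(dir)) return errno;
    pid_t pid = fork();
    if (pid < 0) { rmdir(dir); return errno; }
    if (pid == 0) {
        char map[64];
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) _exit(errno);
        /* same order as the trace: setgroups=deny, uid_map, gid_map, mount */
        if (write_file("/proc/self/setgroups", "deny") < 0) _exit(errno);
        build_id_map(map, sizeof map, uid);
        if (write_file("/proc/self/uid_map", map) < 0) _exit(errno);
        build_id_map(map, sizeof map, gid);
        if (write_file("/proc/self/gid_map", map) < 0) _exit(errno);
        _exit(mount("none", dir, "tmpfs", 0, NULL) < 0 ? errno : 0);
    }
    int status = 0; waitpid(pid, &status, 0);
    rmdir(dir);
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}
```

On a host that refuses the mount, strerror() of the returned value names the refused step; 0 means the container setup that ‘guix shell -C’ relies on is permitted.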
Ricardo Wurmus wrote on 4 Jul 15:05 +0200
‘guix shell -C’ doesn’t work on Ubuntu 24.04
(address . 71226@debbugs.gnu.org)(address . ludo@gnu.org)
87plrttiia.fsf@elephly.net
On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:

abi <abi/3.0>,

include <tunables/global>

/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,

  pivot_root,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,

}

I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container". "guix shell -C hello" and "guix
shell -CN hello" worked fine.

To refine this policy I used the following process:

1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often
replacing temporary directory names with glob patterns)
4. repeat

We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.

I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.

--
Ricardo
Ludovic Courtès wrote on 15 Oct 14:03 +0200
control message for bug #71226
(address . control@debbugs.gnu.org)
87wmi9zi81.fsf@gnu.org
severity 71226 important
quit
Ludovic Courtès wrote on 15 Oct 14:07 +0200
Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
(name . Ricardo Wurmus)(address . rekado@elephly.net)(address . 71226@debbugs.gnu.org)
87sesxzi09.fsf@gnu.org
Hi Ricardo and all,

Ricardo Wurmus <rekado@elephly.net> writes:

> On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
> following contents:

[...]

> I then loaded the profile with "sudo apparmor_parser -qr
> /etc/apparmor.d/guix-shell-container". "guix shell -C hello" and "guix
> shell -CN hello" worked fine.

This issue is informally reported quite frequently these days.

Can someone on Ubuntu having this problem confirm that it works for
them?

And then, bonus points if you can create a patch against Guix that (1)
adds the file above under etc/ in the source tree, and (2) changes
‘etc/guix-install.sh’ to perform the above setup step on AppArmor
distros, similar to how SELinux is handled.

That’d be a much appreciated contribution!

Thanks,
Ludo’.