This is essentially the same issue as the proc one but with sysfs
instead. I apologize for not testing this sooner:
```
root@new-lxd:~# mount -tsysfs sysfs ~/sysfs
mount: /root/sysfs: cannot mount sysfs read-only.
```
dmesg:
```
[106935.993143] audit: type=1400 audit(1724863999.970:1277): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxd-new-lxd_</var/snap/lxd/common/lxd>" name="/root/sysfs/" pid=151081 comm="mount" fstype="sysfs" srcname="sysfs"
[106935.993160] audit: type=1400 audit(1724863999.970:1278): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxd-new-lxd_</var/snap/lxd/common/lxd>" name="/root/sysfs/" pid=151081 comm="mount" fstype="sysfs" srcname="sysfs" flags="ro"
```
… the context here for these issues is that we mount those filesystems for the overlays feature in Rockcraft; I can confirm that the other necessary mounts are still working.
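As an added example (not code from the thread or from LXD), a small Python filter that pulls AppArmor mount denials out of dmesg output like the above and groups them by profile, filesystem type and mount target, so the two records that a single `mount` command produces collapse into one finding. The sample input is constructed from the two audit lines in the post plus one unrelated kernel message.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample input: the two audit lines quoted in the post above plus
# one unrelated kernel message, so the filter has something to skip.
SAMPLE_DMESG = """\
[106935.993143] audit: type=1400 audit(1724863999.970:1277): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxd-new-lxd_</var/snap/lxd/common/lxd>" name="/root/sysfs/" pid=151081 comm="mount" fstype="sysfs" srcname="sysfs"
[106935.993160] audit: type=1400 audit(1724863999.970:1278): apparmor="DENIED" operation="mount" class="mount" info="failed perms check" error=-13 profile="lxd-new-lxd_</var/snap/lxd/common/lxd>" name="/root/sysfs/" pid=151081 comm="mount" fstype="sysfs" srcname="sysfs" flags="ro"
[106936.100000] usb 1-1: new high-speed USB device number 5 using xhci_hcd
"""

# AppArmor audit records are key=value pairs; values are either "quoted" or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def mount_denials(dmesg: str) -> List[Dict[str, str]]:
    """Keep only DENIED records whose operation is a mount."""
    out = []
    for line in dmesg.splitlines():
        rec = parse_audit_line(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("operation") == "mount":
            out.append(rec)
    return out


def summarize(denials: List[Dict[str, str]]) -> Dict[tuple, List[str]]:
    """Group by (profile, fstype, target) and list the mount flags that were tried.

    mount(8) falls back to a read-only attempt after the first refusal, which is
    why one command produced two records above; grouping collapses them.
    """
    groups: Dict[tuple, List[str]] = defaultdict(list)
    for rec in denials:
        key = (rec["profile"], rec.get("fstype", "?"), rec.get("name", "?"))
        groups[key].append(rec.get("flags", "rw"))  # no flags field: default rw attempt
    return dict(groups)


if __name__ == "__main__":
    for (profile, fstype, target), flags in summarize(mount_denials(SAMPLE_DMESG)).items():
        print(f"{profile}: mount -t {fstype} on {target} denied (flags tried: {', '.join(flags)})")
```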
tomp
August 29, 2024, 7:48am
I’ve asked @amikhalitsyn to look at this too. Thanks
Hey @tigarmo, do you need overlayfs too?
As a temporary workaround you can do `lxc config set myct security.nesting=true`.
> do you need overlayfs too?

No, we use fuse-overlayfs and that mount is still working. Thanks for the workaround!
tomp
August 30, 2024, 8:07am
The fix for this is in latest/edge now and we will backport to 5.21/stable and latest/stable.
canonical:main
← mihalicyn:apparmor_unpriv_allow_more_fs
opened 12:42PM - 29 Aug 24 UTC
A new AppArmor includes security fixes and our ruleset becomes stricter, while the source code remains unchanged.
sysfs was always available for unprivileged containers because of AppArmor bugs like [1]. Let's now allow it back by explicit rule.
[1] https://bugs.launchpad.net/apparmor/+bug/1597017
Fixes:
https://discourse.ubuntu.com/t/mount-root-sysfs-cannot-mount-sysfs-read-only-with-lxd-5-21-2-22f93f4-from-snap/47563
Thanks! I can confirm that with latest/edge my mounting issues are gone.
tomp
September 2, 2024, 3:12pm
Fix for this is now in 5.21/candidate and latest/candidate.
tomp
September 3, 2024, 7:45am
This is now progressively rolling out to latest/stable and 5.21/stable see
Due to changes in the default behaviour of the updated vendored apparmor parser we have released an additional interim release (5.21.2-2f4ba6b) to address 2 regressions.