#71226 ‘guix shell -C’ doesn’t work on Ubuntu 24.04

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludovic.courtes@inria.fr>

To: bug-guix@gnu.org

Subject: ‘guix shell -C’ doesn’t work on Ubuntu 24.04

Date: Mon, 27 May 2024 16:55:07 +0200

On Ubuntu 24.04, ‘guix shell -C’ has its child process (in a separate
mount namespace) fail to mount a tmpfs:

--8<---------------cut here---------------start------------->8---
294642 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 294653
294642 close(15)                        = 0
294642 getuid()                         = 1000
294642 getgid()                         = 1000
294653 close(16)                        = 0
294642 openat(AT_FDCWD, "/proc/294653/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666 <unfinished ...>
294653 read(15,  <unfinished ...>
294642 <... openat resumed>)            = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "deny", 4)              = 4
294642 close(6)                         = 0
294642 openat(AT_FDCWD, "/proc/294653/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "1000 1000 1", 11)      = 11
294642 close(6)                         = 0
294642 openat(AT_FDCWD, "/proc/294653/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "1000 1000 1", 11)      = 11
294642 close(6)                         = 0
294642 write(16, "ready", 5)            = 5
294653 <... read resumed>"r", 1)        = 1
294642 write(16, "\n", 1)               = 1
294653 read(15, "e", 1)                 = 1
294642 read(16,  <unfinished ...>
294653 read(15, "a", 1)                 = 1
294653 read(15, "d", 1)                 = 1
294653 read(15, "y", 1)                 = 1
294653 read(15, "\n", 1)                = 1
294653 mount("none", "/tmp/guix-directory.3DaoGp", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
294653 write(15, "(", 1)                = 1
294642 <... read resumed>"(", 1)        = 1
294653 write(15, "system-error", 12 <unfinished ...>
--8<---------------cut here---------------end--------------->8---

(It used to work on Ubuntu 22.)

Ludo’.

Message #8 received at 71226@debbugs.gnu.org (full text, mbox, reply):

From: "W. J. van der Laan" <laanwj@protonmail.com>

To: "71226@debbugs.gnu.org" <71226@debbugs.gnu.org>

Subject: Upstream ubuntu issue

Date: Thu, 30 May 2024 13:55:00 +0000

Upstream ubuntu issue (includes possible workaround): https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115

Message #11 received at 71226@debbugs.gnu.org (full text, mbox, reply):

From: Ricardo Wurmus <rekado@elephly.net>

To: 71226@debbugs.gnu.org

Cc: ludo@gnu.org

Subject: ‘guix shell -C’ doesn’t work on Ubuntu 24.04

Date: Thu, 04 Jul 2024 15:05:17 +0200

On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:

--8<---------------cut here---------------start------------->8---
abi <abi/3.0>,

include <tunables/global>

/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,

  pivot_root,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,

}
--8<---------------cut here---------------end--------------->8---

I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container".  "guix shell -C hello" and "guix
shell -CN hello" worked fine.

To refine this policy I used the following process:

1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often
replacing temporary directory names with glob patterns)
4. repeat

We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.

I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.

-- 
Ricardo

Message #16 received at 71226@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludovic.courtes@inria.fr>

To: Ricardo Wurmus <rekado@elephly.net>

Cc: 71226@debbugs.gnu.org

Subject: Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04

Date: Tue, 15 Oct 2024 14:07:50 +0200

Hi Ricardo and all,

Ricardo Wurmus <rekado@elephly.net> skribis:

> On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
> following contents:

[...]

> I then loaded the profile with "sudo apparmor_parser -qr
> /etc/apparmor.d/guix-shell-container".  "guix shell -C hello" and "guix
> shell -CN hello" worked fine.

This issue is informally reported quite frequently these days.

Can someone on Ubuntu having this problem confirm that it works for
them?

And then, bonus points if you can create a patch against Guix that (1)
adds the file above under etc/ in the source tree, and (2) changes
‘etc/guix-install.sh’ to perform the above setup step on Apparmor
distros, similar to how SELinux is handled.

That’d be a much appreciated contribution!

Thanks,
Ludo’.

Send a report that this bug log contains spam.