invalid mount rules according to the specification (no leading '/' with mountpoint) #886

Closed
jdstrand opened this issue May 22, 2024 · 1 comment · Fixed by canonical/lxd#13546

jdstrand commented May 22, 2024

Hi,

I came across https://bugs.launchpad.net/lxc/+bug/2064144 which states that rules like this:

mount options=(rw, make-slave) -> **,

are non-compliant with the apparmor specification due to the mountpoint not having a leading /: "man 5 apparmor.d ==> [mountpoint] must start with ’/’ (after variable expansion).".

While this is talking about logprof (which won't interact with incus rules since there are no rules on disk (though it does impact the LXC project)), the response in the bug says "this restriction is only enforced in AppArmor since version 4.0" (referring to the parser) so incus likely is affected when run on systems with AppArmor 4.0 (note, there are still open questions to John on what to do; I just wanted you to be aware of the discussion).

Example of location of problematic AppArmor rule in incus: https://github.com/lxc/incus/blob/main/internal/server/apparmor/instance_lxc.go#L512
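A way to find the rule form reported above in generated profile text, as an added example that is not part of the issue or of the incus code base: it flags `mount ... -> MOUNTPOINT,` rules whose mountpoint has no leading `/`. The regular expression is a simplified approximation of the mount rule grammar, mountpoints starting with a variable such as `@{HOME}` are skipped because they can only be judged after expansion, and the sample profile is constructed (only its first rule is quoted from the issue).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// mountRule matches "mount ... -> MOUNTPOINT," and captures the mountpoint.
var mountRule = regexp.MustCompile(`^\s*(?:(?:audit|allow|deny)\s+)*mount\b.*->\s*(.+?)\s*,\s*(?:#.*)?$`)

// Finding is one mount rule whose mountpoint does not begin with '/'.
type Finding struct {
	Line       int
	Mountpoint string
}

// CheckMountpoints returns the mount rules in profile whose mountpoint lacks a leading '/'.
func CheckMountpoints(profile string) []Finding {
	var out []Finding
	for i, line := range strings.Split(profile, "\n") {
		m := mountRule.FindStringSubmatch(line)
		if m == nil {
			continue // not a "mount ... -> target," rule (or a comment line)
		}
		mp := strings.Trim(m[1], `"`)
		// Assumption: a leading @{VAR} is left for a check after variable expansion.
		if strings.HasPrefix(mp, "/") || strings.HasPrefix(mp, "@{") {
			continue
		}
		out = append(out, Finding{Line: i + 1, Mountpoint: mp})
	}
	return out
}

// sampleProfile is constructed for this example; rule 1 is the one quoted in the issue.
const sampleProfile = `  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-slave) -> /**,
  mount fstype=proc -> /proc/,
  deny mount options=(ro, remount) -> "usr/**",
  mount options=(rw, bind) /dev/ -> @{HOME}/dev/,
  # mount -> commented/out,
`

func main() {
	for _, f := range CheckMountpoints(sampleProfile) {
		fmt.Printf("line %d: mountpoint %q has no leading '/'\n", f.Line, f.Mountpoint)
	}
}
```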

jdstrand changed the title from "invalid mount rules according to the specification" to "invalid mount rules according to the specification (no leading '/' with mountpoint)" May 22, 2024
stgraber added Bug Confirmed to be a bug Easy Good for new contributors labels May 22, 2024
stgraber self-assigned this May 22, 2024
stgraber added this to the incus-6.2 milestone May 22, 2024
stgraber added a commit to stgraber/incus that referenced this issue May 22, 2024
Closes lxc#886

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
jdstrand (Author) commented

FYI, John responded and said that the current syntax should continue to be supported: https://bugs.launchpad.net/lxc/+bug/2064144/comments/4.

hallyn closed this as completed in d2c13e3 May 23, 2024
stgraber added a commit that referenced this issue May 27, 2024
Closes #886

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
simondeziel pushed a commit to simondeziel/lxd that referenced this issue Jun 4, 2024
Closes lxc/incus#886

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
(cherry picked from commit d2c13e3f6312f08750981a80a510530e881c4ec7)
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
simondeziel pushed a commit to simondeziel/lxd that referenced this issue Jun 4, 2024
Closes lxc/incus#886

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
(cherry picked from commit d2c13e3f6312f08750981a80a510530e881c4ec7)
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
License: Apache-2.0
hamistao pushed a commit to hamistao/lxd that referenced this issue Jun 6, 2024
Closes lxc/incus#886

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
(cherry picked from commit d2c13e3f6312f08750981a80a510530e881c4ec7)
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
License: Apache-2.0
tomponline pushed a commit to tomponline/lxd that referenced this issue Jun 6, 2024
Closes lxc/incus#886

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
(cherry picked from commit d2c13e3f6312f08750981a80a510530e881c4ec7)
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
License: Apache-2.0
tomponline pushed a commit to tomponline/lxd that referenced this issue Sep 13, 2024
Closes lxc/incus#886

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
(cherry picked from commit d2c13e3f6312f08750981a80a510530e881c4ec7)
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
License: Apache-2.0
(cherry picked from commit e896a21)