Ubuntu's default (since 23.10) AppArmor rules break some tests #545

Open
opened 2024-10-11 15:42:31 +00:00 by vigress8 · 0 comments
Member

## Describe the bug

Ubuntu now restricts unprivileged user namespaces:
https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

Which breaks these tests:

```
 81/161 lix:installcheck / functional-build-remote-input-addressed            FAIL             0.28s   exit status 1
 93/161 lix:installcheck / functional-build-remote-content-addressed-fixed    FAIL             0.35s   exit status 1
 94/161 lix:installcheck / functional-build-remote-content-addressed-floating FAIL             0.38s   exit status 1
 95/161 lix:installcheck / functional-build-remote-trustless-should-pass-0    FAIL             0.35s   exit status 1
 96/161 lix:installcheck / functional-build-remote-trustless-should-pass-1    FAIL             0.36s   exit status 1
 97/161 lix:installcheck / functional-build-remote-trustless-should-pass-2    FAIL             0.38s   exit status 1
 98/161 lix:installcheck / functional-build-remote-trustless-should-pass-3    FAIL             0.38s   exit status 1
100/161 lix:installcheck / functional-build-remote-trustless-should-fail-0    FAIL             0.26s   exit status 100
114/161 lix:installcheck / functional-supplementary-groups                    FAIL             0.14s   exit status 1
115/161 lix:installcheck / functional-linux-sandbox                           FAIL             0.25s   exit status 100
119/161 lix:installcheck / functional-shell                                   FAIL             0.62s   exit status 1
152/161 lix:installcheck / functional-nested-sandboxing                       FAIL             0.28s   exit status 1
```

## Steps To Reproduce

With AppArmor installed, set

```
sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
```

And run the test suite. Observe that the above tests fail with confusing output like

```
error: executing '/nix/store/c2ph7pk42aa8fa1diy74pkdjyj8qrd1d-busybox': No such file or directory
```

## Expected behavior

The tests should at least error out immediately when this incompatibility is noticed.

vigress8 added the labels bug, OS/Linux, testing/flakey on 2024-10-11 15:42:32 +00:00
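The "error out immediately" behaviour the report asks for can be implemented as a pre-flight check that runs before the sandbox tests. The script below is an added example, not code from Lix or from the issue's author: it reads the two sysctl knobs named in the reproduction steps from their `/proc/sys` files, confirms the verdict with a live `unshare -U` probe from util-linux, and prints one clear message instead of the misleading "No such file or directory". It assumes the knobs live at the standard `/proc/sys/kernel/` paths, that `unshare(1)` is installed for the probe, and it approximates "unprivileged" as "uid is not 0" (a process holding CAP_SYS_ADMIN without uid 0 is not covered by that approximation).

```shell
#!/bin/sh
# Added example (not part of Lix or its test suite): a pre-flight check a test
# harness could run before the sandbox tests, so that Ubuntu's AppArmor
# user-namespace restriction is reported up front instead of surfacing as the
# misleading "No such file or directory" error quoted in the issue.

# The sysctl knobs named in the issue, as exposed under /proc. Kernels without
# Ubuntu's AppArmor patches do not have these files at all.
USERNS_KNOB=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
UNCONFINED_KNOB=/proc/sys/kernel/apparmor_restrict_unprivileged_unconfined

# read_knob FILE: print the knob's value. An absent or unreadable file is
# reported as 0 ("not restricted"), since a kernel without the knob cannot
# enforce the restriction.
read_knob() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf '0'
    fi
}

# userns_restricted VALUE UID: pure decision logic. Returns 0 (true) when
# apparmor_restrict_unprivileged_userns is 1 AND the caller is not root, i.e.
# an unconfined unprivileged process will be refused new user namespaces.
# Root (uid 0) is exempt from the restriction, so the check passes for it.
userns_restricted() {
    [ "$1" = "1" ] && [ "$2" -ne 0 ]
}

# probe_userns: empirically try to create a user namespace with util-linux
# unshare(1). Returns 0 if it works, 1 if the kernel refuses, 2 if unshare is
# not installed and the probe cannot be run.
probe_userns() {
    if ! command -v unshare >/dev/null 2>&1; then
        return 2
    fi
    if unshare -U true 2>/dev/null; then
        return 0
    fi
    return 1
}

# check_userns_preflight: combine the sysctl reading with the live probe and
# print a single verdict. Returns 1 when the sandbox tests are known to be
# unable to run here, 0 otherwise.
check_userns_preflight() {
    userns_value=$(read_knob "$USERNS_KNOB")
    unconfined_value=$(read_knob "$UNCONFINED_KNOB")
    printf 'kernel.apparmor_restrict_unprivileged_userns=%s\n' "$userns_value"
    printf 'kernel.apparmor_restrict_unprivileged_unconfined=%s\n' "$unconfined_value"

    probe_userns
    probe=$?
    case $probe in
        0) printf 'probe: unshare -U succeeded\n' ;;
        1) printf 'probe: unshare -U was refused\n' ;;
        *) printf 'probe: unshare not available, skipping\n' ;;
    esac

    if userns_restricted "$userns_value" "$(id -u)" || [ "$probe" -eq 1 ]; then
        printf 'ERROR: unprivileged user namespaces are unavailable on this host ' >&2
        printf '(AppArmor restriction, see the Ubuntu blog post linked in the issue); ' >&2
        printf 'the sandbox tests cannot run here.\n' >&2
        return 1
    fi
    printf 'OK: unprivileged user namespaces are available\n'
    return 0
}

# When executed directly, print the report. The status is not made fatal here
# so a harness that sources this file can decide whether to skip or fail.
check_userns_preflight || :
```

A harness would call `check_userns_preflight || exit 1` before launching the functional tests; the probe covers the case where a different mechanism (a container seccomp profile, for instance) blocks `unshare` even though the sysctl reads 0.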
Reference: lix-project/lix#545