* [RFC container] setup: include /dev/tty[0-9] in apparmor console abstraction
@ 2026-06-22 16:43 Stoiko Ivanov
  0 siblings, 0 replies; only message in thread
From: Stoiko Ivanov @ 2026-06-22 16:43 UTC (permalink / raw)
  To: pve-devel

/etc/apparmor.d/abstractions/consoles have a rather limited set of
paths, which are considered as consoles, to allow programs to use
them. /dev/tty is included, while /dev/tty1 is not.

adding this addition fixes an issue reported in our community forum:
https://forum.proxmox.com/threads/184461/
with `dig` not working - the apparmor profile for `dig` was
added on 2025-02-07 to apparmor (and got a few fixes in the meantime):
https://gitlab.com/apparmor/apparmor/-/merge_requests/1525

I could not reproduce the issue on a VM with our kernel, and the
profile from Ubuntu added so I assume that the issue is specific to
running this in a lxc environment (and that lxd and Ubuntu use
different paths for the console) - the denied operation based on the
audit log is file_inherit:
```
audit: type=1400 audit(1782146105.307:2279): apparmor="DENIED" \
operation="file_inherit" class="file" \
namespace="root//lxc-138_<-var-lib-lxc>" profile="dig" \
name="/dev/tty1" pid=822103 comm="dig" requested_mask="wr" \
denied_mask="wr" fsuid=100000 ouid=100000
```

adding the additional paths on post_create should cover container
templates from other sources as well (compared to adding it explicitly
in our template). As the dig profile is a rather recent addition and
only present in our ubuntu 26.04 template afaict, I decided against
adding it on every container start.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
sending as RFC, as I was a bit surprised that this is not reproducible
with the same profile inside a VM - so I'm not sure I'm not missing
something obvious here.

 src/PVE/LXC/Setup/Base.pm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index f679558..2e782ca 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -600,6 +600,21 @@ sub clear_machine_id {
     }
 }
 
+sub set_apparmor_console_abstraction {
+    my ($self, $conf) = @_;
+
+    my $aa_console_path = "/etc/apparmor.d/abstractions/consoles";
+    my $aa_console_override = "/etc/apparmor.d/abstractions/consoles.d/pve-console-paths";
+
+    if ($self->ct_file_exists($aa_console_path)) {
+        my $contents = << "DATA";
+# PVE default console path is /dev/ttyX
+/dev/tty[0-9]  rw,
+DATA
+        $self->ct_file_set_contents($aa_console_override, "$contents\n");
+    }
+}
+
 # tries to guess the systemd (major) version based on the
 # libsystemd-shared<version>.so linked with /sbin/init
 sub get_systemd_version {
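Review bot: the guard at `if ($self->ct_file_exists($aa_console_path))` only checks that the `consoles` abstraction file exists, not that `/etc/apparmor.d/abstractions/consoles.d/` exists or that the abstraction actually pulls the directory in; `ct_file_set_contents` will presumably die when the directory is missing, and on an apparmor release whose `consoles` abstraction has no `include if exists <abstractions/consoles.d>` line the override is written but silently ignored. Consider creating the directory first (with whatever ct_* mkdir helper the setup plugins provide) and gating on a grep for the `consoles.d` include in `$aa_console_path`. Two smaller points: the heredoc already ends in a newline, so `"$contents\n"` adds a trailing blank line (`$contents` alone suffices), and `$conf` is unused. Finally, a comment next to `/dev/tty[0-9]  rw,` should say that `consoles` is included by every profile that uses the abstraction, so the `rw` grant applies to all of them inside the container rather than only to `dig`, and that `[0-9]` matches a single digit, i.e. `/dev/tty10` and above would still be denied if a container were ever given that many consoles.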
@@ -718,6 +733,7 @@ sub post_create_hook {
     $self->clear_machine_id($conf);
     $self->snakeoil_fixup($conf);
     $self->template_fixup($conf);
+    $self->set_apparmor_console_abstraction($conf);
 
     &$randomize_crontab($self, $conf);
 
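Review bot: calling `set_apparmor_console_abstraction` only from `post_create_hook` means containers created before this change, or whose template gains the `dig` profile through a later upgrade, never receive the override; the commit message states that trade-off, but it deserves a comment next to the call so the next reader does not look for a start-time hook, and it is worth noting that the written file is a one-shot default the container can delete or edit. If the denial does turn up on existing containers, making the function idempotent (skip when the override already exists) would let it be wired into a start or upgrade path later without re-deciding the policy here.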
-- 
2.47.3
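Triaging denials like the one quoted above is usually the first step before touching an abstraction, so here is an added example (not part of this patch or the pve-container code base) of a small Python helper that parses AppArmor audit records into fields and aggregates DENIED records per namespace, profile, operation, path and mask. The log lines are constructed: the first reproduces the denial from the report above reflowed onto one line, the other two are invented to show grouping and that ALLOWED records are skipped. The function names (`parse_apparmor_line`, `summarize_denials`, `to_rule`) are my own.

```python
import re
from collections import Counter

# key=value tokens; values are either double-quoted (may contain spaces,
# '<' or '>') or bare. Group layout: key, raw value, quoted content, bare.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_TS_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Constructed sample log. Line 1 is the denial quoted in the report above
# (reflowed onto one line); lines 2 and 3 are invented, to show grouping
# and that ALLOWED records are ignored by the summary.
SAMPLE_LOG = (
    'audit: type=1400 audit(1782146105.307:2279): apparmor="DENIED" '
    'operation="file_inherit" class="file" '
    'namespace="root//lxc-138_<-var-lib-lxc>" profile="dig" '
    'name="/dev/tty1" pid=822103 comm="dig" requested_mask="wr" '
    'denied_mask="wr" fsuid=100000 ouid=100000\n'
    'audit: type=1400 audit(1782146106.011:2280): apparmor="DENIED" '
    'operation="file_inherit" class="file" '
    'namespace="root//lxc-138_<-var-lib-lxc>" profile="dig" '
    'name="/dev/tty1" pid=822110 comm="dig" requested_mask="wr" '
    'denied_mask="wr" fsuid=100000 ouid=100000\n'
    'audit: type=1400 audit(1782146107.120:2281): apparmor="ALLOWED" '
    'operation="open" class="file" profile="dig" name="/etc/resolv.conf" '
    'pid=822111 comm="dig" requested_mask="r" denied_mask="r" '
    'fsuid=100000 ouid=0\n'
)


def parse_apparmor_line(line):
    """Split one AppArmor audit record into a dict of its key=value fields.

    Returns None for lines that are not AppArmor records. The audit
    timestamp is stored under '_timestamp' (float) and the serial under
    '_serial' (int); all other values are kept as strings.
    """
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else bare
    m = _TS_RE.search(line)
    if m:
        fields['_timestamp'] = float(m.group(1))
        fields['_serial'] = int(m.group(2))
    return fields


def summarize_denials(log_text):
    """Count DENIED records per (namespace, profile, operation, name, mask).

    Grouping by namespace matters on a PVE host: the same profile name
    ('dig') can be loaded in many container namespaces, and a denial in
    one container should not be conflated with the host's own profile.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if not rec or rec.get('apparmor') != 'DENIED':
            continue
        key = (rec.get('namespace', 'root'), rec.get('profile', '?'),
               rec.get('operation', '?'), rec.get('name', '?'),
               rec.get('denied_mask', '?'))
        counts[key] += 1
    return counts


def to_rule(name, denied_mask):
    """Spell the denied path and mask as an AppArmor file rule fragment,
    e.g. ('/dev/tty1', 'wr') -> '/dev/tty1 rw,'. Read is listed before
    write, the conventional order in profiles. Whether such a rule belongs
    in a profile, in an abstraction, or nowhere is a review decision, not
    something to derive automatically from the log."""
    order = 'rwmklx'   # ordering for the permission letters we expect
    perms = ''.join(sorted(set(denied_mask),
                           key=lambda c: (order.find(c) if c in order
                                          else len(order), c)))
    return f'{name} {perms},'


if __name__ == '__main__':
    for key, n in summarize_denials(SAMPLE_LOG).items():
        ns, profile, op, name, mask = key
        print(f'{n}x {ns} {profile} {op} {to_rule(name, mask)}')
```

Run on a real host, the input would be `journalctl -k` or `/var/log/audit/audit.log` output piped in; the namespace column is what distinguishes a denial coming from inside a container (as in the report, `root//lxc-138_<-var-lib-lxc>`) from one on the host.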
