Re: [pve-devel] [PATCH container] fix #5160: fix move_mount regression for mount point hotplug

[Filip Schauer <f.schauer@proxmox.com>]

On 25/03/2024 11:29, Fiona Ebner wrote:
> Am 08.01.24 um 14:54 schrieb Filip Schauer:
>> Set up an Apparmor profile to allow moving mounts for mount point
>> hotplug.
>>
>> This fixes a regression caused by
>> kernel commit 157a3537d6 ("apparmor: Fix regression in mount mediation")
>>
>> The commit introduced move_mount mediation, which now requires
>> move_mount to be allowed in the Apparmor profile. Although it is allowed
>> for most paths in the /usr/bin/lxc-start profile, move_mount is called
>> with a file descriptor instead of a path in mountpoint_insert_staged,
>> thus it is not affected by the allow rules in
>> /etc/apparmor.d/abstractions/lxc/container-base.
>>
> Would it be difficult/impossible for us to do it path-based instead?


A path-based approach would not work as things are right now, since we
use the file descriptor to issue a move_mount from within the
container's namespace, where we cannot access the staging directory with
a path.

>> To fix this, introduce a new Apparmor profile to allow move_mount on
>> every mount, specifically for mount point hotplug.
>>
>> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
> Tested-by: Fiona Ebner <f.ebner@proxmox.com>
>
> Fixes the issue and makes hotplug work again :)
>
> However, I did run into one minor thing (number 1 below), but not sure
> if it can be improved. Except the part about the undef warning which is
> pre-existing. Another pre-existing issue I ran into is number 2 below,
> should also be investigated, but is not caused by this patch.
>
> 1.
>
> For an already running container, I got
>
>> mp0: unable to hotplug mp0: failed to change apparmor profile:
> after installing the patched pve-container package and attempting to
> hotplug. Maybe that's expected and no big deal, because hotplug already
> didn't work.
>
> Checking in the journal, it's:
>
>> AVC apparmor="DENIED" operation="change_profile" class="file" info="label not found" error=-2 profile="unconfined" name="pve-container-mounthotplug" pid=99919 comm=7076656461656D6F6E20776F726B65


This happens because the new apparmor profile
"pve-container-mounthotplug" is not loaded correctly in postinst.
This is fixed in v2.


>> Use of uninitialized value in numeric ne (!=) at /usr/share/perl5/PVE/LXC.pm line 1978.
> The latter warning seems to be pre-existing for the syswrite comparison
> below:
>
>> @@ -1974,7 +1974,7 @@ sub mountpoint_hotplug :prototype($$$$$) {
>>   	my $dir = get_staging_mount_path($opt);
>>   
>>   	# Now switch our apparmor profile before mounting:
>> -	my $data = 'changeprofile /usr/bin/lxc-start';
>> +	my $data = 'changeprofile pve-container-mounthotplug';
>>   	if (syswrite($aa_fd, $data, length($data)) != length($data)) {
>>   	    die "failed to change apparmor profile: $!\n";
>>   	}
>
> But then $! should be set according to 'perldoc -f syswrite' which it
> wasn't telling from my quoted error message above  ¯\_(ツ)_/¯
>
>> Returns the number of bytes actually
>>              written, or "undef" if there was an error (in this case the
>>              errno variable $! is also set)


A fix for the warning is in the v2.


> 2.
>
> After shutdown+start, the hotplug worked as expected. Played around a
> bit more and something strange happened with LVM as the storage: While
> it worked the first time, when I shut down the container, detached the
> mount point, started again and then tried to hot-plug, I got:
> mp1: unable to hotplug mp1: command 'mount /dev/lvm/vm-129-disk-1
> /var/lib/lxc/.pve-staged-mounts/mp1' failed: exit code 32
>
> Doesn't seem to happen with ZFS or directory storage and starting with
> the mount point pre-attached also worked fine with previously written
> files still there.
>
> Also booted into 6.2.16-20-pve, installed unpatched pve-container and it
> seems the issue was already present then.