From: Stoiko Ivanov
To: pve-devel@lists.proxmox.com
Subject: [RFC container] setup: include /dev/tty[0-9] in apparmor console abstraction
Date: Mon, 22 Jun 2026 18:43:56 +0200
Message-ID: <20260622164522.836988-1-s.ivanov@proxmox.com>
X-Mailer: git-send-email 2.47.3
List-Id: Proxmox VE development discussion

/etc/apparmor.d/abstractions/consoles has a rather limited set of paths which are considered consoles, to allow programs to use them. /dev/tty is included, while /dev/tty1 is not.
Adding this fixes an issue reported in our community forum:
https://forum.proxmox.com/threads/184461/
with `dig` not working - the apparmor profile for `dig` was added to apparmor on 2025-02-07 (and got a few fixes in the meantime):
https://gitlab.com/apparmor/apparmor/-/merge_requests/1525

I could not reproduce the issue on a VM with our kernel and the profile from Ubuntu added, so I assume that the issue is specific to running this in an lxc environment (and that lxd and Ubuntu use different paths for the console) - the denied operation based on the audit log is file_inherit:

```
audit: type=1400 audit(1782146105.307:2279): apparmor="DENIED" \
operation="file_inherit" class="file" \
namespace="root//lxc-138_<-var-lib-lxc>" profile="dig" \
name="/dev/tty1" pid=822103 comm="dig" requested_mask="wr" \
denied_mask="wr" fsuid=100000 ouid=100000
```

Adding the additional paths on post_create should cover container templates from other sources as well (compared to adding it explicitly in our template). As the dig profile is a rather recent addition and only present in our ubuntu 26.04 template afaict, I decided against adding it on every container start.

Signed-off-by: Stoiko Ivanov
---
Sending as RFC, as I was a bit surprised that this is not reproducible with the same profile inside a VM - so I'm not sure I'm not missing something obvious here.

 src/PVE/LXC/Setup/Base.pm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index f679558..2e782ca 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -600,6 +600,21 @@ sub clear_machine_id { } } +sub set_apparmor_console_abstraction { + my ($self, $conf) = @_; + + my $aa_console_path = "/etc/apparmor.d/abstractions/consoles"; + my $aa_console_override = "/etc/apparmor.d/abstractions/consoles.d/pve-console-paths"; + + if ($self->ct_file_exists($aa_console_path)) { + my $contents = << "DATA"; +# PVE default console path is /dev/ttyX +/dev/tty[0-9] rw, +DATA + $self->ct_file_set_contents($aa_console_override, "$contents\n"); + } +} + # tries to guess the systemd (major) version based on the # libsystemd-shared.so linked with /sbin/init sub get_systemd_version { @@ -718,6 +733,7 @@ sub post_create_hook { $self->clear_machine_id($conf); $self->snakeoil_fixup($conf); $self->template_fixup($conf); + $self->set_apparmor_console_abstraction($conf); &$randomize_crontab($self, $conf); -- 2.47.3
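Review bot: in set_apparmor_console_abstraction the only precondition checked is that $aa_console_path (/etc/apparmor.d/abstractions/consoles) exists, but the drop-in is written to abstractions/consoles.d/pve-console-paths, and nothing verifies that the template's consoles abstraction actually includes the consoles.d directory, nor that consoles.d exists before ct_file_set_contents writes into it; on a template whose abstraction lacks that include the file is created and silently never loaded, which would look exactly like the "profile added but still denied" situation this patch is chasing. Suggest grepping $aa_console_path for `consoles.d` (or stating in the function that only abstractions with the drop-in include are supported) and making sure the directory is created. Also, `/dev/tty[0-9] rw,` matches only /dev/tty0 through /dev/tty9; if that bound is intentional, say so in the comment above the rule.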
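Review bot: because $self->set_apparmor_console_abstraction($conf) is added only to post_create_hook, containers that already exist, and containers whose apparmor package gains the dig profile after creation, never receive the drop-in; the commit message explains why it is not run on every start, but it should also state that existing containers are unaffected and how an admin applies the rule by hand (the drop-in path and the `/dev/tty[0-9] rw,` line), since that is what the forum reporters need.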
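The commit message above quotes the denial and the patch writes a fixed rule into a consoles.d drop-in. The shell script below is an added example, not Proxmox code and not part of this patch: it extracts the path and denied mask from an audit line of the shape quoted above, turns it into an AppArmor file rule, and installs that rule as a consoles.d drop-in under a container rootfs only after checking that the template's consoles abstraction exists and includes its drop-in directory. The sample audit line is constructed for the example (it follows the line in the report), and the function names, the rootfs argument and the `include if exists <abstractions/consoles.d>` check are assumptions made here, not something the patch or the report states.

```shell
#!/bin/sh
# Added example (not Proxmox code). Derive a consoles.d drop-in rule from an
# AppArmor DENIED audit line and install it under a container rootfs, with the
# preconditions checked first.

# Constructed sample, shaped like the audit line quoted in the report above.
SAMPLE='audit: type=1400 audit(1782146105.307:2279): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxc-138_<-var-lib-lxc>" profile="dig" name="/dev/tty1" pid=822103 comm="dig" requested_mask="wr" denied_mask="wr" fsuid=100000 ouid=100000'

# aa_field LINE KEY: print the value of KEY="value" from an audit line.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\([^\"]*\)\".*/\1/p"
}

# aa_denied_to_rule LINE: print an AppArmor file rule ("/path perms,") for a
# DENIED file event. Exec denials (mask containing x) need an explicit exec
# mode chosen by a human, so they are refused rather than guessed.
aa_denied_to_rule() {
    line=$1
    [ "$(aa_field "$line" apparmor)" = "DENIED" ] || return 1
    [ "$(aa_field "$line" class)" = "file" ] || return 1
    name=$(aa_field "$line" name)
    mask=$(aa_field "$line" denied_mask)
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    case "$mask" in *x*) return 1 ;; esac
    perms=''
    for p in r w k l m; do          # canonical order, so "wr" becomes "rw"
        case "$mask" in *"$p"*) perms="$perms$p" ;; esac
    done
    printf '%s %s,\n' "$name" "$perms"
}

# aa_abstraction_has_dropin FILE NAME: succeed if abstraction FILE includes its
# NAME.d directory. Assumed form: include if exists <abstractions/NAME.d>
aa_abstraction_has_dropin() {
    grep -Eq "^[[:space:]]*include[[:space:]]+if[[:space:]]+exists[[:space:]]+<abstractions/$2\.d>[[:space:]]*$" "$1"
}

# install_console_dropin ROOTFS LINE: write the rule derived from LINE to
# ROOTFS/etc/apparmor.d/abstractions/consoles.d/pve-console-paths, but only if
# the consoles abstraction exists in ROOTFS and actually loads consoles.d.
install_console_dropin() {
    root=$1
    line=$2
    abstraction="$root/etc/apparmor.d/abstractions/consoles"
    dropin="$root/etc/apparmor.d/abstractions/consoles.d/pve-console-paths"
    [ -f "$abstraction" ] || return 1
    aa_abstraction_has_dropin "$abstraction" consoles || return 1
    rule=$(aa_denied_to_rule "$line") || return 1
    mkdir -p "${dropin%/*}"
    printf '%s\n' "$rule" > "$dropin"
}

# Usage: sh this.sh ROOTFS < audit-lines   (e.g. the DENIED lines from the
# host's `journalctl -k`); profiles inside the container must be reloaded afterwards.
if [ $# -ge 1 ]; then
    while IFS= read -r l; do
        install_console_dropin "$1" "$l" && echo "installed: $(aa_denied_to_rule "$l")"
    done
fi
```

The two preconditions are the point: the abstraction file existing is not enough, since a drop-in in consoles.d only takes effect when the abstraction includes that directory, and writing the rule without the include produces no error and no change in behaviour.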