GNU logs - #71226, boring messages


Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Resent-From: Ludovic Courtès <ludovic.courtes@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Mon, 27 May 2024 14:56:01 +0000
Resent-Message-ID: <handler.71226.B.17168217414292 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 71226
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 71226 <at> debbugs.gnu.org
X-Debbugs-Original-To: bug-guix@HIDDEN
Received: via spool by submit <at> debbugs.gnu.org id=B.17168217414292
          (code B ref -1); Mon, 27 May 2024 14:56:01 +0000
Received: (at submit) by debbugs.gnu.org; 27 May 2024 14:55:41 +0000
Received: from localhost ([127.0.0.1]:45036 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sBbl2-00016x-MT
	for submit <at> debbugs.gnu.org; Mon, 27 May 2024 10:55:41 -0400
Received: from lists.gnu.org ([209.51.188.17]:36152)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludovic.courtes@HIDDEN>) id 1sBbl0-00016p-H2
 for submit <at> debbugs.gnu.org; Mon, 27 May 2024 10:55:27 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludovic.courtes@HIDDEN>)
 id 1sBbkp-0006En-JU
 for bug-guix@HIDDEN; Mon, 27 May 2024 10:55:15 -0400
Received: from mail3-relais-sop.national.inria.fr ([192.134.164.104])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludovic.courtes@HIDDEN>)
 id 1sBbkm-0004e6-Mh
 for bug-guix@HIDDEN; Mon, 27 May 2024 10:55:15 -0400
Authentication-Results: mail3-relais-sop.national.inria.fr;
 dkim=none (message not signed) header.i=none;
 spf=SoftFail smtp.mailfrom=ludovic.courtes@HIDDEN;
 dmarc=fail (p=none dis=none) d=inria.fr
X-IronPort-AV: E=Sophos;i="6.08,192,1712613600"; d="scan'208";a="88081985"
Received: from unknown (HELO ribbon) ([193.50.110.77])
 by mail3-relais-sop.national.inria.fr with
 ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 May 2024 16:55:08 +0200
From: Ludovic Courtès <ludovic.courtes@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: Nonidi 9 Prairial an 232 de la Révolution, jour du Serpolet
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Mon, 27 May 2024 16:55:07 +0200
Message-ID: <87wmnfxq2c.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=192.134.164.104;
 envelope-from=ludovic.courtes@HIDDEN;
 helo=mail3-relais-sop.national.inria.fr
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

On Ubuntu 24.04, ‘guix shell -C’ has its child process (in a separate
mount namespace) fail to mount a tmpfs:

--8<---------------cut here---------------start------------->8---
294642 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 294653
294642 close(15)                        = 0
294642 getuid()                         = 1000
294642 getgid()                         = 1000
294653 close(16)                        = 0
294642 openat(AT_FDCWD, "/proc/294653/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666 <unfinished ...>
294653 read(15,  <unfinished ...>
294642 <... openat resumed>)            = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "deny", 4)              = 4
294642 close(6)                         = 0
294642 openat(AT_FDCWD, "/proc/294653/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "1000 1000 1", 11)      = 11
294642 close(6)                         = 0
294642 openat(AT_FDCWD, "/proc/294653/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR)            = 0
294642 write(6, "1000 1000 1", 11)      = 11
294642 close(6)                         = 0
294642 write(16, "ready", 5)            = 5
294653 <... read resumed>"r", 1)        = 1
294642 write(16, "\n", 1)               = 1
294653 read(15, "e", 1)                 = 1
294642 read(16,  <unfinished ...>
294653 read(15, "a", 1)                 = 1
294653 read(15, "d", 1)                 = 1
294653 read(15, "y", 1)                 = 1
294653 read(15, "\n", 1)                = 1
294653 mount("none", "/tmp/guix-directory.3DaoGp", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
294653 write(15, "(", 1)                = 1
294642 <... read resumed>"(", 1)        = 1
294653 write(15, "system-error", 12 <unfinished ...>
--8<---------------cut here---------------end--------------->8---

(It used to work on Ubuntu 22.)

Ludo’.




Message sent:


Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Ludovic Courtès <ludovic.courtes@HIDDEN>
Subject: bug#71226: Acknowledgement (‘guix shell -C’ doesn’t work on Ubuntu 24.04)
Message-ID: <handler.71226.B.17168217414292.ack <at> debbugs.gnu.org>
References: <87wmnfxq2c.fsf@HIDDEN>
X-Gnu-PR-Message: ack 71226
X-Gnu-PR-Package: guix
Reply-To: 71226 <at> debbugs.gnu.org
Date: Mon, 27 May 2024 14:56:01 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please
send it to 71226 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
71226: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71226
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#71226: Upstream ubuntu issue
References: <87wmnfxq2c.fsf@HIDDEN>
In-Reply-To: <87wmnfxq2c.fsf@HIDDEN>
Resent-From: "W. J. van der Laan" <laanwj@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Thu, 30 May 2024 15:14:03 +0000
Resent-Message-ID: <handler.71226.B71226.17170820359405 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 71226
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: "71226 <at> debbugs.gnu.org" <71226 <at> debbugs.gnu.org>
Received: via spool by 71226-submit <at> debbugs.gnu.org id=B71226.17170820359405
          (code B ref 71226); Thu, 30 May 2024 15:14:03 +0000
Received: (at 71226) by debbugs.gnu.org; 30 May 2024 15:13:55 +0000
Received: from localhost ([127.0.0.1]:41768 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sChTW-0002RT-J4
	for submit <at> debbugs.gnu.org; Thu, 30 May 2024 11:13:55 -0400
Received: from mail-40131.protonmail.ch ([185.70.40.131]:57859)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <laanwj@HIDDEN>) id 1sCgFV-0004Z6-Id
 for 71226 <at> debbugs.gnu.org; Thu, 30 May 2024 09:55:22 -0400
Date: Thu, 30 May 2024 13:55:00 +0000
From: "W. J. van der Laan" <laanwj@HIDDEN>
Message-ID: <Sn74_O3hyBRgaAuRNzsGChHaX3U04QePJdd1g6twu5UsuZAoNS0Tw4wMfssJRaOwN-vHAw84cccW2TqRA8Fdx0eMCfIxWq0Xh8GwQLiN6SA=@protonmail.com>
Feedback-ID: 591568:user:proton
X-Pm-Message-ID: 61ebfcf104e22f77a307c295207181e4c3e9094a
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Mailman-Approved-At: Thu, 30 May 2024 11:13:53 -0400
X-Spam-Score: -1.0 (-)

Upstream Ubuntu issue (includes possible workaround): https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115




Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
References: <87wmnfxq2c.fsf@HIDDEN>
In-Reply-To: <87wmnfxq2c.fsf@HIDDEN>
Resent-From: Ricardo Wurmus <rekado@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Thu, 04 Jul 2024 13:06:01 +0000
Resent-Message-ID: <handler.71226.B71226.17200983401817 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 71226
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 71226 <at> debbugs.gnu.org
Cc: ludo@HIDDEN
Received: via spool by 71226-submit <at> debbugs.gnu.org id=B71226.17200983401817
          (code B ref 71226); Thu, 04 Jul 2024 13:06:01 +0000
Received: (at 71226) by debbugs.gnu.org; 4 Jul 2024 13:05:40 +0000
Received: from localhost ([127.0.0.1]:41775 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sPM9c-0000TF-2f
	for submit <at> debbugs.gnu.org; Thu, 04 Jul 2024 09:05:40 -0400
Received: from sender4-of-o51.zoho.com ([136.143.188.51]:21162)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rekado@HIDDEN>) id 1sPM9Z-0000T5-VP
 for 71226 <at> debbugs.gnu.org; Thu, 04 Jul 2024 09:05:38 -0400
ARC-Authentication-Results: i=1; mx.zohomail.com;
 dkim=pass  header.i=elephly.net;
 spf=pass  smtp.mailfrom=rekado@HIDDEN;
 dmarc=pass header.from=<rekado@HIDDEN>
Received: by mx.zohomail.com with SMTPS id 1720098321702143.2912667156312;
 Thu, 4 Jul 2024 06:05:21 -0700 (PDT)
From: Ricardo Wurmus <rekado@HIDDEN>
Date: Thu, 04 Jul 2024 15:05:17 +0200
Message-ID: <87plrttiia.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-ZohoMailClient: External
X-Spam-Score: 0.0 (/)
X-Spam-Score: -1.0 (-)

On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:

--8<---------------cut here---------------start------------->8---
abi <abi/3.0>,

include <tunables/global>

/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,

  pivot_root,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,

}
--8<---------------cut here---------------end--------------->8---

I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container".  "guix shell -C hello" and "guix
shell -CN hello" worked fine.

To refine this policy I used the following process:

1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often
replacing temporary directory names with glob patterns)
4. repeat

We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.

I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.

-- 
Ricardo
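
Step 3 of the refinement loop in the message above, as an added example (not part of the thread and not Guix code): it reads AppArmor denial records in the kernel audit format, as they appear in dmesg or the audit log, and produces candidate mount rules with the random /tmp/guix-directory.XXXXXX name replaced by a glob. The sample records are constructed, and the function names and the second profile name are hypothetical; the rules are candidates to review before they go into the profile.

```python
"""Turn AppArmor mount denials into candidate profile rules (added example)."""
import re

# Constructed sample records in the kernel audit format used for AppArmor
# denials; timestamps, PIDs and "example-other-profile" are made up.
SAMPLE_LOG = '''\
audit: type=1400 audit(1716821741.101:210): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="/gnu/store/*-guix-*/bin/guix" name="/tmp/guix-directory.3DaoGp/" pid=294653 comm="guix" fstype="tmpfs" srcname="none"
audit: type=1400 audit(1716821802.554:214): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="/gnu/store/*-guix-*/bin/guix" name="/tmp/guix-directory.Qx81Lz/" pid=294811 comm="guix" fstype="tmpfs" srcname="none"
audit: type=1400 audit(1716821802.560:215): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="/gnu/store/*-guix-*/bin/guix" name="/tmp/guix-directory.Qx81Lz/gnu/store/" pid=294811 comm="guix" srcname="/gnu/store/" flags="rw, rbind"
audit: type=1400 audit(1716821900.001:220): apparmor="DENIED" operation="open" class="file" profile="example-other-profile" name="/etc/hosts" pid=300 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1716821901.001:221): apparmor="ALLOWED" operation="mount" profile="/gnu/store/*-guix-*/bin/guix" name="/tmp/guix-directory.Qx81Lz/proc/" pid=294811 comm="guix" fstype="proc" srcname="none"
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The per-invocation container root created by "guix shell -C".
TMP_ROOT = re.compile(r'^/tmp/guix-directory\.[^/]+')


def parse_record(line):
    """Return the key/value fields of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def generalize(path):
    """Replace the random container directory name with a glob pattern."""
    return TMP_ROOT.sub('/tmp/guix-directory.*', path)


def mount_rule(fields):
    """Build an AppArmor mount rule from the fields of a denied mount."""
    parts = ['mount']
    if fields.get('fstype'):
        parts.append('fstype=(%s)' % fields['fstype'])
    if fields.get('flags'):
        parts.append('options=(%s)' % fields['flags'])
    if fields.get('srcname'):
        parts.append(generalize(fields['srcname']))
    parts.append('-> %s,' % generalize(fields['name']))
    return ' '.join(parts)


def denials_by_profile(log_text):
    """Count DENIED records per confining profile.

    Shows whether the denials come from the profile that was just loaded
    or from a different one.
    """
    counts = {}
    for line in log_text.splitlines():
        fields = parse_record(line)
        if fields.get('apparmor') == 'DENIED':
            name = fields.get('profile', '?')
            counts[name] = counts.get(name, 0) + 1
    return counts


def candidate_rules(log_text, profile=None):
    """Map profile name -> deduplicated mount rules, in first-seen order.

    Only DENIED mount operations are considered; ALLOWED (complain-mode)
    records and non-mount denials are skipped.
    """
    result = {}
    for line in log_text.splitlines():
        fields = parse_record(line)
        if fields.get('apparmor') != 'DENIED':
            continue
        if fields.get('operation') != 'mount' or 'name' not in fields:
            continue
        if profile is not None and fields.get('profile') != profile:
            continue
        rules = result.setdefault(fields.get('profile', '?'), [])
        rule = mount_rule(fields)
        if rule not in rules:
            rules.append(rule)
    return result


if __name__ == '__main__':
    for name, count in denials_by_profile(SAMPLE_LOG).items():
        print('%d denial(s) under profile %s' % (count, name))
    for name, rules in candidate_rules(SAMPLE_LOG).items():
        print('# candidate rules for %s' % name)
        for rule in rules:
            print('  ' + rule)
```
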




Message received at control <at> debbugs.gnu.org:


Received: (at control) by debbugs.gnu.org; 15 Oct 2024 12:03:36 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 15 08:03:36 2024
Received: from localhost ([127.0.0.1]:54345 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1t0gH2-0007DA-Gh
	for submit <at> debbugs.gnu.org; Tue, 15 Oct 2024 08:03:36 -0400
Received: from mail2-relais-roc.national.inria.fr ([192.134.164.83]:3541)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1t0gH0-0007Cu-QX
 for control <at> debbugs.gnu.org; Tue, 15 Oct 2024 08:03:35 -0400
Authentication-Results: mail2-relais-roc.national.inria.fr;
 dkim=none (message not signed) header.i=none;
 spf=SoftFail smtp.mailfrom=ludo@HIDDEN;
 dmarc=fail (p=none dis=none) d=gnu.org
X-IronPort-AV: E=Sophos;i="6.11,205,1725314400"; d="scan'208";a="188927004"
Received: from 91-160-117-201.subs.proxad.net (HELO ribbon) ([91.160.117.201])
 by mail2-relais-roc.national.inria.fr with
 ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Oct 2024 14:03:10 +0200
Date: Tue, 15 Oct 2024 14:03:10 +0200
Message-Id: <87wmi9zi81.fsf@HIDDEN>
To: control <at> debbugs.gnu.org
From: Ludovic Courtès <ludo@HIDDEN>
Subject: control message for bug #71226
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: control
X-Spam-Score: -2.3 (--)

severity 71226 important
quit





Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Resent-From: Ludovic Courtès <ludovic.courtes@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Tue, 15 Oct 2024 12:09:02 +0000
Resent-Message-ID: <handler.71226.B71226.172899409828558 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 71226
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Ricardo Wurmus <rekado@HIDDEN>
Cc: 71226 <at> debbugs.gnu.org
Received: via spool by 71226-submit <at> debbugs.gnu.org id=B71226.172899409828558
          (code B ref 71226); Tue, 15 Oct 2024 12:09:02 +0000
Received: (at 71226) by debbugs.gnu.org; 15 Oct 2024 12:08:18 +0000
Received: from localhost ([127.0.0.1]:54356 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1t0gLZ-0007QX-Hb
	for submit <at> debbugs.gnu.org; Tue, 15 Oct 2024 08:08:17 -0400
Received: from mail2-relais-roc.national.inria.fr ([192.134.164.83]:3965)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludovic.courtes@HIDDEN>) id 1t0gLW-0007QH-TH
 for 71226 <at> debbugs.gnu.org; Tue, 15 Oct 2024 08:08:15 -0400
Authentication-Results: mail2-relais-roc.national.inria.fr;
 dkim=none (message not signed) header.i=none;
 spf=SoftFail smtp.mailfrom=ludovic.courtes@HIDDEN;
 dmarc=fail (p=none dis=none) d=inria.fr
X-IronPort-AV: E=Sophos;i="6.11,205,1725314400"; d="scan'208";a="188928221"
Received: from 91-160-117-201.subs.proxad.net (HELO ribbon) ([91.160.117.201])
 by mail2-relais-roc.national.inria.fr with
 ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Oct 2024 14:07:51 +0200
From: Ludovic Courtès <ludovic.courtes@HIDDEN>
In-Reply-To: <87plrttiia.fsf@HIDDEN> (Ricardo Wurmus's message of "Thu,
 04 Jul 2024 15:05:17 +0200")
References: <87wmnfxq2c.fsf@HIDDEN> <87plrttiia.fsf@HIDDEN>
Date: Tue, 15 Oct 2024 14:07:50 +0200
Message-ID: <87sesxzi09.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Spam-Score: -3.3 (---)

Hi Ricardo and all,

Ricardo Wurmus <rekado@HIDDEN> skribis:

> On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
> following contents:

[...]

> I then loaded the profile with "sudo apparmor_parser -qr
> /etc/apparmor.d/guix-shell-container".  "guix shell -C hello" and "guix
> shell -CN hello" worked fine.

This issue is informally reported quite frequently these days.

Can someone on Ubuntu having this problem confirm that it works for
them?

And then, bonus points if you can create a patch against Guix that (1)
adds the file above under etc/ in the source tree, and (2) changes
‘etc/guix-install.sh’ to perform the above setup step on Apparmor
distros, similar to how SELinux is handled.

That’d be a much appreciated contribution!

Thanks,
Ludo’.




Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
References: <87wmnfxq2c.fsf@HIDDEN>
In-Reply-To: <87wmnfxq2c.fsf@HIDDEN>
Resent-From: Marek Felšöci <marek.felsoci@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Fri, 20 Dec 2024 04:47:03 +0000
Resent-Message-ID: <handler.71226.B71226.17346699713214 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 71226
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 71226 <at> debbugs.gnu.org
Received: via spool by 71226-submit <at> debbugs.gnu.org id=B71226.17346699713214
          (code B ref 71226); Fri, 20 Dec 2024 04:47:03 +0000
Received: (at 71226) by debbugs.gnu.org; 20 Dec 2024 04:46:11 +0000
Received: from localhost ([127.0.0.1]:41213 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1tOUtu-0000pj-C2
	for submit <at> debbugs.gnu.org; Thu, 19 Dec 2024 23:46:10 -0500
Received: from osiris.lip6.fr ([132.227.60.30]:53209)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <marek.felsoci@HIDDEN>) id 1tOJN1-00008Z-CA
 for 71226 <at> debbugs.gnu.org; Thu, 19 Dec 2024 11:27:28 -0500
Received: from poleia.lip6.fr (poleia.lip6.fr [132.227.201.8])
 by osiris.lip6.fr (8.16.1/8.16.1) with ESMTP id 4BJGQuk4002785
 for <71226 <at> debbugs.gnu.org>; Thu, 19 Dec 2024 17:26:56 +0100 (CET)
Received: from [132.227.80.165] (portable9810.wifi.calsci.lip6.fr
 [132.227.80.165])
 by poleia.lip6.fr (Postfix) with ESMTPSA id 1B40D32AE51
 for <71226 <at> debbugs.gnu.org>; Thu, 19 Dec 2024 17:26:56 +0100 (CET)
From: Marek Felšöci <marek.felsoci@HIDDEN>
Message-ID: <0cf84df5-5771-aa9f-2a3e-e8bef6ad7b0f@HIDDEN>
Date: Thu, 19 Dec 2024 17:26:54 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Firefox/91.0 SeaMonkey/2.53.19
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.4
 (osiris.lip6.fr [132.227.60.30]); Thu, 19 Dec 2024 17:26:56 +0100 (CET)
X-Scanned-By: MIMEDefang 3.4.1 on 132.227.60.30
X-Spam-Score: -2.3 (--)
X-Mailman-Approved-At: Thu, 19 Dec 2024 23:46:08 -0500
X-Spam-Score: -3.3 (---)

Hello to all,

I confirm the issue on my Ubuntu 24.04 installation with Guix coming from apt 
repositories.

I followed the steps from Ricardo's reply, but the problem persists with the 
same error:

```
guix shell: chyba: mount: mount "none" on "/tmp/guix-directory.DFemEr": Prístup odmietnutý
```

Note that in the above message 'Prístup odmietnutý' means 'Access denied'.

Have there been any new developments regarding this issue?

PS: My current Guix generation is based on the commit c3290ce of the official 
Guix channel.

Thank you very much!

Best regards,
Marek





Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Resent-From: Ludovic Courtès <ludovic.courtes@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Thu, 09 Jan 2025 14:13:03 +0000
Resent-Message-ID: <handler.71226.B71226.17364319656501 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 71226
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Marek Felšöci <marek.felsoci@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, 71226 <at> debbugs.gnu.org
Received: via spool by 71226-submit <at> debbugs.gnu.org id=B71226.17364319656501
          (code B ref 71226); Thu, 09 Jan 2025 14:13:03 +0000
Received: (at 71226) by debbugs.gnu.org; 9 Jan 2025 14:12:45 +0000
Received: from localhost ([127.0.0.1]:51237 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1tVtH9-0001gl-Tq
	for submit <at> debbugs.gnu.org; Thu, 09 Jan 2025 09:12:44 -0500
Received: from mail2-relais-roc.national.inria.fr ([192.134.164.83]:36051)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludovic.courtes@HIDDEN>)
 id 1tVtH5-0001gO-OV
 for 71226 <at> debbugs.gnu.org; Thu, 09 Jan 2025 09:12:41 -0500
Authentication-Results: mail2-relais-roc.national.inria.fr;
 dkim=none (message not signed) header.i=none;
 spf=SoftFail smtp.mailfrom=ludovic.courtes@HIDDEN;
 dmarc=fail (p=none dis=none) d=inria.fr
X-IronPort-AV: E=Sophos;i="6.12,301,1728943200"; d="scan'208";a="202280316"
Received: from 91-160-117-201.subs.proxad.net (HELO ribbon) ([91.160.117.201])
 by mail2-relais-roc.national.inria.fr with
 ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 Jan 2025 15:12:33 +0100
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludovic.courtes@HIDDEN>
In-Reply-To: <0cf84df5-5771-aa9f-2a3e-e8bef6ad7b0f@HIDDEN> ("Marek
 =?UTF-8?Q?Fel=C5=A1=C3=B6ci?="'s
 message of "Thu, 19 Dec 2024 17:26:54 +0100")
References: <87wmnfxq2c.fsf@HIDDEN>
 <0cf84df5-5771-aa9f-2a3e-e8bef6ad7b0f@HIDDEN>
Date: Thu, 09 Jan 2025 15:12:32 +0100
Message-ID: <87h668oz3j.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi Marek!

Marek Felšöci <marek.felsoci@HIDDEN> wrote:

> I confirm the issue on my Ubuntu 24.04 installation with Guix coming
> from apt repositories.
>
> I followed the steps from Ricardo's reply, but the problem
> persists with the same error:
>
> ```
> guix shell: chyba: mount: mount "none" on
> "/tmp/guix-directory.DFemEr": Prístup odmietnutý
> ```
>
> Note that in the above message 'Prístup odmietnutý' means 'Access denied'.
>
> Have there been any new developments regarding this issue?

No!  I guess Ricardo was on the right track but this probably needs more
testing and polishing.

Is there additional info you can get by running “dmesg” or something
like that?

Thanks,
Ludo’.




Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#71226: =?UTF-8?Q?=E2=80=98guix?= shell =?UTF-8?Q?-C=E2=80=99_?= =?UTF-8?Q?doesn=E2=80=99t?= work on Ubuntu 24.04
Resent-From: Marek =?UTF-8?Q?Fel=C5=A1=C3=B6ci?= <marek.felsoci@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Thu, 09 Jan 2025 22:09:01 +0000
Resent-Message-ID: <handler.71226.B71226.1736460515956 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 71226
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludovic.courtes@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, 71226 <at> debbugs.gnu.org
Received: via spool by 71226-submit <at> debbugs.gnu.org id=B71226.1736460515956
          (code B ref 71226); Thu, 09 Jan 2025 22:09:01 +0000
Received: (at 71226) by debbugs.gnu.org; 9 Jan 2025 22:08:35 +0000
Received: from localhost ([127.0.0.1]:54788 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1tW0he-0000FJ-Pd
	for submit <at> debbugs.gnu.org; Thu, 09 Jan 2025 17:08:35 -0500
Received: from osiris.lip6.fr ([2001:660:3302:283c::1e]:61722)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <marek.felsoci@HIDDEN>)
 id 1tW0hc-0000F3-JY
 for 71226 <at> debbugs.gnu.org; Thu, 09 Jan 2025 17:08:33 -0500
Received: from poleia.lip6.fr (poleia.lip6.fr [132.227.201.8])
 by osiris.lip6.fr (8.18.1/8.16.1) with ESMTP id 509M8S5G010157;
 Thu, 9 Jan 2025 23:08:28 +0100 (CET)
Received: from [10.30.216.145] (unknown [193.52.24.28])
 by poleia.lip6.fr (Postfix) with ESMTPSA id 21C9E32AE60;
 Thu,  9 Jan 2025 23:08:28 +0100 (CET)
References: <87wmnfxq2c.fsf@HIDDEN>
 <0cf84df5-5771-aa9f-2a3e-e8bef6ad7b0f@HIDDEN> <87h668oz3j.fsf@HIDDEN>
From: Marek =?UTF-8?Q?Fel=C5=A1=C3=B6ci?= <marek.felsoci@HIDDEN>
Message-ID: <f604780d-bdcf-509c-9f3b-687f8ba0c655@HIDDEN>
Date: Thu, 9 Jan 2025 23:08:24 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Firefox/91.0 SeaMonkey/2.53.19
MIME-Version: 1.0
In-Reply-To: <87h668oz3j.fsf@HIDDEN>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.4
 (osiris.lip6.fr [132.227.60.30]); Thu, 09 Jan 2025 23:08:29 +0100 (CET)
X-Scanned-By: MIMEDefang 3.4.1 on 132.227.60.30
X-Spam-Score: -4.6 (----)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.6 (-----)

Hi Ludovic!

I ran the following Guix command

```
guix shell -C bash -- bash
```
and got these two entries in the `dmesg` log.

```
[46999.292835] audit: type=1400 audit(1736460233.024:325): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=190176 comm="guix" requested="userns_create" target="unprivileged_userns"
[46999.297993] audit: type=1400 audit(1736460233.029:326): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/tmp/guix-directory.BpSImx/" pid=190193 comm="guix" fstype="tmpfs" srcname="none"
```
Is it of any help? Is there something else I should have a look at?

Thanks,
Marek.

Ludovic Courtès wrote on 9. 1. 2025 at 15:12:
> Hi Marek!
>
> Marek Felšöci <marek.felsoci@HIDDEN> wrote:
>
>> I confirm the issue on my Ubuntu 24.04 installation with Guix coming
>> from apt repositories.
>>
>> I followed the steps from Ricardo's reply, but the problem
>> persists with the same error:
>>
>> ```
>> guix shell: chyba: mount: mount "none" on
>> "/tmp/guix-directory.DFemEr": Prístup odmietnutý
>> ```
>>
>> Note that in the above message 'Prístup odmietnutý' means 'Access denied'.
>>
>> Have there been any new developments regarding this issue?
> No!  I guess Ricardo was on the right track but this probably needs more
> testing and polishing.
>
> Is there additional info you can get by running “dmesg” or something
> like that?
>
> Thanks,
> Ludo’.






Message sent to bug-guix@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: bug#71226: =?UTF-8?Q?=E2=80=98guix?= shell =?UTF-8?Q?-C=E2=80=99_?= =?UTF-8?Q?doesn=E2=80=99t?= work on Ubuntu 24.04
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-guix@HIDDEN
Resent-Date: Fri, 10 Jan 2025 16:38:02 +0000
Resent-Message-ID: <handler.71226.B71226.173652706112946 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 71226
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: Marek =?UTF-8?Q?Fel=C5=A1=C3=B6ci?= <marek.felsoci@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, 71226 <at> debbugs.gnu.org
Received: via spool by 71226-submit <at> debbugs.gnu.org id=B71226.173652706112946
          (code B ref 71226); Fri, 10 Jan 2025 16:38:02 +0000
Received: (at 71226) by debbugs.gnu.org; 10 Jan 2025 16:37:41 +0000
Received: from localhost ([127.0.0.1]:58536 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1tWI0z-0003Mk-3S
	for submit <at> debbugs.gnu.org; Fri, 10 Jan 2025 11:37:41 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:42502)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1tWI0x-0003MX-KS
 for 71226 <at> debbugs.gnu.org; Fri, 10 Jan 2025 11:37:40 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1tWI0r-00010Y-8e; Fri, 10 Jan 2025 11:37:33 -0500
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@HIDDEN>
In-Reply-To: <f604780d-bdcf-509c-9f3b-687f8ba0c655@HIDDEN> ("Marek
 =?UTF-8?Q?Fel=C5=A1=C3=B6ci?="'s
 message of "Thu, 9 Jan 2025 23:08:24 +0100")
References: <87wmnfxq2c.fsf@HIDDEN>
 <0cf84df5-5771-aa9f-2a3e-e8bef6ad7b0f@HIDDEN>
 <87h668oz3j.fsf@HIDDEN>
 <f604780d-bdcf-509c-9f3b-687f8ba0c655@HIDDEN>
Date: Fri, 10 Jan 2025 17:37:29 +0100
Message-ID: <87ed1amxpy.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello!

I believe the attached AppArmor profile should work.  You need to:

  1. Drop it in /etc/apparmor.d/guix (it’s actually not specific to
     ‘guix shell -C’ since it matches any ‘guix’ command!).

  2. Run “apparmor_parser -rv /etc/apparmor.d/guix”.

And then you can check “guix build whatever” and “guix shell -C hello”.

Note that AppArmor is stateful: it memorizes previous rules (“profiles”)
and it’s not entirely clear how to remove them, especially when there’s
no profile name.

So perhaps you’ll want to reboot if in doubt.

Anyway, I tested it in an Ubuntu 24.04 VM and everything seemed to work
well.

If you can confirm, we can add it to the repo and have ‘guix-install.sh’
install it.

Ludo’.


--=-=-=
Content-Type: text/plain
Content-Disposition: inline; filename=guix.apparmor

abi <abi/3.0>,

include <tunables/global>

profile guix /gnu/store/{*-guix-command,*/bin/guix} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,

  pivot_root,

  # 'guix substitute' is responsible for deduplicating files that it downloads
  # so it needs to be able to create links in /gnu/store/.links.
  link /gnu/store/.links/** -> /gnu/store/**,

  # Note: This also needs to provide permissions for 'guix substitute',
  # which accesses /etc/guix/acl, /var/guix, /gnu/store/.links, etc.

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,

}

--=-=-=--
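
The following check is an added example, not part of the thread or of Guix: it parses the two audit records Marek posted and tests the denied tmpfs mount against the two option-less tmpfs rules from the attached profile. The glob handling is a simplified model of AppArmor path matching (an assumption), and all function names are hypothetical.

```python
import re
import shlex

# The two audit records quoted in the thread, each rejoined onto one line.
DMESG = '''\
[46999.292835] audit: type=1400 audit(1736460233.024:325): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=190176 comm="guix" requested="userns_create" target="unprivileged_userns"
[46999.297993] audit: type=1400 audit(1736460233.029:326): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/tmp/guix-directory.BpSImx/" pid=190193 comm="guix" fstype="tmpfs" srcname="none"
'''

# Option-less tmpfs rules from the attached profile: (fstype, source, target).
TMPFS_RULES = [
    ("tmpfs", "none", "/tmp/guix-directory.*/**"),
    ("tmpfs", "none", "/tmp/guix-directory.*/"),
]

def parse_audit(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    m = re.search(r'audit\([\d.]+:\d+\): (apparmor=.*)$', line)
    if not m:
        return None
    return dict(tok.split("=", 1) for tok in shlex.split(m.group(1)))

def glob_to_regex(glob):
    """Simplified model: '*' stays inside one path component, '**' crosses
    '/' and must match at least one character (assumption, see lead-in)."""
    tr = {"**": ".+", "*": "[^/]*"}
    parts = re.split(r"(\*\*|\*)", glob)
    return re.compile("".join(tr.get(p, re.escape(p)) for p in parts) + r"\Z")

def covering_rule(rec, rules=TMPFS_RULES):
    """Return the first rule that would allow the mount in `rec`, else None."""
    for fstype, src, target in rules:
        if (rec.get("fstype"), rec.get("srcname")) == (fstype, src) \
                and glob_to_regex(target).match(rec.get("name", "")):
            return (fstype, src, target)
    return None

def triage(text):
    """List (confining profile, mount point, covering rule) per denied mount."""
    out = []
    for rec in filter(None, map(parse_audit, text.splitlines())):
        if rec["apparmor"] == "DENIED" and rec.get("operation") == "mount":
            out.append((rec["profile"], rec["name"], covering_rule(rec)))
    return out

if __name__ == "__main__":
    for profile, name, rule in triage(DMESG):
        print(f"denied under {profile!r}: {name} -> covered by {rule}")
```

The denial was logged under the `unprivileged_userns` profile, so a matching rule in the posted `guix` profile only helps once that profile is loaded and attached to the `guix` binary.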





Last modified: Sun, 12 Jan 2025 05:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.