From: Ludovic Courtès <ludo@HIDDEN>
To: "nomike (they/them)" <nomike@HIDDEN>, Liliana Prikler <liliana.prikler@HIDDEN>
Cc: 71226 <at> debbugs.gnu.org
Subject: Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Fri, 04 Jul 2025 09:29:49 +0200

Hello,

"nomike (they/them)" <nomike@HIDDEN> writes:

> I've just filed a patch to the apparmor package maintainers for adding
> a guix profile to their package:
>
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111753
>
> Was quite a challenge to figure out how to do this, at least compared
> to what I'm used to with guix...

Nice, thanks nomike and Liliana for working on this!

While you’re at it, could you propose the relevant AppArmor profile for
inclusion in Guix proper?  It would be ideal if ‘etc/guix-install.sh’
would install it automatically on systems where AppArmor is enabled,
similar to how it handles SELinux.

Thanks,
Ludo’.

bug-guix@HIDDEN: bug#71226; Package guix.

From: "nomike (they/them)" <nomike@HIDDEN>
To: 71226 <at> debbugs.gnu.org
Subject: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Mon, 26 May 2025 22:28:12 +0200

I've just filed a patch to the apparmor package maintainers for adding a
guix profile to their package:

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111753

Was quite a challenge to figure out how to do this, at least compared to
what I'm used to with guix...

cheers
nomike

From: Liliana Marie Prikler <liliana.prikler@HIDDEN>
To: Marek Felšöci <marek@HIDDEN>, 71226 <at> debbugs.gnu.org
Subject: Re: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Sat, 26 Apr 2025 14:22:24 +0200

On Friday, 28.03.2025 at 13:25 +0100, Marek Felšöci wrote:
> Hello to all,
>
> I have got some news on the subject. Recently, I found this gist:
> https://gist.github.com/laanwj/cddb2ec7d18e71066d21e5ee993fe971
>
> It proposes an AppArmor profile for Guix together with some
> explanations.
>
> After adapting the path to the `guix` executable like so
>
> ```
> abi <abi/4.0>,
>
> include <tunables/global>
>
> profile guix /gnu/store/{*-guix-command,*/bin/guix} flags=(unconfined) {
>    userns,
>    # Site-specific additions and overrides. See local/README for details.
>    include if exists <local/guix>
> }
> ```
>
> and loading the profile into AppArmor, I am able to run
> `guix shell -C bash -- bash`. Possibly too permissive, the profile
> works though. It may at least provide a temporary solution for those,
> like me, for whom the container functionality is critical on a daily
> basis.

For those who want to use the unprivileged guix daemon, one should also
include */bin/guix-daemon.

Cheers
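
Added example, not part of the thread and not Guix or AppArmor code: a small Python model of AppArmor's path-glob matching that shows which executables the profile's attachment pattern covers, before and after adding `*/bin/guix-daemon` as suggested above. The store hashes, version strings and the exact spelling of `WITH_DAEMON` are constructed assumptions; character classes (`[...]`) are not modelled.

```python
import re


def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob into a compiled regex.

    Modelled constructs: '*' (any run of characters except '/'),
    '**' (any run of characters including '/'), '?' (one character
    except '/') and '{a,b}' alternation, which may be nested.
    """
    out = []
    depth = 0
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):
                out.append(".*")
                i += 1  # consume the second '*'
            else:
                out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in %r" % glob)
    return re.compile("".join(out))


def attaches(glob, path):
    """True if the profile attachment glob covers the whole executable path."""
    return aa_glob_to_regex(glob).fullmatch(path) is not None


def coverage(glob, paths):
    """Return the subset of paths the attachment glob covers, in order."""
    return [p for p in paths if attaches(glob, p)]


# Attachment pattern from the profile quoted in the thread.
ORIGINAL = "/gnu/store/{*-guix-command,*/bin/guix}"
# Assumed spelling of the extension suggested in the reply above.
WITH_DAEMON = "/gnu/store/{*-guix-command,*/bin/guix,*/bin/guix-daemon}"

# Constructed sample paths; the hash and versions are placeholders.
H = "x" * 32
GUIX_COMMAND = "/gnu/store/%s-guix-command" % H
GUIX_BIN = "/gnu/store/%s-guix-1.4.0/bin/guix" % H
GUIX_DAEMON = "/gnu/store/%s-guix-1.4.0/bin/guix-daemon" % H
OTHER_ITEM = "/gnu/store/%s-anything/bin/guix" % H
BASH = "/gnu/store/%s-bash-5.2/bin/bash" % H
OUTSIDE_STORE = "/usr/local/bin/guix"

SAMPLE_PATHS = [GUIX_COMMAND, GUIX_BIN, GUIX_DAEMON,
                OTHER_ITEM, BASH, OUTSIDE_STORE]


if __name__ == "__main__":
    for name, glob in (("original", ORIGINAL), ("with daemon", WITH_DAEMON)):
        print(name, glob)
        for path in SAMPLE_PATHS:
            mark = "covered    " if attaches(glob, path) else "not covered"
            print("  ", mark, path)
```

The `OTHER_ITEM` row shows how wide the pattern is: any store item that ships a `bin/guix` is covered, because `*` stands for the whole store-item name.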

From: Marek Felšöci <marek@HIDDEN>
To: 71226 <at> debbugs.gnu.org
Subject: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Fri, 28 Mar 2025 13:25:16 +0100

Hello to all,

I have got some news on the subject. Recently, I found this gist:
https://gist.github.com/laanwj/cddb2ec7d18e71066d21e5ee993fe971

It proposes an AppArmor profile for Guix together with some explanations.

After adapting the path to the `guix` executable like so

```
abi <abi/4.0>,

include <tunables/global>

profile guix /gnu/store/{*-guix-command,*/bin/guix} flags=(unconfined) {
   userns,
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/guix>
}
```

and loading the profile into AppArmor, I am able to run
`guix shell -C bash -- bash`. Possibly too permissive, the profile works
though. It may at least provide a temporary solution for those, like me,
for whom the container functionality is critical on a daily basis.

Best regards,

Marek

From: "nomike (they/them)" <nomike@HIDDEN>
To: 71226 <at> debbugs.gnu.org
Subject: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Wed, 5 Feb 2025 02:23:08 +0100

I've used the install.sh to install guix on my system (Ubuntu 24.10) and
I'm facing the same issue.

My guix-home config lives in ~/guix-home, so I cd to that directory in a
gnome-terminal and this happens:

```plaintext
$ guix home -L "${PWD}" container home-config.scm
guix home: error: mount: mount "none" on "/tmp/guix-directory.t82DOq": Permission
```

I first stumbled upon the [upstream bug on launchpad.net](https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115)
and tried the proposed solutions there, but they did not work.

So after some more googling I found this ticket here. I added the
proposed file to `/etc/apparmor.d/guix` and rebooted my machine.

Now this happens:

```plaintext
$ guix home -L "${PWD}" container home-config.scm
guix home: error: failed to load 'home-config.scm': Permission denied
```

So it seems like we're still missing something.

I'm new to guix and I have no clue about apparmor, so I'm a bit at a
loss.

cheers
nomike

From: rdes <rdes@HIDDEN>
To: "71226 <at> debbugs.gnu.org" <71226 <at> debbugs.gnu.org>
Subject: Link launchpad issue
Date: Sat, 18 Jan 2025 12:32:15 +0000

Hello,

Just wanted to link this issue with what is being tracked on ubuntu's
launchpad.

https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115
From: Ludovic Courtès <ludovic.courtes@HIDDEN>
To: Ricardo Wurmus <rekado@HIDDEN>
Cc: 71226 <at> debbugs.gnu.org, Marek Felšöci <marek.felsoci@HIDDEN>
Subject: Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Thu, 16 Jan 2025 09:19:58 +0100

Ricardo Wurmus <rekado@HIDDEN> wrote:

> Marek Felšöci <marek.felsoci@HIDDEN> writes:
>
>> I get an access denied error on the ".guix/channels.scm" file which I
>> own and have access to.
>>
>> I tried to play around with the AppArmor profile, but with no
>> success. Are we still missing something?
>
> Do you see any relevant information in the AppArmor logs?

I actually have a similar error:

--8<---------------cut here---------------start------------->8---
$ guix time-machine -- shell -C hello
guix time-machine: error: failed to load '/builds/.config/guix/channels.scm': Permission denied
$ sudo dmesg | tail -4
[489967.069070] audit: type=1400 audit(1737015245.640:166): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[489967.069236] audit: type=1400 audit(1737015245.640:167): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443246] audit: type=1400 audit(1737015290.015:168): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443371] audit: type=1400 audit(1737015290.015:169): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
$ ls -l /builds/.config/guix/channels.scm
-rw-rw-r-- 1 ci ci 147 Dec 27 11:28 /builds/.config/guix/channels.scm
$ id
uid=1000(ci) gid=1000(ci) groups=1000(ci)
--8<---------------cut here---------------end--------------->8---

I think the problem we have is that the AppArmor profile now applies to
all ‘guix’ invocations but it doesn’t specify that ‘guix’ can access
user-owned files. I guess I did something wrong because that means that
this profile is in fact more restrictive than the default one.

Is there a way to say we want to inherit the default profile and only
relax it?

Ludo’.
From: Ricardo Wurmus <rekado@HIDDEN>
To: Marek Felšöci <marek.felsoci@HIDDEN>
Cc: 71226 <at> debbugs.gnu.org, Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Tue, 14 Jan 2025 10:32:11 +0100

Marek Felšöci <marek.felsoci@HIDDEN> writes:

> I get an access denied error on the ".guix/channels.scm" file which I
> own and have access to.
>
> I tried to play around with the AppArmor profile, but with no
> success. Are we still missing something?

Do you see any relevant information in the AppArmor logs?

I'm not familiar with AppArmor, but in SELinux there's the concept of
type transitions. "guix time-machine" builds a directory and then
executes "bin/guix" from that store location. In SELinux you would need
to explicitly allow for that transition, so that
$HOME/.config/current/bin/guix can preserve its type when executing the
independent /gnu/store/.../bin/guix.

(Looking at our SELinux policy it seems to me that we're missing a type
transition for this case, so I would assume that "guix time-machine"
also doesn't work on a system where SELinux is enforcing policies.)

-- 
Ricardo
From: Marek Felšöci <marek.felsoci@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, 71226 <at> debbugs.gnu.org
Subject: Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Mon, 13 Jan 2025 17:12:40 +0100

Hello!

Thank you for taking time with this issue. After loading the AppArmor
profile from your message, I am able to execute “guix shell -C hello”.
However, when trying to combine the "shell" command with the
"time-machine" command, like so:

"guix time-machine --channels=.guix/channels.scm -- shell -C hello"

I get an access denied error on the ".guix/channels.scm" file which I
own and have access to.

I tried to play around with the AppArmor profile, but with no
success. Are we still missing something?

Best,

Marek

Ludovic Courtès wrote on 10. 1. 2025 at 17:37:
> Hello!
>
> I believe the attached AppArmor profile should work. You need to:
>
> 1. Drop it in /etc/apparmor.d/guix (it’s actually not specific to
> ‘guix shell -C’ since it matches any ‘guix’ command!).
>
> 2. Run “apparmor_parser -rv /etc/apparmor.d/guix”.
>
> And then you can check “guix build whatever” and “guix shell -C hello”.
>
> Note that AppArmor is stateful: it memorizes previous rules (“profiles”)
> and it’s not entirely clear how to remove them, especially when there’s
> no profile name.
>
> So perhaps you’ll want to reboot if in doubt.
>
> Anyway, I tested it in an Ubuntu 24.04 VM and everything seemed to work
> well.
>
> If you can confirm, we can add it to the repo and have ‘guix-install.sh’
> install it.
>
> Ludo’.
>
>
> guix.apparmor
>
> abi <abi/3.0>,
>
> include <tunables/global>
>
> profile guix /gnu/store/{*-guix-command,*/bin/guix} flags=(attach_disconnected) {
>   include <abstractions/base>
>   include <abstractions/consoles>
>   include <abstractions/nameservice>
>
>   capability net_admin, # for "guix shell -CN"
>   capability sys_admin, # for clone
>   capability sys_ptrace, # for user namespaces
>
>   # Allow preparing file systems inside the container root
>   mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
>   mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
>   mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
>   mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
>   mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
>   mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
>   mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
>   mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
>   mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
>   mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
>   mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
>   mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
>   umount /real-root/,
>
>   pivot_root,
>
>   # 'guix substitute' is responsible for deduplicating files that it downloads
>   # so it needs to be able to create links in /gnu/store/.links.
>   link /gnu/store/.links/** -> /gnu/store/**,
>
>   # Note: This also needs to provide permissions for 'guix substitute',
>   # which accesses /etc/guix/acl, /var/guix, /gnu/store/.links, etc.
>
>   /etc/nsswitch.conf r,
>   /etc/passwd r,
>   /gnu/store/** r,
>   /gnu/store/**/** r,
>   /gnu/store/*-guix-*/etc/ld.so.cache r,
>   /gnu/store/*-guix-*/libexec/guix/guile ix,
>   /gnu/store/*/bin/* mrix,
>   /gnu/store/*/lib/**.so** mr,
>   /gnu/store/*/lib/lib*.so* mr,
>   /gnu/store/*/libexec/** ix,
>   /gnu/store/*/sbin/* mrix,
>   /tmp/ rw,
>   /tmp/guix-directory** rw,
>   /var/guix/** r,
>   /var/guix/daemon-socket/socket rw,
>   @{PROC}/*/ns/net rw,
>   @{PROC}/*/ns/user rw,
>   @{PROC}/@{pid}/** rw,
>   @{PROC}/self/ rw,
>   @{PROC}/self/** rw,
>   @{PROC}/sys/kernel/unprivileged_userns_clone rw,
>
>   # These are permissions inside the container after pivot root
>   owner / w,
>   owner /bin/ w,
>   owner /bin/sh w,
>   owner /etc/ w,
>   owner /etc/group w,
>   owner /etc/group.* r,
>   owner /etc/group.* w,
>   owner /etc/hosts w,
>   owner /etc/passwd rw,
>   owner /etc/passwd.* r,
>   owner /etc/passwd.* w,
>
>   owner /home/*/* ra,
>   owner /home/*/.cache/guix/profiles/ r,
>   owner /home/*/.cache/guix/profiles/* w,
>   owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
>   owner /real-root/ w,
>
>   allow userns,
>
> }
From: Ludovic Courtès <ludo@HIDDEN>
To: Marek Felšöci <marek.felsoci@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, 71226 <at> debbugs.gnu.org
Subject: Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Fri, 10 Jan 2025 17:37:29 +0100

Hello!

I believe the attached AppArmor profile should work. You need to:

1. Drop it in /etc/apparmor.d/guix (it’s actually not specific to
‘guix shell -C’ since it matches any ‘guix’ command!).

2. Run “apparmor_parser -rv /etc/apparmor.d/guix”.

And then you can check “guix build whatever” and “guix shell -C hello”.

Note that AppArmor is stateful: it memorizes previous rules (“profiles”)
and it’s not entirely clear how to remove them, especially when there’s
no profile name.

So perhaps you’ll want to reboot if in doubt.

Anyway, I tested it in an Ubuntu 24.04 VM and everything seemed to work
well.

If you can confirm, we can add it to the repo and have ‘guix-install.sh’
install it.

Ludo’.

Content-Disposition: inline; filename=guix.apparmor

abi <abi/3.0>,

include <tunables/global>

profile guix /gnu/store/{*-guix-command,*/bin/guix} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,

  pivot_root,

  # 'guix substitute' is responsible for deduplicating files that it downloads
  # so it needs to be able to create links in /gnu/store/.links.
  link /gnu/store/.links/** -> /gnu/store/**,

  # Note: This also needs to provide permissions for 'guix substitute',
  # which accesses /etc/guix/acl, /var/guix, /gnu/store/.links, etc.

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,

  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,

}
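An added illustration, not part of the thread or of Guix: this Python sketch parses AppArmor `DENIED` audit lines like the ones quoted in this thread and checks `class="file"` denials against a subset of the file rules in the profile above. The glob matcher is a simplified model of AppArmor path globbing, and treating these rules as the ones loaded under the `guix-shell` profile named in the log is an assumption.

```python
import re

# Two denials copied from the dmesg excerpts quoted in this thread.
DMESG = """\
[489967.069070] audit: type=1400 audit(1737015245.640:166): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[46999.297993] audit: type=1400 audit(1736460233.029:326): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/tmp/guix-directory.BpSImx/" pid=190193 comm="guix" fstype="tmpfs" srcname="none"
"""

# Subset of the profile's file rules: (owner-only, glob, permissions).
# Rules that use @{PROC}/@{pid} variables are left out of this sketch.
FILE_RULES = [
    (False, "/etc/nsswitch.conf", "r"),
    (False, "/etc/passwd", "r"),
    (False, "/gnu/store/**", "r"),
    (False, "/tmp/", "rw"),
    (False, "/tmp/guix-directory**", "rw"),
    (False, "/var/guix/**", "r"),
    (True, "/home/*/*", "ra"),
    (True, "/home/*/.cache/guix/profiles/", "r"),
    (True, "/home/*/.cache/guix/profiles/*", "w"),
]

KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return one field dict per apparmor="DENIED" audit line."""
    events = []
    for line in text.splitlines():
        fields = {key: value.strip('"') for key, value in KEY_VALUE.findall(line)}
        if fields.get("apparmor") == "DENIED":
            events.append(fields)
    return events


def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' and '?' stay inside one path
    component, '**' crosses '/', and '{a,b}' is alternation."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        elif glob[i] == "{":
            end = glob.index("}", i)
            alternatives = glob[i + 1:end].split(",")
            out.append("(?:" + "|".join(glob_to_regex(a) for a in alternatives) + ")")
            i = end + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)


def matches(glob, path):
    """True when the whole path is covered by the glob."""
    return re.fullmatch(glob_to_regex(glob), path) is not None


def granting_rules(event, rules=FILE_RULES):
    """Globs of the file rules that would allow the access in a file denial."""
    wanted = set(event.get("requested_mask", ""))
    # 'owner' rules apply only when the accessing uid owns the object.
    is_owner = "fsuid" in event and event["fsuid"] == event.get("ouid")
    hits = []
    for owner_only, glob, perms in rules:
        if owner_only and not is_owner:
            continue
        if wanted <= set(perms) and matches(glob, event["name"]):
            hits.append(glob)
    return hits


def triage(text, rules=FILE_RULES):
    """(profile, class, name, granting rules) per denial; None for non-file classes."""
    report = []
    for event in parse_denials(text):
        hits = granting_rules(event, rules) if event.get("class") == "file" else None
        report.append((event["profile"], event.get("class"), event["name"], hits))
    return report


if __name__ == "__main__":
    for profile, klass, name, hits in triage(DMESG):
        if hits is None:
            verdict = "not a file denial; check the profile's %s rules" % klass
        elif hits:
            verdict = "allowed by " + ", ".join(hits)
        else:
            verdict = "no file rule grants this access"
        print(f"{profile}: {name}: {verdict}")
```

Under this model no listed rule covers a read of `/builds/.config/guix/channels.scm`: the only rule for user files, `owner /home/*/*`, reaches a single path component below a directory in `/home`.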
From: Marek Felšöci <marek.felsoci@HIDDEN>
To: Ludovic Courtès <ludovic.courtes@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, 71226 <at> debbugs.gnu.org
Subject: Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Thu, 9 Jan 2025 23:08:24 +0100

Hi Ludovic!

I ran the following Guix command

```
guix shell -C bash -- bash
```

and got these two entries in `dmesg` log.

```
[46999.292835] audit: type=1400 audit(1736460233.024:325): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=190176 comm="guix" requested="userns_create" target="unprivileged_userns"
[46999.297993] audit: type=1400 audit(1736460233.029:326): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="unprivileged_userns" name="/tmp/guix-directory.BpSImx/" pid=190193 comm="guix" fstype="tmpfs" srcname="none"
```

Is it of any help? Is there something else I should have a look at?

Thanks,

Marek.

Ludovic Courtès wrote on 9. 1. 2025 at 15:12:
> Hi Marek!
>
> Marek Felšöci <marek.felsoci@HIDDEN> wrote:
>
>> I confirm the issue on my Ubuntu 24.04 installation with Guix coming
>> from apt repositories.
>>
>> I followed the steps from Ricardo's reply, but the problem
>> persists with the same error:
>>
>> ```
>> guix shell: chyba: mount: mount "none" on
>> "/tmp/guix-directory.DFemEr": Prístup odmietnutý
>> ```
>>
>> Note that in the above message 'Prístup odmietnutý' means 'Access denied'.
>>
>> Have there been any new developments regarding this issue?
> No! I guess Ricardo was on the right track but this probably needs more
> testing and polishing.
>
> Is there additional info you can get by running “dmesg” or something
> like that?
>
> Thanks,
> Ludo’.
From: Ludovic Courtès <ludovic.courtes@HIDDEN>
To: Marek Felšöci <marek.felsoci@HIDDEN>
Cc: Ricardo Wurmus <rekado@HIDDEN>, 71226 <at> debbugs.gnu.org
Subject: Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Thu, 09 Jan 2025 15:12:32 +0100

Hi Marek!

Marek Felšöci <marek.felsoci@HIDDEN> wrote:

> I confirm the issue on my Ubuntu 24.04 installation with Guix coming
> from apt repositories.
>
> I followed the steps from Ricardo's reply, but the problem
> persists with the same error:
>
> ```
> guix shell: chyba: mount: mount "none" on
> "/tmp/guix-directory.DFemEr": Prístup odmietnutý
> ```
>
> Note that in the above message 'Prístup odmietnutý' means 'Access denied'.
>
> Have there been any new developments regarding this issue?

No! I guess Ricardo was on the right track but this probably needs more
testing and polishing.

Is there additional info you can get by running “dmesg” or something
like that?

Thanks,
Ludo’.
From: Marek Felšöci <marek.felsoci@HIDDEN>
To: 71226 <at> debbugs.gnu.org
Subject: Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Thu, 19 Dec 2024 17:26:54 +0100

Hello to all,

I confirm the issue on my Ubuntu 24.04 installation with Guix coming
from apt repositories.

I followed the steps from Ricardo's reply, but the problem persists
with the same error:

```
guix shell: chyba: mount: mount "none" on "/tmp/guix-directory.DFemEr": Prístup odmietnutý
```

Note that in the above message 'Prístup odmietnutý' means 'Access denied'.

Have there been any new developments regarding this issue?

PS: My current Guix generation is based on the commit c3290ce of the
official Guix channel.

Thank you very much!

Best regards,

Marek
From: Ludovic Courtès <ludovic.courtes@HIDDEN>
To: Ricardo Wurmus <rekado@HIDDEN>
Cc: 71226 <at> debbugs.gnu.org
Subject: Re: bug#71226: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Tue, 15 Oct 2024 14:07:50 +0200

Hi Ricardo and all,

Ricardo Wurmus <rekado@HIDDEN> writes:

> On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
> following contents:

[...]

> I then loaded the profile with "sudo apparmor_parser -qr
> /etc/apparmor.d/guix-shell-container". "guix shell -C hello" and "guix
> shell -CN hello" worked fine.

This issue is informally reported quite frequently these days.

Can someone on Ubuntu having this problem confirm that it works for
them?

And then, bonus points if you can create a patch against Guix that (1)
adds the file above under etc/ in the source tree, and (2) changes
‘etc/guix-install.sh’ to perform the above setup step on AppArmor
distros, similar to how SELinux is handled.

That’d be a much appreciated contribution!

Thanks,
Ludo’.
From: Ricardo Wurmus <rekado@HIDDEN>
To: 71226 <at> debbugs.gnu.org
Cc: ludo@HIDDEN
Subject: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Thu, 04 Jul 2024 15:05:17 +0200

On Ubuntu 24.04 I created /etc/apparmor.d/guix-shell-container with the
following contents:

--8<---------------cut here---------------start------------->8---
abi <abi/3.0>,

include <tunables/global>

/gnu/store/*-guix-*/bin/guix flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>

  capability net_admin, # for "guix shell -CN"
  capability sys_admin, # for clone
  capability sys_ptrace, # for user namespaces

  # Allow preparing file systems inside the container root
  mount fstype=(devpts) none -> /tmp/guix-directory.*/dev/pts/,
  mount fstype=(mqueue) options=(nodev, noexec, nosuid, rw) mqueue -> /tmp/guix-directory.*/dev/mqueue/,
  mount fstype=(proc) options=(nodev, noexec, nosuid, rw) none -> /tmp/guix-directory.*/proc/,
  mount fstype=(sysfs) options=(nodev, noexec, nosuid, ro) none -> /tmp/guix-directory.*/sys/,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/**,
  mount fstype=(tmpfs) none -> /tmp/guix-directory.*/,
  mount fstype=(tmpfs) options=(nodev, noexec, nosuid, rw) tmpfs -> /tmp/guix-directory.*/dev/shm/,
  mount fstype=(tmpfs) options=(noexec, rw, strictatime) none -> /tmp/guix-directory.*/dev/,
  mount options=(bind, rw) /** -> /tmp/guix-directory.*/**,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**/,
  mount options=(rbind, relatime, remount, ro) -> /tmp/guix-directory.*/**,
  mount options=(rbind, rw) /** -> /tmp/guix-directory.*/**,
  umount /real-root/,
  pivot_root,

  /etc/nsswitch.conf r,
  /etc/passwd r,
  /gnu/store/** r,
  /gnu/store/**/** r,
  /gnu/store/*-guix-*/etc/ld.so.cache r,
  /gnu/store/*-guix-*/libexec/guix/guile ix,
  /gnu/store/*/bin/* mrix,
  /gnu/store/*/lib/**.so** mr,
  /gnu/store/*/lib/lib*.so* mr,
  /gnu/store/*/libexec/** ix,
  /gnu/store/*/sbin/* mrix,
  /tmp/ rw,
  /tmp/guix-directory** rw,
  /var/guix/** r,
  /var/guix/daemon-socket/socket rw,
  @{PROC}/*/ns/net rw,
  @{PROC}/*/ns/user rw,
  @{PROC}/@{pid}/** rw,
  @{PROC}/self/ rw,
  @{PROC}/self/** rw,
  @{PROC}/sys/kernel/unprivileged_userns_clone rw,

  # These are permissions inside the container after pivot root
  owner / w,
  owner /bin/ w,
  owner /bin/sh w,
  owner /etc/ w,
  owner /etc/group w,
  owner /etc/group.* r,
  owner /etc/group.* w,
  owner /etc/hosts w,
  owner /etc/passwd rw,
  owner /etc/passwd.* r,
  owner /etc/passwd.* w,
  owner /home/*/* ra,
  owner /home/*/.cache/guix/profiles/ r,
  owner /home/*/.cache/guix/profiles/* w,
  owner /home/*/.cache/guix/profiles/last-expiry-cleanup r,
  owner /real-root/ w,

  allow userns,
}
--8<---------------cut here---------------end--------------->8---

I then loaded the profile with "sudo apparmor_parser -qr
/etc/apparmor.d/guix-shell-container". "guix shell -C hello" and "guix
shell -CN hello" worked fine.

To refine this policy I used the following process:

1. run "sudo aa-genprof guix" in one terminal
2. run "guix shell -CN hello" in another
3. update /etc/apparmor.d/guix-shell-container as needed (often
   replacing temporary directory names with glob patterns)
4. repeat

We may want to create a template file in which we replace all instances
of /gnu/store and /var/guix with their respective configured values and
install the file in the same manner as we do etc/guix-daemon.cil.

I wonder if we need to provide something similar for SELinux where we
only have the guix-daemon policy.

-- 
Ricardo
From: "W. J. van der Laan" <laanwj@HIDDEN>
To: 71226 <at> debbugs.gnu.org
Subject: Upstream ubuntu issue
Date: Thu, 30 May 2024 13:55:00 +0000

Upstream ubuntu issue (includes possible workaround): https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115
From: Ludovic Courtès <ludovic.courtes@HIDDEN>
To: bug-guix@HIDDEN
Subject: ‘guix shell -C’ doesn’t work on Ubuntu 24.04
Date: Mon, 27 May 2024 16:55:07 +0200

On Ubuntu 24.04, ‘guix shell -C’ has its child process (in a separate
mount namespace) fail to mount a tmpfs:

--8<---------------cut here---------------start------------->8---
294642 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = 294653
294642 close(15) = 0
294642 getuid() = 1000
294642 getgid() = 1000
294653 close(16) = 0
294642 openat(AT_FDCWD, "/proc/294653/setgroups", O_WRONLY|O_CREAT|O_TRUNC, 0666 <unfinished ...>
294653 read(15, <unfinished ...>
294642 <... openat resumed>) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "deny", 4) = 4
294642 close(6) = 0
294642 openat(AT_FDCWD, "/proc/294653/uid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "1000 1000 1", 11) = 11
294642 close(6) = 0
294642 openat(AT_FDCWD, "/proc/294653/gid_map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
294642 newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=0, ...}, AT_EMPTY_PATH) = 0
294642 lseek(6, 0, SEEK_CUR) = 0
294642 write(6, "1000 1000 1", 11) = 11
294642 close(6) = 0
294642 write(16, "ready", 5) = 5
294653 <... read resumed>"r", 1) = 1
294642 write(16, "\n", 1) = 1
294653 read(15, "e", 1) = 1
294642 read(16, <unfinished ...>
294653 read(15, "a", 1) = 1
294653 read(15, "d", 1) = 1
294653 read(15, "y", 1) = 1
294653 read(15, "\n", 1) = 1
294653 mount("none", "/tmp/guix-directory.3DaoGp", "tmpfs", 0, NULL) = -1 EACCES (Permission denied)
294653 write(15, "(", 1) = 1
294642 <... read resumed>"(", 1) = 1
294653 write(15, "system-error", 12 <unfinished ...>
--8<---------------cut here---------------end--------------->8---

(It used to work on Ubuntu 22.)

Ludo’.