Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BenchExec not working after upgrading from Ubuntu 23.10 to 24.04 #1041

Closed
younghojan opened this issue May 23, 2024 · 6 comments · Fixed by #1042
Closed

BenchExec not working after upgrading from Ubuntu 23.10 to 24.04 #1041

younghojan opened this issue May 23, 2024 · 6 comments · Fixed by #1042
Assignees
@younghojan
Labels
container related to container mode

Comments

@younghojan
Copy link
Member

I recently upgraded my system from Ubuntu 23.10 to 24.04, and BenchExec stopped working. I installed BenchExec from the PPA following the instructions provided here. I believe I have configured everything correctly, as python3 -m benchexec.check_cgroups did not produce any output.

However, when I run containerexec --debug /usr/bin/ls, I encounter the following error:

haoranyang@haoranyang-fudan:~/benchexec-younghojan$ containerexec --debug /usr/bin/ls
2024-05-23 20:02:47 - DEBUG - This is containerexec 3.21.
2024-05-23 20:02:47 - INFO - Starting command ls
2024-05-23 20:02:47 - DEBUG - Available Cgroups: {}
2024-05-23 20:02:47 - DEBUG - Starting process.
2024-05-23 20:02:47 - DEBUG - Parent: child process of RunExecutor with PID 12007 started.
2024-05-23 20:02:47 - DEBUG - Child: child process of RunExecutor with PID 12007 started
2024-05-23 20:02:47 - WARNING - Changing hostname in container prevented by system configuration, real hostname will leak into the container.
2024-05-23 20:02:47 - CRITICAL - Failed to configure container with operation 'fcntl.ioctl(sock, _SIOCSIFFLAGS, ifreq)': [Errno 1] Operation not permitted

BenchExec then exits with an error. This seems to be caused by Ubuntu 24.04 now restricting user namespaces by default.

Referencing the Ubuntu 24.04 LTS Release Notes, it states:

In combination with the apparmor package, the Ubuntu kernel now restricts the use of unprivileged user namespaces.

I disabled this restriction by executing:

echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns

However, this solution is temporary and will be reset upon reboot. A persistent setting can be applied by creating a new file /etc/sysctl.d/60-apparmor-namespace.conf with the following contents:

kernel.apparmor_restrict_unprivileged_userns=0

Do we need to update the BenchExec documentation to inform users about this issue and the steps to resolve it on Ubuntu 24.04?
@PhilippWendler PhilippWendler added the container related to container mode label May 23, 2024
@PhilippWendler
Copy link
Member

Thanks! I had heard rumors about this change but haven't found the time to test it yet.

Yes, we definitively want to add documentation about this to BenchExec, and we also want to detect this specific situation in BenchExec itself and print a message that tells users what they need to do (like we do here).

But first, is there a different way how users can make BenchExec work except by re-enabling unprivileged user namespaces globally? Can AppArmor be configured to allow it for BenchExec specifically? Do you happen to know this?

@younghojan
Copy link
Member Author

But first, is there a different way how users can make BenchExec work except by re-enabling unprivileged user namespaces globally? Can AppArmor be configured to allow it for BenchExec specifically? Do you happen to know this?

I guess there's another way to deal with this. It is also mentioned in Ubuntu 24.04 LTS Release Notes referenced above:

Confine your applications with an AppArmor profile. Because this can be potentially onerous, a new unconfined profile mode/flag has been added to AppArmor. This designates the profile to essentially act like the unconfined mode for AppArmor where an application is not restricted, and it allows additional permissions to be added, such as the userns, permission. Such profile for, e.g. Google Chrome 30, would look like the following, and it would be located within the /etc/apparmor.d/chrome file:

abi <abi/4.0>,

include <tunables/global>

/opt/google/chrome/chrome flags=(unconfined) {
 userns,

 # Site-specific additions and overrides. See local/README for details.
 include if exists <local/chrome>
}

Alternatively, a complete AppArmor profile for the application can be created (see the AppArmor 68 documentation).

However, I currently know very little about AppArmor and am not quite sure.

@PhilippWendler
Copy link
Member

Ok, I think it would be possible to ship this with our Ubuntu package. But I can't test it right now, and also not all users will install from this package, so we want the added documentation and error messages anyway.

Would you like to contribute this?

@younghojan
Copy link
Member Author

Sure I'd love to! I think I just need to add the corresponding content in the Common Problems section in container.md. I'll have it done in 24 hours.

@PhilippWendler
Copy link
Member

Thanks! Would be great if the container code in BenchExec could also detect this particular case.

@younghojan younghojan self-assigned this May 24, 2024
@younghojan younghojan linked a pull request May 24, 2024 that will close this issue
fix: Add error message output to respond to the impact of Ubuntu 24.04 #1042
Merged
@younghojan younghojan mentioned this issue May 24, 2024
Merged
PhilippWendler added a commit that referenced this issue Jun 13, 2024
@PhilippWendler
Add an AppArmor profile for BenchExec to its .deb package
7753c4a 
On Ubuntu since 24.04, user namespaces are forbidden for regular users
(cf. #1041 and #1042).
There is a global sysctl switch to enable them again,
but applications whose AppArmor profile allows this can also use it.
(Typically, AppArmor only restricts application,
but in this case an AppArmor profile can actually provide a privilege
than an unconfined application does not have.)
More explanations are at
https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

In order to make BenchExec usable out-of-the-box after installing
the .deb package we want to ship such an AppArmor profile.
This is made complicated by the fact that the AppArmor profile
that is necessary on Ubuntu 24.04+
breaks AppArmor on previous Ubuntu versions.
So we have to install this profile conditionally.
I found a way to do so using ucf (a tool for handling config files)
and this seems to work in my tests on Ubuntu 22.04 (old AppArmor),
Ubuntu 24.04 (new AppArmor), and Debian 12 (old AppArmor),
as well as installation without AppArmor present.

There are two known remaining problems:
- If one upgrades from Ubuntu 22.04 to Ubuntu 24.04 while having
  BenchExec installed, the AppArmor profile will not be installed,
  so BenchExec will not work.
  Upgrading or reinstalling the BenchExec package makes it work.
- The command "python3 -m benchexec.test_tool_info" will not work,
  because the AppArmor profile won't match it.
  One has to either disable container mode or temporarily allow
  the use of user namespaces for the whole system.
  If we implement #1053 this would just work.

Part of #1041.
@PhilippWendler
Copy link
Member

Besides the improved error messages regarding this issue, the Ubuntu package of the next release of BenchExec will also ship with the necessary AppArmor config such that BenchExec works out-of-the-box again on Ubuntu. Of course, users of BenchExec who install it from git or pip or use inside a container or so will still need to change the sysctl.

@PhilippWendler PhilippWendler mentioned this issue Jun 13, 2024
Open
EshaanAgg pushed a commit to EshaanAgg/benchexec that referenced this issue Jun 28, 2024
@PhilippWendler @EshaanAgg
Add an AppArmor profile for BenchExec to its .deb package
5ba66e9 
On Ubuntu since 24.04, user namespaces are forbidden for regular users
(cf. sosy-lab#1041 and sosy-lab#1042).
There is a global sysctl switch to enable them again,
but applications whose AppArmor profile allows this can also use it.
(Typically, AppArmor only restricts application,
but in this case an AppArmor profile can actually provide a privilege
than an unconfined application does not have.)
More explanations are at
https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

In order to make BenchExec usable out-of-the-box after installing
the .deb package we want to ship such an AppArmor profile.
This is made complicated by the fact that the AppArmor profile
that is necessary on Ubuntu 24.04+
breaks AppArmor on previous Ubuntu versions.
So we have to install this profile conditionally.
I found a way to do so using ucf (a tool for handling config files)
and this seems to work in my tests on Ubuntu 22.04 (old AppArmor),
Ubuntu 24.04 (new AppArmor), and Debian 12 (old AppArmor),
as well as installation without AppArmor present.

There are two known remaining problems:
- If one upgrades from Ubuntu 22.04 to Ubuntu 24.04 while having
  BenchExec installed, the AppArmor profile will not be installed,
  so BenchExec will not work.
  Upgrading or reinstalling the BenchExec package makes it work.
- The command "python3 -m benchexec.test_tool_info" will not work,
  because the AppArmor profile won't match it.
  One has to either disable container mode or temporarily allow
  the use of user namespaces for the whole system.
  If we implement sosy-lab#1053 this would just work.

Part of sosy-lab#1041.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@younghojan younghojan

Labels
container related to container mode
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Add error message output to respond to the impact of Ubuntu 24.04 sosy-lab/benchexec
2 participants
@PhilippWendler @younghojan