[Bug 2078597] Re: Failed to flush binfmt_misc rules, ignoring: Permission denied
Hadmut Danisch
2078597 at bugs.launchpad.net
Tue Sep 10 15:45:49 UTC 2024
security.nesting: "true"
security.privileged: "true"
But maybe looking for /proc/sys/fs/binfmt_misc may be the trap, because
it is not just a matter of being mounted and rw, there's also some
trouble with apparmor. E.g. on the machine
# ls -lF /proc/sys/fs
total 0
-rw-r--r-- 1 root root 0 Sep 10 18:36 aio-max-nr
-r--r--r-- 1 root root 0 Sep 10 18:36 aio-nr
drwxr-xr-x 2 root root 0 Sep 10 18:29 binfmt_misc/
-r--r--r-- 1 root root 0 Sep 10 18:36 dentry-state
-rw-r--r-- 1 root root 0 Sep 10 18:36 dir-notify-enable
dr-xr-xr-x 1 root root 0 Sep 10 18:36 epoll/
dr-xr-xr-x 1 root root 0 Sep 10 18:36 fanotify/
-rw-r--r-- 1 root root 0 Sep 10 18:30 file-max
-r--r--r-- 1 root root 0 Sep 10 18:36 file-nr
-r--r--r-- 1 root root 0 Sep 10 18:36 inode-nr
-r--r--r-- 1 root root 0 Sep 10 18:36 inode-state
dr-xr-xr-x 1 root root 0 Sep 10 18:36 inotify/
-rw-r--r-- 1 root root 0 Sep 10 18:36 lease-break-time
-rw-r--r-- 1 root root 0 Sep 10 18:36 leases-enable
-rw-r--r-- 1 root root 0 Sep 10 18:36 mount-max
dr-xr-xr-x 1 root root 0 Sep 10 18:36 mqueue/
-rw-r--r-- 1 root root 0 Sep 10 18:30 nr_open
-rw-r--r-- 1 root root 0 Sep 10 18:36 overflowgid
-rw-r--r-- 1 root root 0 Sep 10 18:36 overflowuid
-rw-r--r-- 1 root root 0 Sep 10 18:36 pipe-max-size
-rw-r--r-- 1 root root 0 Sep 10 18:36 pipe-user-pages-hard
-rw-r--r-- 1 root root 0 Sep 10 18:36 pipe-user-pages-soft
-rw-r--r-- 1 root root 0 Sep 10 18:30 protected_fifos
-rw-r--r-- 1 root root 0 Sep 10 18:30 protected_hardlinks
-rw-r--r-- 1 root root 0 Sep 10 18:30 protected_regular
-rw-r--r-- 1 root root 0 Sep 10 18:30 protected_symlinks
dr-xr-xr-x 1 root root 0 Sep 10 18:36 quota/
-rw-r--r-- 1 root root 0 Sep 10 18:36 suid_dumpable
dr-xr-xr-x 1 root root 0 Sep 10 18:36 verity/
shows binfmt_misc as readable, and I am root. But:
# ls -lF /proc/sys/fs/binfmt_misc
ls: cannot open directory '/proc/sys/fs/binfmt_misc': Permission denied
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2078597
Title:
Failed to flush binfmt_misc rules, ignoring: Permission denied
Status in systemd package in Ubuntu:
Incomplete
Bug description:
After upgrading an LXD guest machine from 22.04 to 24.04.1, system
isn't healthy, systemctl complains that systemd-binfmt.service fails:
Aug 31 19:23:51 install systemd-binfmt[1147]: Failed to flush binfmt_misc rules, ignoring: Permission denied
Aug 31 19:23:51 install systemd-binfmt[1147]: /usr/lib/binfmt.d/python3.12.conf:1: Failed to delete rule 'python3.12', ignoring: Permission denied
Aug 31 19:23:51 install systemd-binfmt[1147]: /usr/lib/binfmt.d/python3.12.conf:1: Failed to add binary format 'python3.12': Permission denied
Aug 31 19:23:51 install systemd[1]: systemd-binfmt.service: Main process exited, code=exited, status=1/FAILURE
Aug 31 19:23:51 install systemd[1]: systemd-binfmt.service: Failed with result 'exit-code'.
Aug 31 19:23:51 install systemd[1]: Failed to start systemd-binfmt.service - Set Up Additional Binary Formats.
Reason:
# strace -s 80 /usr/lib/systemd/systemd-binfmt |& fgrep EACCES
openat(AT_FDCWD, "/proc/sys/fs/binfmt_misc/status", O_WRONLY|O_NOCTTY|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/proc/sys/fs/binfmt_misc/python3.12", O_WRONLY|O_NOCTTY|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/proc/sys/fs/binfmt_misc/register", O_WRONLY|O_NOCTTY|O_CLOEXEC) = -1 EACCES (Permission denied)
There is (like with other programs) a problem with latest LXD/24.04/apparmor settings. podman/docker also don't run without workarounds in apparmor.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: systemd 255.4-1ubuntu8.4
ProcVersionSignature: Ubuntu 6.8.0-41.41-generic 6.8.12
Uname: Linux 6.8.0-41-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.1
Architecture: amd64
CasperMD5CheckResult: unknown
CloudBuildName: server
CloudSerial: 20221101.1
Date: Sun Sep 1 02:10:13 2024
Lsusb:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 1c4f:0063 SiGma Micro Touchpad (integrated in detachable keyboard of Chuwi SurBook)
Bus 001 Device 003: ID 13d3:3458 IMC Networks Bluetooth Radio
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-6.8.0-41-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro
SourcePackage: systemd
SystemdFailedUnits:
Error: command ['systemctl', 'status', '--full', '●'] failed with exit code 4: Invalid unit name "●" escaped as "\xe2\x97\x8f" (maybe you should use systemd-escape?).
Unit \xe2\x97\x8f.service could not be found.
UpgradeStatus: Upgraded to noble on 2024-08-31 (0 days ago)
dmi.bios.date: 04/10/2017
dmi.bios.release: 5.6
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: P1.70
dmi.board.name: J3160-NUC
dmi.board.vendor: ASRock
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrP1.70:bd04/10/2017:br5.6:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnASRock:rnJ3160-NUC:rvr:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:skuToBeFilledByO.E.M.:
dmi.product.family: To Be Filled By O.E.M.
dmi.product.name: To Be Filled By O.E.M.
dmi.product.sku: To Be Filled By O.E.M.
dmi.product.version: To Be Filled By O.E.M.
dmi.sys.vendor: To Be Filled By O.E.M.
modified.conffile..etc.init.d.apport: [modified]
mtime.conffile..etc.init.d.apport: 2024-07-22T17:59:07
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2078597/+subscriptions
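
An added diagnostic sketch (not part of the bug report and not systemd code) for the point made in the comment above: the mode bits on /proc/sys/fs/binfmt_misc do not show whether AppArmor permits the open, so this attempts the same opens that fail in the strace output and reports the caller's confinement mode. Function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch: function names and verdict strings are hypothetical.

# What happens when the directory is really opened: missing, ok or denied.
probe_dir() {
    [ -d "$1" ] || { echo missing; return 0; }
    # Listing forces an open(); mode bits can look fine while an LSM refuses it.
    if ls -A "$1" >/dev/null 2>&1; then echo ok; else echo denied; fi
}

# Open a file for writing without writing anything: missing, ok or denied.
probe_write() {
    [ -e "$1" ] || { echo missing; return 0; }
    # The subshell keeps a failed redirection from aborting the script.
    if ( : >>"$1" ) 2>/dev/null; then echo ok; else echo denied; fi
}

# Mode from the text of /proc/<pid>/attr/current:
# "unconfined" or "<profile> (<mode>)"; anything else gives "unknown".
apparmor_mode() {
    case $1 in
        unconfined) echo unconfined ;;
        *" ("*")") m=${1##*\(}; m=${m%\)}; echo "$m" ;;
        *) echo unknown ;;
    esac
}

# Verdict for a binfmt_misc directory ($1) given the caller's label ($2).
diagnose_binfmt() {
    d=$(probe_dir "$1")
    if [ "$d" = missing ]; then echo absent; return 0; fi
    if [ "$d" = ok ]; then
        w=$(probe_write "$1/register")
        if [ "$w" = missing ]; then echo not-mounted; return 0; fi
        if [ "$w" = ok ]; then echo usable; return 0; fi
    fi
    echo "blocked apparmor=$(apparmor_mode "$2")"
}

# Run against the live system; the label is empty when AppArmor is absent.
diagnose_binfmt /proc/sys/fs/binfmt_misc "$(cat /proc/self/attr/current 2>/dev/null)"
```

A `blocked` verdict together with mode `enforce` points at the profile rather than at the mount; the matching denial is logged by the kernel as `apparmor="DENIED"`.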