
AppArmor config documented in man page doesn't work with pipx

Open bjackman opened this issue 10 months ago • 1 comment

mkosi commit the issue has been seen with

main

Used host distribution

Ubuntu 24.04.1

Used target distribution

No response

Linux kernel version used

No response

CPU architectures issue was seen on

None

Unexpected behaviour you saw

In https://github.com/systemd/mkosi/issues/3265 I reported issues with unprivileged user namespace creation on locked-down distros and documented a solution for Ubuntu 24.04.1.

However, I've just realised this is incompatible with the pipx installation method documented on the README. It only works for me when I run mkosi directly from the repo.

I've asked for help here as I guess this is something of an expert AppArmor configuration topic.

Perhaps in the meantime we should just document that Ubuntu users should avoid pipx installation?

Used mkosi config

No response

mkosi output

No response

bjackman avatar Dec 29 '24 18:12 bjackman

@bjackman: mkosi installed using pipx v1.6.0 on Ubuntu 24.10 works for me.

Took slightly different steps:

  • Using root privileges to make the installation "global". Didn't attempt a per-user installation.
  • Resolving the executable symlink before creating the apparmor profile.

# NOTE: install mkosi "globally".
# NOTE: "--global" requires pipx v1.5.0 (2024-03-29) or newer.
sudo pipx install --global git+https://github.com/systemd/mkosi.git

# NOTE: resolve symlinks to find the on-disk path to mkosi.
# NOTE: on my system the path is: /opt/pipx/venvs/mkosi/bin/mkosi
ls -l "$(realpath "$(which mkosi)")"

# NOTE: create apparmor profile.
# NOTE: if your on-disk path differs, change both the filename and path below.
<<-'EOF' sudo tee /etc/apparmor.d/opt.pipx.venvs.mkosi.bin.mkosi >/dev/null
	abi <abi/4.0>,

	include <tunables/global>

	/opt/pipx/venvs/mkosi/bin/mkosi flags=(default_allow) {
	  userns,
	}
EOF

(Note: pipx reports mkosi v25.3, but mkosi --version shows mkosi 26~devel.)


Quoting the question on AskUbuntu:

I think this is because pipx is running the tool via some indirection that breaks the connection to the AppArmor profile.

Perhaps the difference lies in using the "real" on-disk path to mkosi, or perhaps it's the "global" installation path. Not familiar enough with apparmor to know for sure.

Did not investigate the Ubuntu/Debian package sources (for apt) to find their apparmor magic; it may also belong to a dependency.

joelpurra avatar Feb 13 '25 09:02 joelpurra
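The steps in the comment above, as an added script (not code from the mkosi project or from either participant in this thread) that automates the symlink-resolution step and the check a practitioner wants before trusting the profile. AppArmor attaches a profile by the path of the file the kernel actually executes, so a profile written against a symlink in $PATH (a per-user `~/.local/bin/mkosi`, or `/usr/local/bin/mkosi` for a global install) never matches; the script resolves the command first and derives both the profile body and the `/etc/apparmor.d` file name from the resolved path, which also covers per-user pipx installs whose venv lives under the home directory. Two caveats it encodes as comments: `flags=(default_allow)` permits everything not explicitly denied, so this is an exemption from Ubuntu's unprivileged user-namespace restriction rather than confinement, and `abi <abi/4.0>` needs AppArmor 4.0 or newer. The paths `/opt/pipx/venvs/mkosi/bin/mkosi` and `mkosi-userns-profile.sh` are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the mkosi project or of the issue thread.
# Generate and load an AppArmor profile that grants user-namespace creation
# to the *resolved* path of a pipx-installed mkosi.

# Resolve a command name to the on-disk path AppArmor will match against.
# A symlink in $PATH is followed, because the kernel opens the link target.
resolve_executable() {
  cmd="$(command -v "$1")" || return 1
  realpath "$cmd"
}

# Report "symlink" when the command found in $PATH is not the file that gets
# executed, i.e. when a profile naming `which mkosi` would silently not attach.
path_kind() {
  cmd="$(command -v "$1")" || return 1
  if [ -L "$cmd" ]; then echo symlink; else echo regular; fi
}

# AppArmor's conventional profile file name: drop the leading "/" and turn the
# remaining "/" into ".", e.g. /opt/pipx/venvs/mkosi/bin/mkosi (assumed path)
# becomes opt.pipx.venvs.mkosi.bin.mkosi.
apparmor_profile_filename() {
  printf '%s\n' "${1#/}" | tr / .
}

# Render the profile text for one executable path.
# flags=(default_allow): everything not explicitly denied is permitted, so this
# only lifts the unprivileged-userns restriction; it is not a sandbox.
# "abi <abi/4.0>" requires AppArmor 4.0 (shipped with Ubuntu 24.04).
render_userns_profile() {
  exe="$1"
  printf '%s\n' \
    'abi <abi/4.0>,' \
    '' \
    'include <tunables/global>' \
    '' \
    "$exe flags=(default_allow) {" \
    '  userns,' \
    '}'
}

# Write the profile under /etc/apparmor.d, load it, and confirm the kernel
# lists it. Must run as root.
install_userns_profile() {
  exe="$(resolve_executable "$1")" || { echo "$1: not found in PATH" >&2; return 1; }
  if [ "$(path_kind "$1")" = symlink ]; then
    echo "note: $(command -v "$1") is a symlink; profile will target $exe" >&2
  fi
  target="/etc/apparmor.d/$(apparmor_profile_filename "$exe")"
  render_userns_profile "$exe" > "$target"
  apparmor_parser -r "$target" || return 1
  if aa-status 2>/dev/null | grep -Fq "$exe"; then
    echo "loaded: $exe"
  else
    echo "wrote $target but aa-status does not list $exe; check apparmor_parser output" >&2
    return 1
  fi
}

# Usage (as root): sh mkosi-userns-profile.sh mkosi
if [ "$#" -eq 1 ]; then
  install_userns_profile "$1"
fi
```

Run it as root with the command name, not a path (`sudo sh mkosi-userns-profile.sh mkosi`); after that, `mkosi` invoked through the symlink still runs the resolved venv script, which is the path the profile names, so user-namespace creation is permitted for it.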