GNU bug report logs -
#71226
‘guix shell -C’ doesn’t work on Ubuntu 24.04
Message #37 received at 71226 <at> debbugs.gnu.org (full text, mbox):
Ricardo Wurmus <rekado <at> elephly.net> writes:
> Marek Felšöci <marek.felsoci <at> lip6.fr> writes:
>
>> I get an access denied error on the ".guix/channels.scm" file which I
>> own and have access to.
>>
>> I tried to play around with the AppArmor profile, but with no
>> success. Are we still missing something?
>
> Do you see any relevant information in the AppArmor logs?

I actually have a similar error:

--8<---------------cut here---------------start------------->8---
$ guix time-machine -- shell -C hello
guix time-machine: error: failed to load '/builds/.config/guix/channels.scm': Permission denied
$ sudo dmesg | tail -4
[489967.069070] audit: type=1400 audit(1737015245.640:166): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[489967.069236] audit: type=1400 audit(1737015245.640:167): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443246] audit: type=1400 audit(1737015290.015:168): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443371] audit: type=1400 audit(1737015290.015:169): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
$ ls -l /builds/.config/guix/channels.scm
-rw-rw-r-- 1 ci ci 147 Dec 27 11:28 /builds/.config/guix/channels.scm
$ id
uid=1000(ci) gid=1000(ci) groups=1000(ci)
--8<---------------cut here---------------end--------------->8---

I think the problem we have is that the AppArmor profile now applies to
all ‘guix’ invocations but it doesn’t specify that ‘guix’ can access
user-owned files. I guess I did something wrong because that means that
this profile is in fact more restrictive than the default one.

Is there a way to say we want to inherit the default profile and only
relax it?

Ludo’.
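
Added example (not part of the message above and not code from the Guix project): a triage script that groups the AppArmor denials from the quoted dmesg output and checks whether fsuid equals ouid, which is the condition AppArmor's `owner` rule qualifier tests. The third sample record and the rendered rule text are constructed for illustration and are meant for human review only.

```python
import re

# Sample input: the first two records are copied from the dmesg output quoted
# above; the third is constructed (hypothetical path and uids) to show the
# case where the process does not own the file.
SAMPLE = """\
[489967.069070] audit: type=1400 audit(1737015245.640:166): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16585 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490011.443246] audit: type=1400 audit(1737015290.015:168): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/builds/.config/guix/channels.scm" pid=16597 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[490020.000000] audit: type=1400 audit(1737015299.000:170): apparmor="DENIED" operation="open" class="file" profile="guix-shell" name="/example/shared.scm" pid=16601 comm="guix" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs, where the value is either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of fields per AppArmor DENIED record on a file path."""
    records = []
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if (fields.get("apparmor") == "DENIED"
                and "name" in fields and "denied_mask" in fields):
            records.append(fields)
    return records

def summarize(records):
    """Group denials by (profile, path, mask); track pids and owner match."""
    groups = {}
    for r in records:
        key = (r.get("profile", "?"), r["name"], r["denied_mask"])
        g = groups.setdefault(key, {"count": 0, "pids": set(), "owner": True})
        g["count"] += 1
        g["pids"].add(r.get("pid"))
        # fsuid == ouid means the process owns the file; a single mismatch
        # in the group means an 'owner' rule would not cover every denial.
        g["owner"] = g["owner"] and r.get("fsuid") == r.get("ouid")
    return groups

def candidate_rules(groups):
    """Render review-only rule text per group; not Guix's shipped profile."""
    return [f"{profile}: {'owner ' if g['owner'] else ''}{path} {mask},"
            for (profile, path, mask), g in groups.items()]

if __name__ == "__main__":
    for rule in candidate_rules(summarize(parse_denials(SAMPLE))):
        print(rule)
```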
This bug report was last modified 22 days ago.