Systemd-tmpfiles --create fails in unprivileged archlinux containers

Noticed this on multiple incus deployments where running something like pacman -S openssh fails at (3/4) Creating temporary files... It dumps out fchownat() of /sys/kernel/security/ima/binary_runtime_measurements failed: Permission denied, which makes sense because binary_runtime_measurements is unreadable, and probably shouldn’t be.

This appears to happen because systemd-tmpfiles is configured in /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf to adjust the access mode of /sys/kernel/security/ima/binary_runtime_measurements (and /sys/kernel/security/tpm[0-9]/binary_bios_measurements) to 0440.

Simple fix (for me) is to comment out those two lines in tpm2-tss-fapi.conf - whether that’s “correct” or not (or should be included in the archlinux image in the first place) is another discussion.

Reproduction steps:

  1. Create a new archlinux container: incus launch images:archlinux my-archlinux-instance
  2. Launch a root shell in it, and execute: pacman -S openssh
  3. Expect it to fail 🙂

Environment:

  • incus 6.4
  • Debian 12, linux 6.1.0-23-amd64

Dumping the entire pacman output in case someone else runs into this and finds nothing about it when searching the internet:

[root@hostname ~]# pacman -S openssh
warning: openssh-9.8p1-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) openssh-9.8p1-1

Total Installed Size:  5.71 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring          [...] 100%
(1/1) checking package integrity        [...] 100%
(1/1) loading package files             [...] 100%
(1/1) checking for file conflicts       [...] 100%
(1/1) checking available disk space     [...] 100%
:: Processing package changes...
(1/1) reinstalling openssh              [...] 100%
:: Running post-transaction hooks...
(1/4) Reloading system manager configuration...
(2/4) Reloading user manager configuration...
(3/4) Creating temporary files...
fchownat() of /sys/kernel/security/ima/binary_runtime_measurements failed: Permission denied
error: command failed to execute correctly
(4/4) Arming ConditionNeedsUpdate...

Sounds like that particular file is system-wide and not per-container, which is why you can’t change its permission. I don’t know if it’s possible to specify in the tmpfiles.d configuration that failure should be ignored for a particular file, but if it is, it’d be good for that to be applied to this entry in the relevant archlinux package.
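As an added example (not from the report or the tpm2-tss project), a POSIX sh helper that rewrites the vendor tmpfiles.d file into a drop-in for /etc/tmpfiles.d/ in which every entry under /sys/kernel/security/ carries the "-" type modifier, which tmpfiles.d(5) documents as making a failing line non-fatal during --create (supported since systemd v253). The sample entries and their root/tss user/group columns are constructed assumptions; check the real tpm2-tss-fapi.conf before using the output.

```shell
#!/bin/sh
# Added example, not from the report or the tpm2-tss project.
# Emit a tmpfiles.d drop-in in which every entry under /sys/kernel/security/
# carries the "-" type modifier, which tmpfiles.d(5) documents as making a
# failing line non-fatal during --create (systemd v253 and later).
# A file of the same name in /etc/tmpfiles.d/ replaces the one in
# /usr/lib/tmpfiles.d/ entirely, so unrelated entries are copied through.

# relax_security_fs <tmpfiles.d file>: print the override to stdout.
relax_security_fs() {
    conf=$1
    set -f                      # paths like tpm[0-9] must not be glob-expanded
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;   # keep comments/blank lines
        esac
        set -- $line            # fields: type path mode user group age argument
        ftype=$1; path=$2; shift 2
        case "$path" in
            /sys/kernel/security/*)
                case "$ftype" in
                    *-*) ;;                     # already marked non-fatal
                    *)   ftype="${ftype}-" ;;   # e.g. "z" becomes "z-"
                esac
                ;;
        esac
        printf '%s %s%s\n' "$ftype" "$path" "${1+ $*}"
    done < "$conf"
    set +f
}

# Constructed sample mirroring the two entries the report describes; the
# user/group columns (root/tss) are an assumption, not taken from the real file.
sample_conf() {
    cat <<'EOF'
#Type Path Mode User Group Age Argument
z /sys/kernel/security/tpm[0-9]/binary_bios_measurements 0440 root tss - -
z /sys/kernel/security/ima/binary_runtime_measurements 0440 root tss - -
EOF
}

# Demo: on a real host, redirect this into /etc/tmpfiles.d/tpm2-tss-fapi.conf.
tmp=$(mktemp)
sample_conf > "$tmp"
relax_security_fs "$tmp"
rm -f "$tmp"
```

Because the drop-in shadows the whole vendor file, run it over the real /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf rather than the sample so no entries are lost.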