No permissions to view mounted home folder on multipass instance #3537

Open
AnneCYH opened this issue May 27, 2024 · 4 comments
AnneCYH commented May 27, 2024

Describe the bug
"Permission denied" error when trying to view the contents of the "/home/annecyh" folder which should have been mounted when creating the "primary" instance and when manually creating instances + manually mounting folders.

ubuntu@immortal-coonhound:~$ ls /home/annecyh/
ls: reading directory '/home/annecyh/': Permission denied
ubuntu@immortal-coonhound:~$ 

Followed the instructions in the multipass docs here: https://multipass.run/docs/get-started-with-multipass-linux

Some info about the host machine:

  • 2 physical hard disks. 1 hard disk has Ubuntu, 1 hard disk has Windows installed.
  • Home folder encryption is enabled.
    annecyh@annecyh-ThinkPad-E16-Gen-1 ~ $ ls -A /home/
    .ecryptfs  annecyh  encrypt-temp
    

I think I used these instructions: https://www.linuxuprising.com/2018/04/how-to-encrypt-home-folder-in-ubuntu.html

Other commands that were executed while debugging the issue (but did not help resolve the issue):

snap connect multipass:home
snap connect multipass:removable-media

To Reproduce
These are all the commands that were executed on my host machine.
(The issues observed are similar on first and subsequent installations of multipass). Also attached a text file with the complete steps and terminal output.
multipass-fun.txt

# Commands on host machine
snap install multipass
snap connect multipass:home
snap connections multipass
multipass launch
multipass info immortal-coonhound
multipass mount $HOME immortal-coonhound
multipass info immortal-coonhound
multipass shell immortal-coonhound

# Commands on multipass instance
ls
ls /home/annecyh

Expected behavior
Home directory should be mounted automatically for "primary" instance, and should be mounted correctly for subsequent instances when mounted manually. I expect to be able to run ls and see the contents of the mounted home folder.

Logs
Attached the daemon log: journalctl-output.log

Also including the output of the other commands that were requested.

ls -ld /home/annecyh on host machine:

drwx------ 26 annecyh annecyh 4096 May 21 16:30 /home/annecyh

snap connections multipass on host machine:

annecyh@annecyh-ThinkPad-E16-Gen-1 ~ $ snap connections multipass
Interface          Plug                         Slot                Notes
firewall-control   multipass:firewall-control   :firewall-control   -
home               multipass:all-home           :home               -
home               multipass:home               :home               -
kvm                multipass:kvm                :kvm                -
libvirt            multipass:libvirt            -                   -
lxd                multipass:lxd                -                   -
multipass-support  multipass:multipass-support  :multipass-support  -
network            multipass:network            :network            -
network-bind       multipass:network-bind       :network-bind       -
network-control    multipass:network-control    :network-control    -
network-manager    multipass:network-manager    :network-manager    -
network-observe    multipass:network-observe    :network-observe    -
removable-media    multipass:removable-media    :removable-media    manual
system-observe     multipass:system-observe     :system-observe     -
unity7             multipass:unity7             :unity7             -
wayland            multipass:wayland            :wayland            -
x11                multipass:x11                :x11                -

lsblk -f | grep -v "^loop" on host machine:

annecyh@annecyh-ThinkPad-E16-Gen-1 ~ $ lsblk -f | grep -v "^loop"
NAME        FSTYPE FSVER LABEL     UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1                                                                                
├─nvme0n1p1 vfat   FAT32 SYSTEM    3208-DF27                             219.7M    14% /boot/efi
├─nvme0n1p2                                                                            
├─nvme0n1p3 ntfs         Windows   242E0B3A2E0B0490                      127.6G    36% /media/annecyh/Windows
├─nvme0n1p4 ntfs         Data      A234B27C34B25351                      258.3G     6% /media/annecyh/Data
└─nvme0n1p5 ntfs         WinRE_DRV 4CEA0B3AEA0B2036                                    
nvme1n1                                                                                
├─nvme1n1p1                                                                            
├─nvme1n1p2 ext4   1.0             982972bb-36e7-4d4c-b6db-511c09f66529  820.4G     6% /var/snap/firefox/common/host-hunspell
│                                                                                      /
└─nvme1n1p3 swap   1               fea65242-02ee-4278-ac02-5ec0decff61c                [SWAP]

grep home /proc/self/mountinfo on host machine:

annecyh@annecyh-ThinkPad-E16-Gen-1 ~ $ grep home /proc/self/mountinfo
454 29 0:58 / /home/annecyh rw,nosuid,nodev,relatime shared:1067 - ecryptfs /home/annecyh/.Private rw,ecryptfs_fnek_sig=a23f8eedd834b64f,ecryptfs_sig=cb06bace3994efde,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs

sudo ls /home/annecyh on host machine:

annecyh@annecyh-ThinkPad-E16-Gen-1 ~ $ sudo ls /home/annecyh/
[sudo] password for annecyh: 
 Desktop     Downloads               Music      Public      Videos            canonical           kteam-docs-env
 Documents  'file.txt'   Pictures   Templates  'VirtualBox VMs'   coconut-lorikeet-1x1.JPG   snap
annecyh@annecyh-ThinkPad-E16-Gen-1 ~ $ 

Additional info

  • OS: Ubuntu 24.04
  • multipass version:
    multipass  1.13.1
    multipassd  1.13.1
    
  • multipass info:
    annecyh@annecyh-ThinkPad-E16-Gen-1 ~ $ multipass info
    Name:           immortal-coonhound
    State:          Running
    Snapshots:      0
    IPv4:           10.15.1.8
    Release:        Ubuntu 24.04 LTS
    Image hash:     32a9d30d1880 (Ubuntu 24.04 LTS)
    CPU(s):         1
    Load:           0.08 0.02 0.01
    Disk usage:     1.5GiB out of 4.8GiB
    Memory usage:   326.2MiB out of 956.1MiB
    Mounts:         /home/annecyh => /home/annecyh
                        UID map: 1000:default
                        GID map: 1000:default
    
  • multipass get local.driver:
    annecyh@annecyh-ThinkPad-E16-Gen-1 ~ $ multipass get local.driver
    qemu
    

Additional context
N/A.

Thank you multipass team!

@AnneCYH AnneCYH added bug needs triage Issue needs to be triaged labels May 27, 2024
@sharder996
Contributor

Thanks for the detailed report @AnneCYH!

I am able to reproduce and will look into this

@sharder996 sharder996 removed the needs triage Issue needs to be triaged label May 27, 2024
@sharder996
Contributor

Ok, the issue here is that the AppArmor profile for the sshfs server used to serve the mount does not include the mount target of the encrypted directory. This is because we do not recursively follow all mounts/symlinks within mounted directories and allow access to them, just the top level directory itself.

@sharder996
Contributor

@AnneCYH As a workaround for the time being, you can define the mount so that the mount target is included in the mount. For example, it looks like the default directory is /home/.ecryptfs/<user>/.Private/ so mounting /home into the instance includes the mount target as well as your own home directory and should work as intended.

@ricab ricab added documentation and removed bug labels Jul 1, 2024
@ricab
Collaborator

ricab commented Jul 1, 2024

I don't think there is much we can do about this. We could document mounting /home as a workaround, but it might be too specific to this case for generic documentation. Something to think about perhaps.
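
Added example (not part of the issue thread and not Multipass code): a host-side check for the situation described in the comments above, where the directory being shared is an eCryptfs mount whose backing directory lies outside it, returning the closest directory that covers both. The symlink target used for `~/.Private` is an assumption based on the default path mentioned in the workaround comment, and all function names are hypothetical.

```python
import os
import re

STACKED_FS = {"ecryptfs"}  # filesystems whose data lives in another directory

# Constructed sample: the mountinfo line from the issue, options abridged.
SAMPLE = ("454 29 0:58 / /home/annecyh rw,nosuid,nodev,relatime shared:1067 - "
          "ecryptfs /home/annecyh/.Private rw,ecryptfs_cipher=aes\n")
# Assumption: ~/.Private is a symlink to the default eCryptfs backing directory.
SAMPLE_LINKS = {"/home/annecyh/.Private": "/home/.ecryptfs/annecyh/.Private"}

def sample_resolve(path):
    """Stand-in for os.path.realpath that works on the constructed sample."""
    return SAMPLE_LINKS.get(path, path)

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Yield (mount_point, fstype, source) for each mountinfo line."""
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        pre, post = left.split(), right.split()
        if sep and len(pre) >= 5 and len(post) >= 2:
            yield _unescape(pre[4]), post[0], _unescape(post[1])

def _inside(path, root):
    return os.path.commonpath([path, root]) == root

def backing_dirs_outside(share_dir, mountinfo, resolve=os.path.realpath):
    """Backing dirs of stacked mounts at or below share_dir that lie outside it."""
    share_dir = os.path.normpath(share_dir)
    outside = []
    for mount_point, fstype, source in parse_mountinfo(mountinfo):
        if fstype in STACKED_FS and _inside(mount_point, share_dir):
            lower = resolve(source)
            if not _inside(lower, share_dir):
                outside.append(lower)
    return outside

def smallest_covering_dir(share_dir, mountinfo, resolve=os.path.realpath):
    """Closest common ancestor of share_dir and every outside backing dir."""
    extra = backing_dirs_outside(share_dir, mountinfo, resolve)
    return os.path.commonpath([os.path.normpath(share_dir)] + extra)

if __name__ == "__main__":
    print(backing_dirs_outside("/home/annecyh", SAMPLE, sample_resolve))
    print(smallest_covering_dir("/home/annecyh", SAMPLE, sample_resolve))
```

On a real host, pass the contents of `/proc/self/mountinfo` and leave `resolve` at its default. A wider mount also exposes more of the host to the instance, so share the covering directory only when that is acceptable.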
