With AppArmor's 4.0 ABI, access to POSIX message queues (/dev/mqueue) does not happen just via the path anymore; there's a separate `mqueue` class. With Debian trixie we now have a 4.0 userspace, so we need to allow this explicitly to get back to the pve-8 state.
Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- src/PVE/LXC.pm | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index ffedcb9..741bb33 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm @@ -592,6 +592,11 @@ sub make_apparmor_config { # code to figure out whether we should warn the user: my $raw = "lxc.apparmor.profile = generated\n"; + + # We use abi/4.0 which has its own mqueue class which governs access to /dev/mqueue now. + # This is currently not default in lxc's profile, so we enable it explicitly. + $raw .= "lxc.apparmor.raw = allow mqueue,\n"; + my @profile_uses; if ($features->{fuse}) { -- 2.47.2
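Review bot: The added `lxc.apparmor.raw = allow mqueue,` line in make_apparmor_config is appended to `$raw` unconditionally and carries no type or permission qualifier, while the commit message and the new comment only talk about POSIX queues under /dev/mqueue. If the `mqueue` class covers more than that, the rule grants more than the pve-8 state being restored; consider narrowing it to the POSIX case, or state in the comment that the broad grant is intentional. The comment says the rule is "currently not default in lxc's profile", so it would also help to note when the line can be dropped again, so that it does not linger as a duplicate once lxc's generated profile includes it.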