Public bug reported:
Hi,
while debugging bug 1678322 I was running into apparmor issues.
Thanks to jjohansen we debugged some of it and eventually I was asked to
report a bug.
Symptom:
[ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" rlimit=memlock value=1610612736
But none of the profiles has any rlimit statement in it:
$ grep -Hirn limit /etc/apparmor*
/etc/apparmor.d/sbin.dhclient:58: # such, if the dhclient3 daemon is subverted, this effectively limits it to
/etc/apparmor.d/abstractions/ubuntu-helpers:16:# Limitations:
/etc/apparmor.d/abstractions/ubuntu-helpers:64: # in limited libraries so glibc's secure execution should be enough to not
/etc/apparmor.d/cache/.features:13:rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
The profile contains a child profile which makes reading the dumps a bit
painful, but I'll attach them anyway for you to take a look.
To "recreate" if needed check out bug 1678322 - TL;DR hot-add some VFs via
libvirt.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
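As an added example (not part of the bug report or of apparmor/libvirt), a small Python triage helper that parses type=1400 AppArmor audit lines like the one above, keeps only DENIED setrlimit events, decodes the byte value, and prints the profile rule that would explicitly permit the request; the rule syntax is assumed from apparmor.d(5), and the sample log is constructed.

```python
import re

# Constructed sample log: the DENIED line quoted in the bug report plus one
# unrelated open() event, so the filter has something to skip.
SAMPLE_LOG = """\
[ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" rlimit=memlock value=1610612736
[ 8977.001200] audit: type=1400 audit(1491310016.300:49): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/libvirt/qemu.conf" pid=10034 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs: the value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_ID_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')
# rlimit resources whose value is a byte count (others are counts or seconds)
BYTE_LIMITS = {"memlock", "as", "data", "stack", "core", "rss", "fsize", "msgqueue"}

def parse_apparmor_line(line):
    """Parse one type=1400 AppArmor audit line into a dict; None if it is not one."""
    if 'apparmor="' not in line:
        return None
    fields = {k: (u if u else q) for k, q, u in KV_RE.findall(line)}
    m = AUDIT_ID_RE.search(line)
    if m:
        fields["timestamp"], fields["serial"] = int(m.group(1)), int(m.group(2))
    return fields

def human_bytes(n):
    """Render a byte count in binary units (1610612736 -> '1.5 GiB')."""
    for unit in ("B", "KiB", "MiB", "GiB"):
        if n < 1024 or unit == "GiB":
            return f"{n:g} {unit}"
        n /= 1024

def setrlimit_denials(log_text):
    """Return DENIED setrlimit events from a log, value decoded to int and units."""
    events = []
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED" or ev.get("operation") != "setrlimit":
            continue
        ev["value"] = int(ev["value"])
        if ev.get("rlimit") in BYTE_LIMITS:
            ev["value_human"] = human_bytes(ev["value"])
        events.append(ev)
    return events

def suggest_rule(ev):
    """Profile line that would explicitly allow the request.
    Assumed syntax from apparmor.d(5): 'set rlimit <resource> <= <value>,'."""
    return f'set rlimit {ev["rlimit"]} <= {ev["value"]},'
```

Feed it the text of `dmesg` or `journalctl -k` to list the decoded events; whether a rule belongs in the profile is still a judgement for the profile maintainer.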
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1679704
Title:
libvirt profile is blocking global setrlimit despite having no rlimit
rule
Status in apparmor package in Ubuntu:
New