Leveraging from the original bug this came from when debugging:
As a workaround for the case reported a user might set memtune options for the
guest like this:
<memtune>
<hard_limit unit='KiB'>16961536</hard_limit>
<soft_limit unit='KiB'>16961536</soft_limit>
</memtune>
Needed numbers may vary depending on the case.
Ugly but a workaround at least.
This is still really awkward, at least we need to understand why it is even
blocking when it should not.
If there is no fix that makes it "just work" I'm fine SRUing something into the
libvirt/qemu profiles but we'd need to know what and so far we don't.
** Changed in: apparmor (Ubuntu)
Importance: Undecided => High
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1679704
Title:
libvirt profile is blocking global setrlimit despite having no rlimit
rule
Status in apparmor package in Ubuntu:
New
Bug description:
Hi,
while debugging bug 1678322 I was running along apparmor issues.
Thanks to jjohansen we debugged some of it and eventually I was asked to
report to a bug.
Symptom:
[ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" rlimit=memlock value=1610612736
But none of the profiles has any rlimit statement in it:
$ grep -Hirn limit /etc/apparmor*
/etc/apparmor.d/sbin.dhclient:58: # such, if the dhclient3 daemon is subverted, this effectively limits it to
/etc/apparmor.d/abstractions/ubuntu-helpers:16:# Limitations:
/etc/apparmor.d/abstractions/ubuntu-helpers:64: # in limited libraries so glibc's secure execution should be enough to not
/etc/apparmor.d/cache/.features:13:rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
The profile contains a child profile which makes reading the dumps a bit
painful, but I'll attach them anyway for you to take a look.
To "recreate" if needed check out bug 1678322 - TL;DR hot-add some VFs via
libvirt.
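The denial above is the only evidence the reporter had to go on, and in practice such lines are buried among many other audit events. The following is an added example (not part of the bug report, and not libvirt or AppArmor project code) that picks `setrlimit` denials out of kernel audit output and reports the profile, the rlimit name and the requested value. The sample log is constructed here: it is the reporter's denial line plus one unrelated allowed event, so the filter has something to discard. The `bytes_to_kib` helper is an assumption-free unit conversion, included because the audit `value=` field is in bytes while the `<memtune>` limits in the comment are given in KiB.

```python
"""Extract AppArmor setrlimit denials from kernel audit output."""
import re

# Constructed sample input: the denial quoted in the bug report plus one
# unrelated ALLOWED open event, to show that non-matching lines are dropped.
SAMPLE_LOG = """\
[ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" rlimit=memlock value=1610612736
[ 8977.000000] audit: type=1400 audit(1491310016.300:49): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/libvirt/qemu.conf" pid=10034 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs: the value is either "quoted" (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_event(line):
    """Return the key/value fields of one audit line, or None if it is not an AppArmor event."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def setrlimit_denials(log_text):
    """Return a structured record for every DENIED setrlimit event in log_text."""
    records = []
    for line in log_text.splitlines():
        ev = parse_apparmor_event(line)
        if not ev or ev.get('apparmor') != 'DENIED' or ev.get('operation') != 'setrlimit':
            continue
        value = ev.get('value', '')
        records.append({
            'profile': ev.get('profile'),
            'comm': ev.get('comm'),
            'pid': int(ev['pid']) if ev.get('pid', '').isdigit() else None,
            'rlimit': ev.get('rlimit'),
            'value': int(value) if value.isdigit() else None,
        })
    return records


def bytes_to_kib(n):
    """The audit value= field is in bytes; libvirt <memtune> limits are written in KiB."""
    return n // 1024


if __name__ == '__main__':
    for rec in setrlimit_denials(SAMPLE_LOG):
        print(f"{rec['profile']} (pid {rec['pid']}, comm {rec['comm']}): "
              f"rlimit {rec['rlimit']} -> {rec['value']} bytes "
              f"({bytes_to_kib(rec['value'])} KiB)")
```

Running it on a real host would mean feeding it `dmesg` or `/var/log/audit/audit.log` output instead of `SAMPLE_LOG`; the point of the filter is that a `setrlimit` denial against a profile with no `rlimit` rule, as in this report, is the thing to look for before reaching for the `<memtune>` workaround.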
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1679704/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp