On 09/25/2017 12:16 PM, Vincas Dargis wrote: > I can provide merge request, and I would like to suggest simplifying > that ever-growing expression. > > Couldn't it be just [0-9]*? Are there possibility that `/proc` will have well it could but, its not as tight as I would like, ideally we could give access to more than just apparmorre and make this tighter.
well actually ideally this will switch over to a kernel var, but that is not ready yet > some item, starting with digit, *not* being a pid? > I don't know of any atm, its possible but unlikely -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1717714 Title: @{pid} variable broken on systems with pid_max more than 6 digits Status in AppArmor: New Status in apparmor package in Ubuntu: New Bug description: If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it. @{pid} is defined in /etc/apparmor.d/tunables: @{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]} It only covers up to 6 digits. This Ubuntu 17.04 system has: kernel.pid_max = 4194303 And is showing type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111 Which should be matched by @{PROC}/sys/vm/overcommit_memory r, in /etc/apparmor.d/abstractions/libvirt-qemu I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17) I am aware this is a non-default configuration, but I think this should work. To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1717714/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
