Per bug 1763427 this is Fix released since 4.15.0-18.19
** Changed in: apparmor (Ubuntu)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1679704
Title:
libvirt profile is blocking global setrlimit despite having no rlimit rule
Status in The Ubuntu-power-systems project:
Fix Released
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
Hi,
while debugging bug 1678322 I was running along apparmor issues.
Thanks to jjohansen we debugged some of it and eventually I was asked to
report to a bug.
Symptom:
[ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" rlimit=memlock value=1610612736
But none of the profiles has any rlimit statement in it:
$ grep -Hirn limit /etc/apparmor*
/etc/apparmor.d/sbin.dhclient:58: # such, if the dhclient3 daemon is subverted, this effectively limits it to
/etc/apparmor.d/abstractions/ubuntu-helpers:16:# Limitations:
/etc/apparmor.d/abstractions/ubuntu-helpers:64: # in limited libraries so glibc's secure execution should be enough to not
/etc/apparmor.d/cache/.features:13:rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
The profile contains a child profile which makes reading the dumps a bit
painful, but I'll attach them anyway for you to take a look.
To "recreate" if needed check out bug 1678322 - TL;DR hot-add some VFs via
libvirt.
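Added example (not part of the original bug report, and not AppArmor or libvirt code): a small triage helper that parses a setrlimit denial like the one quoted above and checks whether the profile text contains a matching "set rlimit" rule, which is the mismatch this bug describes. The profile fragments and function names are constructed for illustration, and the scan treats the whole file as one profile rather than separating child profiles.

```python
import re

# Constructed sample: the denial quoted in the report, joined onto one line.
SAMPLE_DENIAL = (
    '[ 8976.950635] audit: type=1400 audit(1491310016.224:48): '
    'apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" '
    'pid=10034 comm="libvirtd" rlimit=memlock value=1610612736'
)
# Constructed profile fragments (hypothetical, not the shipped libvirtd profile).
PROFILE_WITHOUT_RULE = """/usr/sbin/libvirtd {
  # this effectively limits it to ...  (a comment, like the grep hits above)
  capability sys_resource,
}
"""
PROFILE_WITH_RULE = """/usr/sbin/libvirtd {
  set rlimit memlock <= 2G,
}
"""

_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# apparmor.d rlimit rule form: set rlimit RESOURCE <= VALUE,
_RLIMIT_RULE = re.compile(r'^\s*set\s+rlimit\s+(\w+)\s*<=\s*([^,\s]+)\s*,', re.M)

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in _FIELD.findall(line)}

def rlimit_rules(profile_text):
    """Map resource name to limit for each uncommented 'set rlimit' rule."""
    return dict(_RLIMIT_RULE.findall(profile_text))

def triage(line, profile_text):
    """Classify a setrlimit denial against the profile text it came from."""
    d = parse_denial(line)
    if d.get("apparmor") != "DENIED" or d.get("operation") != "setrlimit":
        return None  # not the kind of record this helper looks at
    rules = rlimit_rules(profile_text)
    return {
        "profile": d["profile"],
        "resource": d["rlimit"],
        "requested_mib": int(d["value"]) // (1024 * 1024),
        "rule": rules.get(d["rlimit"]),
        # Denied although no rule names this resource: the symptom reported here.
        "unexplained": d["rlimit"] not in rules,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_DENIAL, PROFILE_WITHOUT_RULE))
```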