From d911ab0c473f7fba18c4739673522270bbe8d1e3 Mon Sep 17 00:00:00 2001
From: Alexander Mikhalitsyn
Date: Thu, 27 Jun 2024 12:08:44 +0200
Subject: [PATCH] lxd/apparmor/instance_qemu: relax proc rules a bit to workaround bug in AppArmor
For some reason (bug in AppArmor?): owner @{PROC}/@{pid}/cpuset r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, rules don't work properly and forbid perfectly legal access of Qemu to proc: [13830.493684] audit: type=1400 audit(1719481742.274:388): apparmor="DENIED" operation="open" class="file" profile="lxd-v1_" name="/proc/94213/task/94293/comm" pid=94213 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=999 ouid=0 I've noticed, that removing the "owner" keyword makes it work. Let's do this, despite it relaxes profile and makes things less secure, I can't really see any serious security impact from that change. This only reproducible when core24 is used (new AppArmor) and ceph volume is attached to the VM.
Signed-off-by: Alexander Mikhalitsyn
---
lxd/apparmor/instance_qemu.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lxd/apparmor/instance_qemu.go b/lxd/apparmor/instance_qemu.go
index bab4603ac406..5f00c1e2e190 100644
--- a/lxd/apparmor/instance_qemu.go
+++ b/lxd/apparmor/instance_qemu.go
@@ -41,8 +41,8 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 /{,usr/}bin/qemu-system-* mrix,
 /usr/share/qemu/** kr,
 /usr/share/seabios/** kr,
- owner @{PROC}/@{pid}/cpuset r,
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/@{pid}/cpuset r,
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
 {{ .rootPath }}/etc/nsswitch.conf r,
 {{ .rootPath }}/etc/passwd r,
 {{ .rootPath }}/etc/group r,
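Review bot: The audit record quoted in the commit message (`fsuid=999 ouid=0`) suggests this is not an AppArmor bug: the kernel reports a task's /proc/<pid> entries as root-owned while that task is non-dumpable, so an `owner` rule can never match them whatever the profile says; if that is the cause here, the durable fix is to find what clears the dumpable flag on the QEMU process in the ceph-attached case rather than to drop the qualifier. The two added lines match `@{pid}` and `@{tid}` as arbitrary numbers, so they now also cover other processes' entries; DAC still refuses a uid-999 write to a root-owned `comm`, so the practical widening is read access to any process's `cpuset`, which is consistent with the low impact the commit claims. Whatever is decided, the profile should record why `owner` is absent on these two rules so a later tidy-up does not reintroduce it, e.g. a profile comment directly above them: `# No "owner" here: /proc/<pid> entries are root-owned while QEMU is non-dumpable, so the owner match fails (see commit d911ab0c).`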