Instance: Relax apparmor QEMU proc rules a bit to workaround bug #13673
Commits on Jun 27, 2024
-
lxd/apparmor/instance_qemu: relax proc rules a bit to workaround bug …
…in AppArmor For some reason (bug in AppArmor?): owner @{PROC}/@{pid}/cpuset r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, rules don't work properly and forbid perfectly legal access of Qemu to proc: [13830.493684] audit: type=1400 audit(1719481742.274:388): apparmor="DENIED" operation="open" class="file" profile="lxd-v1_</var/snap/lxd/common/lxd>" name="/proc/94213/task/94293/comm" pid=94213 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=999 ouid=0 I've noticed, that removing the "owner" keyword makes it work. Let's do this, despite it relaxes profile and makes things less secure, I can't really see any serious security impact from that change. This only reproducible when core24 is used (new AppArmor) and ceph volume is attached to the VM. Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.