[apparmor] Bug#847370: Recent apparmor broke "virsh lxc-enter"
seth.arnold at canonical.com
Mon Dec 19 20:35:51 UTC 2016
On Mon, Dec 19, 2016 at 12:17:55PM +0100, intrigeri wrote:
> Guido Günther:
> >> Well, info="Failed name lookup - disconnected path" does ring a bell.
> >> It might be that the libvirtd profile needs the attach_disconnected
> >> flag (there are plenty of examples that do in my /etc/apparmor.d).
I don't know much about libvirt's containers support but the error
messages from the bug:
+ virsh lxc-enter-namespace --noseclabel sl /bin/ls /bin/ls
libvirt: error : Expected at least one file descriptor
error: internal error: Child process (2714) unexpected exit status 125
give me the impression that the error happens very early and very quickly.
The name="" from the audit logs gives me the impression that the profiled
container was trying to find /. This doesn't feel like a recent change to
Are we sure that libvirt's containers support has had working AppArmor
To my knowledge the most recent upstream kernel change that broke existing
profiles is this commit:
But that would probably show up as denied 'm' permissions on an executable
or libraries, not 'r' permissions on what is probably the container's new
root filesystem. This would really only show up once a process within the
container tries to execute a program. The above errors feel like they're
well before the point of trying to exec a program in the container.
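The reply above reasons from three fields of the AppArmor audit records: the empty name="", the info="Failed name lookup - disconnected path" string that hints at the attach_disconnected flag, and the distinction between 'r' denials and the 'm' (mmap) denials a kernel-side change to exec handling would produce. The following triage script is an added example, not code from the thread, from libvirt or from the AppArmor project. It parses audit lines into fields, sorts each DENIED record into one of those categories and attaches the hint the thread associates with it. The log lines it runs on are constructed to have the shape of AppArmor audit records and are not taken from bug 847370; the "attach_disconnected" hint is the suggestion quoted from Guido Günther, not a confirmed fix, and the profile and path names are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample records (not from the Debian bug); they only mimic the
# key="value" layout AppArmor writes to the audit log.
SAMPLE_LOG = """\
type=AVC msg=audit(1482172221.101:301): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="libvirtd" name="" pid=2714 comm="virsh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1482172221.102:302): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/example" name="/usr/lib/x86_64-linux-gnu/libexample.so.1" pid=2801 comm="example" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
type=AVC msg=audit(1482172221.103:303): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/example/secret.conf" pid=2801 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1482172221.104:304): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/hosts" pid=2801 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; a value is either a double-quoted string (may contain
# spaces, may be empty) or a bare token.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Hints are heuristics drawn from the discussion, not verdicts.
HINTS = {
    "disconnected-path": (
        "path lookup failed before any file rule was consulted (name is empty); "
        "candidate fix: add the attach_disconnected profile flag (verify first)"
    ),
    "mmap-exec": (
        "executable/library mapping denied; check the profile's 'm' rules, "
        "the pattern a kernel-side exec change would produce"
    ),
    "file-access": "ordinary file rule missing for the named path",
}


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit record into its fields, dropping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _FIELD.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify(rec: Dict[str, str]) -> str:
    """Assign a DENIED record to one of the categories argued about above."""
    if rec.get("apparmor") != "DENIED":
        return "not-a-denial"
    if "disconnected path" in rec.get("info", ""):
        return "disconnected-path"
    mask = rec.get("denied_mask") or rec.get("requested_mask", "")
    if "m" in mask:
        return "mmap-exec"
    return "file-access"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one summary per DENIED line: profile, name, kind and hint."""
    out: List[Dict[str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        kind = classify(rec)
        if kind == "not-a-denial":
            continue
        out.append({
            "line": str(lineno),
            "profile": rec.get("profile", "?"),
            "operation": rec.get("operation", "?"),
            "name": rec.get("name", ""),
            "mask": rec.get("denied_mask") or rec.get("requested_mask", ""),
            "kind": kind,
            "hint": HINTS[kind],
        })
    return out


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"line {item['line']}: {item['kind']:18} profile={item['profile']} "
              f"op={item['operation']} name={item['name']!r} mask={item['mask']}")
        print(f"    {item['hint']}")
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` output once the placeholder sample is replaced; a burst of "disconnected-path" records with name="" and no "mmap-exec" records at all is the pattern the reply above says points away from the exec-related kernel change and toward the profile flag.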