[apparmor] Bug#847370: Recent apparmor broke "virsh lxc-enter"

Seth Arnold seth.arnold at canonical.com
Mon Dec 19 20:35:51 UTC 2016


On Mon, Dec 19, 2016 at 12:17:55PM +0100, intrigeri wrote:
> Guido Günther:
> >> Well, info="Failed name lookup - disconnected path" does ring a bell.
> >> It might be that the libvirtd profile needs the attach_disconnected
> >> flag (there are plenty of examples that do in my /etc/apparmor.d).

I don't know much about libvirt's containers support but the error
messages from the bug:

    …
    + virsh lxc-enter-namespace --noseclabel sl /bin/ls /bin/ls
    libvirt:  error : Expected at least one file descriptor
    error: internal error: Child process (2714) unexpected exit status 125
    …

give me the impression that the error happens very early and very quickly.
The name="" from the audit logs gives me the impression that the profiled
container was trying to find /. This doesn't feel like a recent change to
me.

Are we sure that libvirt's containers support has had working AppArmor
support before?

To my knowledge the most recent upstream kernel change that broke existing
profiles is this commit:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9f834ec18defc369d73ccf9e87a2790bfa05bf46

But that would probably show up as denied 'm' permissions on an executable
or libraries, not 'r' permissions on what is probably the container's new
root filesystem. This would really only show up once a process within the
container tries to execute a program. The above errors feel like they're
well before the point of trying to exec a program in the container.

Thanks
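An added example, not from the thread or from the libvirt/AppArmor projects: a small Python triage script that applies the reasoning above to constructed audit records, separating the disconnected-path denial (name="" with an 'r' mask) from the 'm' denials on executables or libraries that the kernel change would produce. The profile name and paths in the sample lines are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample audit records (not taken from the bug report); the
# profile name and file paths are placeholders.
SAMPLE_LOG = """\
type=AVC msg=audit(1482180000.101:201): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-PLACEHOLDER-UUID" name="" pid=2714 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1482180000.102:202): apparmor="DENIED" operation="file_mmap" profile="libvirt-PLACEHOLDER-UUID" name="/lib/x86_64-linux-gnu/libc.so.6" pid=2714 comm="ls" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
type=AVC msg=audit(1482180000.103:203): apparmor="DENIED" operation="open" profile="libvirt-PLACEHOLDER-UUID" name="/etc/hostname" pid=2715 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as AppArmor audit records are written
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit record into its key=value fields."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify(rec: Dict[str, str]) -> str:
    """Map a DENIED record to the profile change it most likely points at."""
    if rec.get("apparmor") != "DENIED":
        return "not a denial"
    if "disconnected path" in rec.get("info", ""):
        # name="" plus this info string: the kernel could not build a path
        # for the object from the process's namespace root. This is the
        # case the attach_disconnected profile flag exists for.
        return "disconnected path: consider attach_disconnected"
    if "m" in rec.get("denied_mask", ""):
        # mmap-exec denials on binaries/libraries are what the kernel change
        # discussed in the message would surface as; they need an 'm' rule.
        return "missing 'm' (mmap) rule for " + rec.get("name", "?")
    return "missing '%s' rule for %s" % (rec.get("denied_mask", "?"),
                                         rec.get("name", "?"))


def triage(log: str) -> List[str]:
    """Classify every non-empty record in an audit log excerpt."""
    return [classify(parse_line(l)) for l in log.splitlines() if l.strip()]
```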