Package: apparmor
Version: 2.11.1-1
Severity: important

Feature pinning breaks mount() of confined processes with kernel 4.14.

With feature pinning enabled the parser seems to not load the mount rules but the
kernel still somewhat enforces mount mediation.

For example starting a libvirt qemu VM fails with:
AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/" pid=8043 comm="libvirtd" flags="rw, rslave"

The libvirtd profile simply has a "mount," rule.

See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697#41
(same problem with stretch-pu)

Disabling the features-file option in /etc/apparmor/parser.conf works around the
problem.

Felix
