On 12/06/2017 10:09 AM, intrigeri wrote:
> Hi,
>
> Felix Geyer:
>> With feature pinning enabled the parser seems to not load the mount rules but
>> the kernel still somewhat enforces mount mediation.
>
>> For example starting a libvirt qemu VM fails with:
>> AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13
>> profile="/usr/sbin/libvirtd" name="/" pid=8043 comm="libvirtd" flags="rw,
>> rslave"
>
>> The libvirtd profile simply has a "mount," rule.
>
>> See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697#41
>> (same problem with stretch-pu)
>
> Ouch. We had a similar problem for network rules but I had no idea we
> have one for mount rules as well (I'm running without the pinning
> myself, in order to identify issues early so we can update the policy
> before we bump the pinned feature set).
>
> For sid, I think we should simply bump the pinned feature set to
> 4.14's: it's easier to fix policy than to deal with kernel bugs.
> Cc'ing John so he's aware of this kernel bug.
>
> For Stretch, my proposed update shall be reverted. I'll follow up on
> the corresponding release.d.o bug.
>
Ouch, sorry. I'll get a patch together for the kernel. With that said, it is possible to have a workaround in the compiler, so userspace patching is possible if we hit a need to do so to support an existing release.

