[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-30 Thread ChristianEhrhardt
Per bug 1763427 this is Fix released since 4.15.0-18.19 ** Changed in: apparmor (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-30 Thread Frank Heimes
** Changed in: ubuntu-power-systems Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1679704 Title: libvirt profile is

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-23 Thread Frank Heimes
** Changed in: apparmor (Ubuntu) Status: In Progress => Fix Committed ** Changed in: ubuntu-power-systems Status: In Progress => Fix Committed

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-17 Thread ChristianEhrhardt
Tested the interim version from [1]
TL;DR: with that it is working
base: 4.15.0-13
proposed fix: 4.15.0.16.17

## Base ##
$ virsh attach-device cpaelzer-bionic hp512.xml
error: Failed to attach device from hp512.xml
error: cannot limit locked memory of process 10121 to 96468992: Permission denied

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-16 Thread ChristianEhrhardt
Test kernel somewhere that supports PPC64?

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-16 Thread Frank Heimes
A merge proposal to incl. the fixes was sent to the kernel-team.

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-11 Thread John Johansen
So I have been looking at this again, and have found a couple issues. 1. Where prlimit is concerned. AppArmor adds an additional restriction on when cap sys_resource is required. The CAP_SYS_RESOURCE capability is required if the target process's label does not match that of the caller. Hence why

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-05 Thread Manoj Iyer
** Tags added: triage-a

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-05 Thread ChristianEhrhardt
Example Deny:
[ 774.341606] audit: type=1400 audit(1522915593.238:42): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"
Source:

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-05 Thread ChristianEhrhardt
FYI: Test case of the mem hotplug in https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1755153/comments/7 Only triggers on powerpc as they lock some memory while doing so (x86 does not).

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-05 Thread bugproxy
** Tags removed: severity-high ** Tags added: severity-critical

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-05 Thread Andrew Cloke
** Changed in: ubuntu-power-systems Assignee: (unassigned) => Canonical Security Team (canonical-security)

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-04 Thread Frank Heimes
** Also affects: ubuntu-power-systems Importance: Undecided Status: New ** Changed in: ubuntu-power-systems Importance: Undecided => Critical ** Changed in: ubuntu-power-systems Status: New => In Progress

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2018-04-03 Thread ChristianEhrhardt
We have another hit of this by memory hot plug (when locked I assume). I asked the reporters to chime in here. But even for the former case we had given the time we wait already I want to bump the prio. This is really important to some use cases. ** Changed in: apparmor (Ubuntu) Importance:

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-12-20 Thread Frank Heimes
** Tags added: ppc64el

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-12-20 Thread ChristianEhrhardt
In testing newer virt stack I still hit this and need the workarounds to get it to work :-/ Any update and/or ETA on this?

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-08-21 Thread ChristianEhrhardt
Hi Lagarcia, I came by on another activity again - but we have to ask @JJohansen what the status of this is.

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-05-29 Thread ChristianEhrhardt
FYI - the remaining related rules that were blocking us are now SRU'ed. For now I was verifying with manually increasing the prlimit and things worked, therefore I assume that this bug over here is the remaining one for the overall case that was initially reported. So I dupped the other bug

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-20 Thread John Johansen
Every release that supports prlimit is at least partially affected. However the xenial, yakkety, zesty releases that have support stacking code compound the issue. I'll look into the ppc64el build, I'm sure it's possible, it's just one that I have never done a test kernel for so I will have to learn

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-20 Thread ChristianEhrhardt
Also updating the bug status to match current work. ** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => John Johansen (jjohansen) ** Changed in: apparmor (Ubuntu) Status: New => In Progress

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-19 Thread ChristianEhrhardt
@JJohansen - for testing I'd need that for ppc64el if possible. My x86 machines go often down due to FW bugs if testing these cases. Any chance to build a test kernel for that arch? Since you have a test kernel it seems you have found the issue. What is the way of delivery for this - normal

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-13 Thread bugproxy
--- Comment From lagar...@br.ibm.com 2017-04-13 21:07 EDT--- Please, reverse mirror LP1679704 (libvirt profile is blocking global setrlimit despite having no rlimit rule). ** Tags added: architecture-ppc64le bugnameltc-153457 severity-high targetmilestone-inin1704

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-07 Thread John Johansen
I have placed amd64 test kernels at http://people.canonical.com/~jj/lp1679704/ It fixes the complain issue, which should let you proceed without removing the profile and I am working on a regression test to add to the test suite.

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-06 Thread ChristianEhrhardt
Also even when setting the profile to aa-complain I see:
[14406.210381] audit: type=1400 audit(1491482071.335:67): apparmor="ALLOWED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=7674 comm="libvirtd" rlimit=memlock value=2164260864
So far so good, but still the value is not raised. As

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-06 Thread ChristianEhrhardt
Ok, by the recent insight this bug IS blocking the final resolution of bug 1678322. I'll work on the other bits of that bug and we will see how this one here turns out.

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-06 Thread ChristianEhrhardt
Very interesting disabling the profile completely via $ sudo aa-disable /usr/sbin/libvirtd makes it working, so apparmor is involved in some way. I'm still puzzled that the ALLOWED makes it a no-op still. Anyway waiting for your reply - thanks a lot already jjohansen for the IRC discussions!

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-06 Thread ChristianEhrhardt
For documentation purpose here an update. I found that the last thing libvirt calls is "prlimit" In glibc that is implemented as syscall prlimit64. That in turn is on 64 bit: #define __NR_prlimit64 302 According to the doc of prlimit it needs a capability: To set or get the resources of a

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-06 Thread ChristianEhrhardt
Leveraging from the original bug this came from when debugging: As a workaround for the case reported a user might set memtune options for the guest like this: 16961536 16961536 Needed numbers may vary depending on the case. Ugly but a workaround at least. This is still really

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-05 Thread ChristianEhrhardt
Hi Seth, so far confirmed on ppc64el and x86. I haven't tried more, but usually after two it affects all of them.

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-04 Thread Seth Arnold
Christian, which architecture is this? ISTR some arch having troubles with rlimit and I can't recall details now. Thanks

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-04 Thread ChristianEhrhardt
Error in iLO links to http://h17007.www1.hpe.com/docs/enterprise/servers/gen9/tsg/244937.htm But since multiple systems trigger it I'd not say "hardware is physically damaged".

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-04 Thread ChristianEhrhardt
** Attachment added: "re-parsed file: apparmor_parser -QT -o file1 /etc/apparmor.d/usr.sbin.libvirtd" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1679704/+attachment/4854331/+files/file1

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-04 Thread ChristianEhrhardt
The profiles and all the rest of the system is default zesty without modifications.

[Touch-packages] [Bug 1679704] Re: libvirt profile is blocking global setrlimit despite having no rlimit rule

2017-04-04 Thread ChristianEhrhardt
** Attachment added: "/sys/kernel/security/apparmor/policy/profiles/usr.sbin.libvirtd.13/raw_data" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1679704/+attachment/4854332/+files/usr.sbin.libvirtd.13-raw-data