For documentation purpose here an update. I found that the last thing libvirt calls is "prlimit"
In glibc that is implemented as syscall prlimit64. That in turn is on 64 bit: #define __NR_prlimit64 302 According to the doc of prlimit it needs a capability: To set or get the resources of a process other than itself, the caller must have "the CAP_SYS_RESOURCE capability, or the real, effective, and saved set user IDs of the target process must match the real user ID of the caller and the real, effective, and saved set group IDs of the target process must match the real group ID of the caller." But the profile already holds that with a suspicious comment above it matching my testcase: # Needed for vfio capability sys_resource, Did something get more strict, maybe a mismatch on prlimit/setrlimit/syscall mapping here? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1679704 Title: libvirt profile is blocking global setrlimit despite having no rlimit rule Status in apparmor package in Ubuntu: New Bug description: Hi, while debugging bug 1678322 I was running along apparmor issues. Thanks to jjohansen we debugged some of it and eventually I was asked to report to a bug. Symptom: [ 8976.950635] audit: type=1400 audit(1491310016.224:48): apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=10034 comm="libvirtd" rlimit=memlock value=1610612736 But none of the profiles has any rlimit statement in it: $ grep -Hirn limit /etc/apparmor* /etc/apparmor.d/sbin.dhclient:58: # such, if the dhclient3 daemon is subverted, this effectively limits it to /etc/apparmor.d/abstractions/ubuntu-helpers:16:# Limitations: /etc/apparmor.d/abstractions/ubuntu-helpers:64: # in limited libraries so glibc's secure execution should be enough to not /etc/apparmor.d/cache/.features:13:rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime The profile contains a child profile which makes reading the dumps a bit painful, but I'll attach them anyway for you to take a look. To "recreate" if needed check out bug 1678322 - TL;DR hot-add some VFs via libvirt. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1679704/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
