Public bug reported: Somewhere in the code path to instantiate nwfilters, libvirt fetches the relevant network interface's index. This is done through an ioctl on a socket fd. This socket fd is created with socket(PF_SOCKET, SOCK_DGRAM, 0). AppArmor blocks this socket() call. According to netdevice(7):
    Linux supports some standard ioctls to configure network devices. They can be used on any socket's file descriptor regardless of the family or type.

Changing PF_SOCKET to PF_INET works as expected. However, given how close we are to release, I'm not super comfortable making this change, so I'm proposing we add "network socket dgram" to /etc/apparmor.d/usr.sbin.libvirtd instead and revisit this for natty. Comments?

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

-- 
NWFilter support broken due to Apparmour restrictions
https://bugs.launchpad.net/bugs/646706