For documentation purposes, here is an update. I found that the last thing libvirt calls is "prlimit".

In glibc that is implemented as the syscall prlimit64. That in turn is, on 64 bit:

    #define __NR_prlimit64 302

According to the doc of prlimit it needs a capability: to set or get the resources of a process other than itself, the caller must have "the CAP_SYS_RESOURCE capability, or the real, effective, and saved set user IDs of the target process must match the real user ID of the caller and the real, effective, and saved set group IDs of the target process must match the real group ID of the caller."

But the profile already holds that, with a suspicious comment above it matching my testcase:

    # Needed for vfio
    capability sys_resource,

Did something get more strict, maybe a mismatch on the prlimit/setrlimit/syscall mapping here?

--
https://bugs.launchpad.net/bugs/1679704

Title:
  libvirt profile is blocking global setrlimit despite having no rlimit rule