Now the abstraction used in this case via: #include <abstractions/libvirt-qemu>

Held the following statement like for ages just for this use:

    /dev/ptmx rw,

Please note the difference since the Deny is on: /dev/pts/ptmx

That is especially noteworthy since the former is just a link to the latter:

    $ ll /dev/ptmx
    lrwxrwxrwx 1 root root 13 Apr 20 17:19 /dev/ptmx -> /dev/pts/ptmx

So now inside the container apparmor resolves the path to be checked to "/dev/pts/ptmx". Maybe it did all the time, but before profile stacking it didn't matter, but now it does.

Eventually we might just add /dev/pts/ptmx to the profile, but understanding why it detects the path. It could after all be an LXD issue (not saying that it has to be fixed there).

It seems LXD binds these as: '/dev/pts/ptmx'->'/dev/ptmx'

At least that is what most search hits on the two paths showed me, like in bug 1507959. That said, this could be the reason why in this kvm-in-lxd case the path is no more resolved and checked by apparmor on /dev/ptmx, which is allowed, but on /dev/pts/ptmx instead.

Is this something to be addressed in LXD or in apparmor or just a line to the libvirt profile - I'm not sure.

Setting LXD to New again to get Stéphane's expertise again on that ptmx mapping.

** Changed in: lxd (Ubuntu)
   Status: Invalid => New

--
https://bugs.launchpad.net/bugs/1684481

Title:
  KVM guest execution start apparmor blocks on /dev/ptmx now (regression?)

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
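The mismatch described in the comment (an allow rule on the link /dev/ptmx, a deny on its target /dev/pts/ptmx, and the kernel handing AppArmor the resolved path) can be caught before deployment by walking a profile's path rules and resolving symlinks. The script below is an added example, not code from the bug report, LXD or libvirt; it rebuilds the reported layout in a temporary directory (a constructed sample, not the real /dev) and assumes the simple one-rule-per-line profile syntax shown above.

```shell
#!/bin/sh
# Added example (not from the bug report): flag AppArmor allow rules whose
# path is a symlink while the resolved target is not allowed, which is the
# /dev/ptmx -> /dev/pts/ptmx situation under profile stacking.

# profile_allows PROFILE PATH: true if PROFILE has a non-deny rule whose
# path field is exactly PATH. Deny rules and #include lines are skipped.
profile_allows() {
    awk -v p="$2" '
        $1 == "deny" { next }
        $1 == p && $2 ~ /^[a-zA-Z]+,$/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# check_rule PROFILE PATH: prints "ok", "unlisted", or
# "link-only: LINK -> TARGET" when PATH is allowed but the path it resolves
# to is not (the case that fails once the kernel passes the resolved path).
check_rule() {
    target=$(readlink -f -- "$2")
    if ! profile_allows "$1" "$2"; then
        echo unlisted
    elif [ "$target" != "$2" ] && ! profile_allows "$1" "$target"; then
        echo "link-only: $2 -> $target"
    else
        echo ok
    fi
}

# demo_ptmx_case: constructed reproduction of the report's layout and rules
# in a temp dir (hypothetical sample, never touches /dev), prints the verdict.
demo_ptmx_case() {
    tmp=$(readlink -f "$(mktemp -d)")
    mkdir -p "$tmp/pts" && : > "$tmp/pts/ptmx"
    ln -s "$tmp/pts/ptmx" "$tmp/ptmx"
    printf '%s\n' "$tmp/ptmx rw," "deny $tmp/pts/ptmx rw," > "$tmp/profile"
    check_rule "$tmp/profile" "$tmp/ptmx"
    rm -rf "$tmp"
}
```

Running demo_ptmx_case reports the link-only mismatch; adding a matching rule for the resolved target turns the verdict into ok, which is the "just add /dev/pts/ptmx to the profile" option weighed in the comment.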