Now the abstraction used in this case via:
#include <abstractions/libvirt-qemu>

has held the following statement for ages, just for this use:
/dev/ptmx rw,

Please note the difference since the Deny is on:
/dev/pts/ptmx

That is especially noteworthy since the former is just a link to the latter:
$ ll /dev/ptmx
lrwxrwxrwx 1 root root 13 Apr 20 17:19 /dev/ptmx -> /dev/pts/ptmx

So now inside the container apparmor resolves the path to be checked to
"/dev/pts/ptmx".
Maybe it did all the time, but before profile stacking it didn't matter; now
it does.

Eventually we might just add /dev/pts/ptmx to the profile, but first we should
understand why it detects that path. It could after all be an LXD issue (not
saying that it has to be fixed there). It seems LXD binds these as:
'/dev/pts/ptmx' -> '/dev/ptmx'
At least that is what most search hits on the two paths showed me, like in bug
1507959.

That said, this could be the reason why in this kvm-in-lxd case the path is
no longer resolved and checked by apparmor on /dev/ptmx, which is allowed, but
on /dev/pts/ptmx instead.

Is this something to be addressed in LXD or in apparmor, or just a line in the
libvirt profile? I'm not sure.
Setting LXD back to New to get Stephane's expertise again on that ptmx mapping.

** Changed in: lxd (Ubuntu)
       Status: Invalid => New
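
An added example, not part of the bug report and not code from LXD, libvirt or AppArmor: a small POSIX shell script that rebuilds the link layout shown above (ptmx -> pts/ptmx) in a throwaway temp directory, canonicalises the path a process would open, and checks it against a rule path, so you can see why a rule written for the symlink does not cover an open that the kernel resolves to the target. It also extracts the name= field from a denial line, which is the path that was actually checked. The function names, the temp-dir layout and the sample audit line are all constructed here; matching is exact-string only, and AppArmor globbing and profile stacking are not modelled.

```shell
# Added example (not from the bug report): compare the path a process opens,
# after symlink resolution, with the path named in a profile rule.
# Everything runs inside a temp dir; the real /dev is never touched.

# resolve_target PATH: print the canonical path with every symlink followed.
resolve_target() {
    readlink -f -- "$1"
}

# rule_covers RULE_PATH OPEN_PATH: succeed when the opened path, once
# canonicalised, is exactly the path the rule names (no globbing modelled).
rule_covers() {
    [ "$(resolve_target "$2")" = "$1" ]
}

# denied_path LOGLINE: pull name="..." out of an AppArmor DENIED audit line,
# i.e. the path the kernel actually checked.
denied_path() {
    printf '%s\n' "$1" | sed -n 's/.* name="\([^"]*\)".*/\1/p'
}

# make_demo_root: build a throwaway tree with the container's layout,
# dev/ptmx -> dev/pts/ptmx, and print its canonical root directory.
make_demo_root() {
    demo=$(readlink -f -- "$(mktemp -d)")
    mkdir -p "$demo/dev/pts"
    : > "$demo/dev/pts/ptmx"                        # stand-in for the device node
    ln -s "$demo/dev/pts/ptmx" "$demo/dev/ptmx"     # same shape as "ll /dev/ptmx" above
    printf '%s\n' "$demo"
}

# Constructed audit line in the shape of an AppArmor denial; the profile name,
# pid and comm are made up for the example.
SAMPLE_DENIAL='audit: type=1400 apparmor="DENIED" operation="open" profile="example-profile" name="/dev/pts/ptmx" pid=12345 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0'

main() {
    root=$(make_demo_root)
    printf 'path checked by the kernel: %s\n' "$(denied_path "$SAMPLE_DENIAL")"
    if rule_covers "$root/dev/ptmx" "$root/dev/ptmx"; then
        echo "rule for dev/ptmx covers the open"
    else
        echo "rule for dev/ptmx does NOT cover the open; it resolves to $(resolve_target "$root/dev/ptmx")"
    fi
    if rule_covers "$root/dev/pts/ptmx" "$root/dev/ptmx"; then
        echo "rule for dev/pts/ptmx covers the open"
    fi
    rm -rf "$root"
}

main
```

Run it as-is to see that the rule written for the symlink path fails the exact match while the rule for the resolved target passes; the same two functions can be pointed at the real /dev/ptmx on a host or container to confirm which path a profile line must name there.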

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1684481

Title:
  KVM guest execution start apparmor blocks on /dev/ptmx now
  (regression?)
