Thanks John, as extra info on the ptmx pathing.

Host:
$ ls -laF /dev/ptmx /dev/pts/ptmx
crw-rw-rw- 1 root root 5, 2 Apr 21 2017 /dev/ptmx
c--------- 1 root root 5, 2 Apr 12 17:36 /dev/pts/ptmx

Container:
$ lxc exec testkvm-xenial-from -- ls -laF /dev/ptmx /dev/pts/ptmx
lrwxrwxrwx 1 root root 13 Apr 20 17:19 /dev/ptmx -> /dev/pts/ptmx
crw-rw-rw- 1 root root 5, 2 Apr 20 17:19 /dev/pts/ptmx

That plus your explanation on "mediation after symlink" explains why we see this. In the non-container case it is NOT a symlink; it will open /dev/ptmx, that is the path apparmor mediates, and things work. But in the container case it is a symlink, so it is resolved before mediation and the new path /dev/pts/ptmx is blocked by the profile.

@Stephane - could/would lxd be able to do that in a way without the symlink but "as in the host"?

https://bugs.launchpad.net/bugs/1684481
Title: KVM guest execution start apparmor blocks on /dev/ptmx now (regression?)
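The mediation-after-symlink behaviour described above, as an added shell example that is not part of the bug thread: it rebuilds the container's /dev layout (ptmx as a symlink to pts/ptmx) in a throwaway directory, resolves the path the way AppArmor sees it, and checks whether a profile rule names that resolved path. The helper names and the simplified "<path> <perms>," rule form are assumptions for the example.

```sh
#!/bin/sh
# Added example, not from the bug thread. Models the LXD container layout
# shown above (/dev/ptmx -> /dev/pts/ptmx) in a temp directory so it runs
# unprivileged, and shows which path a profile rule must name.
# Assumption: rules are the simple form "<path> <perms>," on their own line.

setup_fake_dev() {           # $1 = fake root; mirrors the container listing
    mkdir -p "$1/dev/pts"
    : > "$1/dev/pts/ptmx"    # stand-in for the 5,2 character device
    ln -s pts/ptmx "$1/dev/ptmx"
}

mediated_path() {            # $1 = fake root, $2 = path the guest opens
    # AppArmor mediates the symlink-resolved path, so resolve it first
    real=$(readlink -f "$1$2") || return 1
    printf '%s\n' "${real#"$1"}"
}

profile_covers() {           # $1 = profile file, $2 = resolved path
    awk -v p="$2" '$1 == p && $2 ~ /^[a-z]+,$/ { hit = 1 } END { exit !hit }' "$1"
}

check_open() {               # $1 = fake root, $2 = profile, $3 = opened path
    m=$(mediated_path "$1" "$3") || return 2
    if profile_covers "$2" "$m"; then
        printf 'ALLOW %s (mediated as %s)\n' "$3" "$m"
    else
        printf 'DENY  %s (mediated as %s, no rule for it)\n' "$3" "$m"
        return 1
    fi
}

demo() {
    root=$(mktemp -d); root=$(cd "$root" && pwd -P)
    setup_fake_dev "$root"
    printf '  /dev/ptmx rw,\n' > "$root/profile"       # host-style rule only
    check_open "$root" "$root/profile" /dev/ptmx       # DENY: resolves to /dev/pts/ptmx
    printf '  /dev/pts/ptmx rw,\n' >> "$root/profile"  # add the resolved path
    check_open "$root" "$root/profile" /dev/ptmx       # ALLOW
    rm -rf "$root"
}

demo
```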
