Example Deny:
[  774.341606] audit: type=1400 audit(1522915593.238:42): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"

Source: libvirt
Target: qemu process libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3
Action: change rlimits

TL;DR to re-summarize:
- certain actions let libvirt change the rlimit of the qemu guest
  - such actions are memory hotplug on ppc
  - pci hotplug of some devices
- libvirtd apparmor profile allows cap_sys_resource
- there is no rlimit rule restricting that in the profile
- a bug in the kernel part of apparmor blocks this and breaks the use-case
- as prechecked by jjohansen, he seems to have an idea how to fix it (see comment #16)
  - but for as yet unknown reasons activity has been silent for a few months
- finding that mem hotplug is also affected bumps the priority

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1679704

Title:
  libvirt profile is blocking global setrlimit despite having no rlimit
  rule

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
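
Added example, not part of the bug report or of libvirt/AppArmor: a small Python parser that splits AppArmor audit lines like the denial quoted above into fields and picks out setrlimit denials aimed at a different task (peer differs from profile). The function names and the second sample line are constructed for illustration.

```python
import errno
import re

# First line: the denial quoted in the comment above, re-joined onto one line.
# Second line: constructed for this example (an unrelated file denial).
SAMPLE_LOG = [
    '[  774.341606] audit: type=1400 audit(1522915593.238:42): '
    'apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" '
    'error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" '
    'rlimit=memlock value=96468992 '
    'peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"',
    '[  775.000000] audit: type=1400 audit(1522915594.000:43): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" '
    'name="/tmp/example" pid=8376 comm="libvirtd" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=0',
]

HEADER = re.compile(r'audit: type=1400 audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    head = HEADER.search(line)
    if head is None:
        return None
    event = {"epoch": float(head.group(1)), "serial": int(head.group(2))}
    for key, raw in FIELD.findall(line[head.end():]):
        quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        event[key] = raw[1:-1] if quoted else raw
    return event if "apparmor" in event else None


def is_peer_rlimit_denial(event):
    """True when a confined task was denied setrlimit on a different task."""
    return (event is not None
            and event.get("apparmor") == "DENIED"
            and event.get("operation") == "setrlimit"
            and event.get("peer") not in (None, event.get("profile")))


def describe(event):
    """One-line summary; error=-13 is reported by its errno name."""
    err = errno.errorcode.get(abs(int(event["error"])), "?")
    return "%s (pid %s, profile %s) denied %s=%s on %s: %s" % (
        event["comm"], event["pid"], event["profile"], event["rlimit"],
        event["value"], event["peer"], err)


def scan(lines):
    """Summaries of every cross-task setrlimit denial in the given lines."""
    events = (parse_event(line) for line in lines)
    return [describe(e) for e in events if is_peer_rlimit_denial(e)]
```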