Example Deny:
[  774.341606] audit: type=1400 audit(1522915593.238:42): apparmor="DENIED" 
operation="setrlimit" info="cap_sys_resource" error=-13 
profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock 
value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"

Source: libvirt
Target: qemu process libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3
Action: change rlimits

TL;DR to re-summarize:
- certain actions let libvirt change the rlimit of the qemu guest
  - such actions are memory hotplug on ppc
  - pci hotplug of some devices
- libvirtd apparmor profile allows cap_sys_resource
- there is no rlimit rule restricting that in the profile
- a bug in the kernel part of apparmor blocks this and breaks the use-case
- as prechecked by jjohansen he seems to have an idea how to fix (see comment 
  - but for as yet unknown reasons activity has been silent for a few months
- finding that mem hotplug is also affected bumps the priority


  libvirt profile is blocking global setrlimit despite having no rlimit
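
A small triage helper for denials like the one quoted above, added here as an illustration and not part of the bug report, libvirt or AppArmor: it splits the audit record into fields and flags a denied setrlimit aimed at a different task (the peer). The function names and the second log line are constructed for the example.

```python
import errno
import re

# The denial quoted in the report, re-joined onto one line.
REPORTED = (
    '[  774.341606] audit: type=1400 audit(1522915593.238:42): apparmor="DENIED" '
    'operation="setrlimit" info="cap_sys_resource" error=-13 '
    'profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock '
    'value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"'
)
# Constructed contrast line: an unrelated file denial (not from the report).
CONSTRUCTED = (
    'audit: type=1400 audit(1522915600.000:43): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/example" name="/etc/example.conf" '
    'pid=100 comm="example" requested_mask="r" denied_mask="r"'
)

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(line):
    """Split an AppArmor audit record into a dict; None if it is not one."""
    if "apparmor=" not in line:
        return None
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def rlimit_denial(line):
    """Summarize a denied setrlimit aimed at another task (the peer), else None."""
    f = parse_audit(line)
    if not f or f.get("apparmor") != "DENIED" or f.get("operation") != "setrlimit":
        return None
    if "peer" not in f or f["peer"] == f.get("profile"):
        return None  # no distinct peer: not the cross-task case in this report
    err = abs(int(f.get("error", "0")))
    return {
        "source": f.get("profile"),
        "target": f["peer"],
        "rlimit": f.get("rlimit"),
        "value": int(f["value"]) if "value" in f else None,
        "reason": f.get("info"),
        "errno": errno.errorcode.get(err, str(err)),
    }

if __name__ == "__main__":
    for line in (REPORTED, CONSTRUCTED):
        print(rlimit_denial(line))
```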
