[pkg-apparmor] Bug#883703: apparmor: Feature pinning breaks mount

intrigeri intrigeri at debian.org
Wed Dec 6 18:09:35 UTC 2017


Hi,

Felix Geyer:
> With feature pinning enabled the parser seems not to load the mount rules but the
> kernel still somewhat enforces mount mediation.

> For example starting a libvirt qemu VM fails with:
> AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/" pid=8043 comm="libvirtd" flags="rw, rslave"

> The libvirtd profile simply has a "mount," rule.

> See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697#41
> (same problem with stretch-pu)

Ouch. We had a similar problem for network rules but I had no idea we
have one for mount rules as well (I'm running without the pinning
myself, in order to identify issues early so we can update the policy
before we bump the pinned feature set).

For sid, I think we should simply bump the pinned feature set to
4.14's: it's easier to fix policy than to deal with kernel bugs.
Cc'ing John so he's aware of this kernel bug.

For Stretch, my proposed update shall be reverted. I'll follow up on
the corresponding release.d.o bug.

:/

Cheers,
-- 
intrigeri
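As an added example (not part of this mailing-list thread and not code from the AppArmor project), the following Python script parses AppArmor audit records of the `AVC apparmor="..."` shape quoted above and pulls out mount denials, so an administrator can spot the "failed mntpnt match" symptom described in the report when checking a host after a policy or feature-set change. The log text is constructed here: the first line is the denial quoted in the bug report, the rest are made up to show records that must not match.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log. Line 1 is the denial quoted in the bug report;
# the other lines are invented here to exercise the non-matching cases.
SAMPLE_LOG = """\
AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/" pid=8043 comm="libvirtd" flags="rw, rslave"
AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/libvirt/qemu.conf" pid=8043 comm="libvirtd" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/shadow" pid=1234 comm="example" requested_mask="r" denied_mask="r"
AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/libvirtd" pid=999 comm="apparmor_parser"
"""

# key="quoted value" or key=bare_value (e.g. error=-13, pid=8043)
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Turn one AVC line into a dict of its key/value fields.

    Returns None for lines that are not AppArmor AVC records. Values are
    kept as strings; callers convert numeric fields when they need them.
    """
    line = line.strip()
    if not line.startswith("AVC "):
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def is_mount_denial(rec: Dict[str, str]) -> bool:
    """True when the kernel refused a mount operation for a confined process."""
    return rec.get("apparmor") == "DENIED" and rec.get("operation") == "mount"


def mount_denials(log: str) -> List[Dict[str, object]]:
    """Collect mount denials from a block of log text.

    Each result carries the fields a responder wants first: which profile,
    which mountpoint, the mount flags, and the kernel's stated reason (the
    `info=` field, "failed mntpnt match" in the report's case, meaning the
    loaded profile had no mount rule matching that mountpoint).
    """
    found: List[Dict[str, object]] = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and is_mount_denial(rec):
            found.append({
                "profile": rec.get("profile", "?"),
                "comm": rec.get("comm", "?"),
                "mountpoint": rec.get("name", "?"),
                "flags": rec.get("flags", ""),
                "reason": rec.get("info", ""),
                "errno": int(rec["error"]) if "error" in rec else None,
            })
    return found


def denials_by_profile(log: str) -> Dict[str, int]:
    """Count DENIED records per profile, across all operation types.

    Useful as a quick before/after comparison when a pinned feature set or
    a policy package is changed on a host.
    """
    counts: Dict[str, int] = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("apparmor") == "DENIED":
            prof = rec.get("profile", "?")
            counts[prof] = counts.get(prof, 0) + 1
    return counts


if __name__ == "__main__":
    for d in mount_denials(SAMPLE_LOG):
        print(f"{d['profile']} ({d['comm']}): mount of {d['mountpoint']!r} "
              f"with flags {d['flags']!r} denied, errno={d['errno']}, "
              f"reason={d['reason']!r}")
    print("denials per profile:", denials_by_profile(SAMPLE_LOG))
```

On a real host the input would be the matching `apparmor="DENIED"` lines from the audit log or kernel log rather than the embedded sample; a profile whose only mount rule is a bare `mount,` and that still produces `info="failed mntpnt match"` is the pattern this report describes.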
