[pkg-apparmor] Bug#883703: apparmor: Feature pinning breaks mount

John Johansen john.johansen at canonical.com
Wed Dec 6 19:14:47 UTC 2017


On 12/06/2017 10:09 AM, intrigeri wrote:
> Hi,
> 
> Felix Geyer:
>> With feature pinning enabled the parser seems to not load the mount rules but the
>> kernel still somewhat enforces mount mediation.
> 
>> For example starting a libvirt qemu VM fails with:
>> AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/" pid=8043 comm="libvirtd" flags="rw, rslave"
> 
>> The libvirtd profile simply has a "mount," rule.
> 
>> See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697#41
>> (same problem with stretch-pu)
> 
> Ouch. We had a similar problem for network rules but I had no idea we
> have one for mount rules as well (I'm running without the pinning
> myself, in order to identify issues early so we can update the policy
> before we bump the pinned feature set).
> 
> For sid, I think we should simply bump the pinned feature set to
> 4.14's: it's easier to fix policy than to deal with kernel bugs.
> Cc'ing John so he's aware of this kernel bug.
> 
> For Stretch, my proposed update shall be reverted. I'll follow up on
> the corresponding release.d.o bug.
> 

Ouch, sorry. I'll get a patch together for the kernel. With that said,
it is possible to have a workaround in the compiler, so userspace
patching is possible if we hit a need to do so to support an
existing release.
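As an added example (not code from this thread or from the AppArmor project), a small POSIX sh check for the condition Felix describes: it compares the kernel's feature tree against the pinned features file handed to apparmor_parser, and scans audit lines for the "failed mntpnt match" denial quoted above. The feature-tree and flattened features-file layouts are assumptions, and the paths are passed in as arguments rather than hard-coded.

```shell
#!/bin/sh
# Added example, not code from the thread or the AppArmor project. Two
# checks for the mismatch described in the report: the kernel mediates
# mount while the pinned feature set for apparmor_parser omits it.
# Assumptions: kernel feature tree layout (/sys/kernel/security/apparmor/
# features/mount exists when mount is mediated) and the flattened
# "name {...}" layout of the pinned features file; pass both as arguments.

# Returns 0 if the kernel's feature tree advertises mount mediation.
kernel_mediates_mount() {
    [ -d "$1/mount" ]
}

# Returns 0 if a flattened features file contains a "mount {" block.
features_file_has_mount() {
    grep -Eq '(^|[[:space:]])mount[[:space:]]*\{' "$1"
}

# Prints MISMATCH when the kernel mediates mount but the pinned set does not.
pinning_check() {
    if kernel_mediates_mount "$1" && ! features_file_has_mount "$2"; then
        echo MISMATCH
    else
        echo ok
    fi
}

# Prints "profile name" for each audit line with this bug's signature:
# a DENIED mount whose info field is "failed mntpnt match".
mount_denials() {
    grep 'apparmor="DENIED"' "$1" | grep 'operation="mount"' \
        | grep 'info="failed mntpnt match"' \
        | sed -E 's/.*profile="([^"]*)".*name="([^"]*)".*/\1 \2/'
}

# Constructed sample data: fake kernel tree with mount/, a pinned file
# lacking mount, and a log holding the denial quoted in the report.
KDIR=$(mktemp -d); mkdir "$KDIR/mount"
PINNED=$(mktemp); printf 'caps {mask {chown dac_override\n}\n}\n' >"$PINNED"
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/" pid=8043 comm="libvirtd" flags="rw, rslave"
AVC apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=1 comm="cupsd"
EOF
pinning_check "$KDIR" "$PINNED"   # MISMATCH
mount_denials "$LOG"              # /usr/sbin/libvirtd /
rm -rf "$KDIR" "$PINNED" "$LOG"
```

Run it against the real tree and pinned file (for example `pinning_check /sys/kernel/security/apparmor/features "$(sed -n 's/^features-file=//p' /etc/apparmor/parser.conf)"`) to see whether a host is exposed to this mismatch before the kernel fix lands.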
