[pkg-apparmor] Bug#883703: apparmor: Feature pinning breaks mount
Felix Geyer
fgeyer at debian.org
Wed Dec 6 16:47:02 UTC 2017
Package: apparmor
Version: 2.11.1-1
Severity: important
Feature pinning breaks mount() of confined processes with kernel 4.14.
With feature pinning enabled the parser seems not to load the mount rules, but the
kernel still somewhat enforces mount mediation.
For example starting a libvirt qemu VM fails with:
AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/" pid=8043 comm="libvirtd" flags="rw, rslave"
The libvirtd profile simply has a "mount," rule.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697#41
(same problem with stretch-pu)
Disabling the features-file option in /etc/apparmor/parser.conf works around the problem.
Felix
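As an added example (not part of the bug report), a small Python triage helper that recognises the denial signature quoted above in audit log lines and checks whether parser.conf has an active features-file pin; the audit lines and parser.conf content below are constructed samples, and the pinned path in them is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample audit lines: the first reproduces the denial pattern from the
# report, the second is an unrelated file-access denial that must not match.
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1512578822.123:45): apparmor="DENIED" operation="mount" '
    'info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/" '
    'pid=8043 comm="libvirtd" flags="rw, rslave"',
    'audit: type=1400 audit(1512578823.456:46): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/etc/shadow" pid=1234 comm="cupsd" '
    'requested_mask="r" denied_mask="r"',
]

# Constructed parser.conf content with feature pinning enabled (placeholder path).
SAMPLE_PARSER_CONF = "## pin the feature set\nfeatures-file=/PLACEHOLDER/features\n"

# key=value pairs: quoted values may contain spaces and commas (e.g. flags="rw, rslave").
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line: str) -> Dict[str, str]:
    """Split one AppArmor audit line into its key=value fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def mount_pin_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Return DENIED mount events carrying info="failed mntpnt match", i.e. the
    kernel mediated mount while the loaded profile had no usable mount rule."""
    hits = []
    for line in lines:
        f = parse_avc(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "mount"
                and f.get("info") == "failed mntpnt match"):
            hits.append(f)
    return hits


def features_pinned(parser_conf: str) -> bool:
    """True if parser.conf contains an active (uncommented) features-file line."""
    for raw in parser_conf.splitlines():
        s = raw.strip()
        if s and not s.startswith("#") and s.split("=", 1)[0].strip() == "features-file":
            return True
    return False


def diagnose(lines: List[str], parser_conf: str) -> str:
    """Combine both signals into a verdict a practitioner can act on."""
    if not mount_pin_denials(lines):
        return "ok"
    return "likely-feature-pinning" if features_pinned(parser_conf) else "mount-denied-other"
```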