[Pkg-libvirt-maintainers] Bug#1076946: libvirt-daemon-system: Apparmor prevents /proc/sys/vm/max_map_count to be read
Martin Pitt
mpitt at debian.org
Tue Aug 13 04:59:38 BST 2024
Control: tag -1 confirmed
Laurent Bigonville [2024-07-24 15:39 +0200]:
> type=AVC msg=audit(1721828131.241:1176): apparmor="DENIED" operation="open" class="file" profile="libvirt-6fde45f5-ff7e-4277-87b9-123a8aa30c7e" name="/proc/sys/vm/max_map_count" pid=149623 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0^]FSUID="libvirt-qemu" OUID="root"
We see the same in cockpit. Our latest Debian testing VM image refresh [1] now
runs into this denial a lot [2].

However, the image log has the list of updated packages (at the bottom of [3]),
and the most plausible one is

    libvirt-daemon (10.5.0-1 -> 10.6.0-1)

and we have NOT seen this with 10.5.0-1 on our previous image. As Laurent
reported it against that version, then perhaps the change wasn't in libvirt,
but in either of

    qemu-system-x86 (1:8.2.4+ds-1 -> 1:9.0.2+ds-2+b1)
    linux-image-cloud-amd64 (6.9.12-1 -> 6.10.3-1)

(the other package updates are implausible).

Note: This does not actually break the test in the sense of
"cockpit-machines/libvirt fails", it just triggers this AppArmor noise.

Thanks,

Martin

[1] https://github.com/cockpit-project/bots/pull/6730
[2] https://cockpit-logs.us-east-1.linodeobjects.com/pull-6730-54fd8f07-20240812-225340-debian-testing-cockpit-project-cockpit-machines/log.html
[3] https://cockpit-logs.us-east-1.linodeobjects.com/image-refresh-debian-testing-314032a6-20240812-223906/log.html