Closed mihalicyn closed 4 days ago
[13830.493684] audit: type=1400 audit(1719481742.274:388): apparmor="DENIED" operation="open" class="file" profile="lxd-v1_</var/snap/lxd/common/lxd>" name="/proc/94213/task/94293/comm" pid=94213 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=999 ouid=0
That's not a bug in Apparmor. The owner
part of the rule means the fsuid
and ouid
have to be equal which they are not because QEMU tries to rename its process after it was started as a different user (uid=999
might be lxd
).
[13830.493684] audit: type=1400 audit(1719481742.274:388): apparmor="DENIED" operation="open" class="file" profile="lxd-v1_</var/snap/lxd/common/lxd>" name="/proc/94213/task/94293/comm" pid=94213 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=999 ouid=0
That's not a bug in Apparmor. The
owner
part of the rule means thefsuid
andouid
have to be equal which they are not because QEMU tries to rename its process after it was started as a different user (uid=999
might belxd
).
So its a bug fix :)
@simondeziel you are right, owner of /proc/*/task/*/comm
is always root which is a bit not intuitive ;-)
That's not AppArmor bug, likely, bug was fixed in AppArmor which leads to this behavior change.
But this PR is still valid.
For some reason (bug in AppArmor?): owner @{PROC}/@{pid}/cpuset r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, rules don't work properly and forbid perfectly legal access of Qemu to proc: [13830.493684] audit: type=1400 audit(1719481742.274:388): apparmor="DENIED" operation="open" class="file" profile="lxd-v1_</var/snap/lxd/common/lxd>" name="/proc/94213/task/94293/comm" pid=94213 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=999 ouid=0
I've noticed, that removing the "owner" keyword makes it work. Let's do this, despite it relaxes profile and makes things less secure, I can't really see any serious security impact from that change.
This only reproducible when core24 is used (new AppArmor) and ceph volume is attached to the VM.