simondeziel
commented
4 days ago [13830.493684] audit: type=1400 audit(1719481742.274:388): apparmor="DENIED" operation="open" class="file" profile="lxd-v1_</var/snap/lxd/common/lxd>" name="/proc/94213/task/94293/comm" pid=94213 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=999 ouid=0
That's not a bug in Apparmor. The owner part of the rule means the fsuid and ouid have to be equal which they are not because QEMU tries to rename its process after it was started as a different user (uid=999 might be lxd).
tomponline
mihalicyn
For some reason (bug in AppArmor?): owner @{PROC}/@{pid}/cpuset r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, rules don't work properly and forbid perfectly legal access of Qemu to proc: [13830.493684] audit: type=1400 audit(1719481742.274:388): apparmor="DENIED" operation="open" class="file" profile="lxd-v1_</var/snap/lxd/common/lxd>" name="/proc/94213/task/94293/comm" pid=94213 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=999 ouid=0
I've noticed, that removing the "owner" keyword makes it work. Let's do this, despite it relaxes profile and makes things less secure, I can't really see any serious security impact from that change.
This only reproducible when core24 is used (new AppArmor) and ceph volume is attached to the VM.