That is the commit causing the change [1] in behavior. That is pretty low level (in libc6) and will probably hit anything that links against libnuma.
I think the fix should therefore go into /etc/apparmor.d/abstractions/base

Today it has:
  # glibc's sysconf(3) routine to determine free memory, etc
  @{PROC}/meminfo r,
  @{PROC}/stat r,
  @{PROC}/cpuinfo r,
  @{sys}/devices/system/cpu/ r,
  @{sys}/devices/system/cpu/online r,

And due to [1] I think this needs to get:
  @{sys}/devices/system/cpu/possible r,

That is still missing in upstream's [2] current base profile.

Gladly it isn't too fatal, but still bad.
Retargeting this to the apparmor package.

[1]: https://sourceware.org/git/?p=glibc.git;a=commit;h=97a912f7a832a6
[2]: https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/base#L98

** Package changed: libvirt (Ubuntu) => apparmor (Ubuntu)

https://bugs.launchpad.net/bugs/1989073

Title:
  AppArmor DENIES reading of /sys/devices/system/cpu/possible

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Kinetic:
  Confirmed

Bug description:
  libvirt 8.6.0-0ubuntu1
  apparmor 3.0.7-1ubuntu1

  Creating a VM with virt-install produces this AppArmor denial:

  AVC apparmor="DENIED" operation="open" profile="libvirt-974c9859-e682-4f5d-b0cb-dcf3d60185fc" name="/sys/devices/system/cpu/possible" pid=2522 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

  Creation of the VM is successful. This is with nested virtualization.

  This did not happen with libvirt 8.0.0-1ubuntu8 and apparmor 3.0.7-1ubuntu1.
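
Added example, not part of the original bug comment or of AppArmor's own tooling: a Python check that tests the denial from the bug description against the sysconf(3) rules quoted in the comment and renders the missing rule in the abstraction's notation. The tunable values and the reduced glob handling (no {a,b} alternation or character classes) are assumptions.

```python
import re

# Assumed, simplified tunable values (the real ones live in /etc/apparmor.d/tunables/)
TUNABLES = {"@{PROC}": "/proc", "@{sys}": "/sys"}

# The sysconf(3) block of abstractions/base as quoted in the comment
BASE_RULES = """
# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
"""

# The denial from the bug description
DENIAL = ('AVC apparmor="DENIED" operation="open" '
          'profile="libvirt-974c9859-e682-4f5d-b0cb-dcf3d60185fc" '
          'name="/sys/devices/system/cpu/possible" pid=2522 comm="qemu-system-x86" '
          'requested_mask="r" denied_mask="r" fsuid=64055 ouid=0')

def parse_rules(text):
    """Return (compiled path regex, permissions) for each simple file rule."""
    rules = []
    for path, perms in re.findall(r"^[ \t]*((?:/|@\{)\S*)[ \t]+([a-zA-Z]+),[ \t]*$", text, re.M):
        for var, value in TUNABLES.items():
            path = path.replace(var, value)
        # AppArmor globs: ** crosses '/', while * and ? stay within one path component
        pat = re.escape(path).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
        rules.append((re.compile(pat.replace(r"\?", "[^/]")), perms))
    return rules

def parse_denial(line):
    """Extract the key=value fields of an AppArmor audit line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def uncovered(denial_line, rules):
    """Return the denied permissions that no rule grants for the denied path."""
    d = parse_denial(denial_line)
    granted = {p for rx, perms in rules if rx.fullmatch(d["name"]) for p in perms}
    return "".join(p for p in d["denied_mask"] if p not in granted)

def suggest_rule(denial_line):
    """Render the denied access as a rule written with the abstraction's tunables."""
    d = parse_denial(denial_line)
    path = d["name"]
    for var, value in TUNABLES.items():
        if path.startswith(value + "/"):
            path = var + path[len(value):]
    return f"{path} {d['denied_mask']},"
```

With the quoted rules, uncovered(DENIAL, parse_rules(BASE_RULES)) returns "r", because the directory rule ending in cpu/ does not cover files beneath it; once the suggested line is appended it returns an empty string.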