[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible

Mon, 14 Nov 2022 23:41:02 -0800 

Hi Marius,

> What actually is the effect of the denial? Will qemu not use more than one 
> CPU, 
> or is it something less harmful?

Since the new interface is arch specific and new the code does fall back
tot he old way.

  226 /* On some architectures it is possible to distinguish between configured 
       
  227    and active cpus.  */                                                   
       
  228 int                                                                       
       
  229 __get_nprocs_conf (void)                                                  
       
  230 {                                                                         
       
  231   int result = read_sysfs_file ("/sys/devices/system/cpu/possible");      
       
  232   if (result != 0)                                                        
       
  233     return result;                                                        
       
  234                                                                           
       
  235   /* Fall back to /proc/stat and sched_getaffinity.  */                   
       
  236   return get_nprocs_fallback ();                                          
       
  237 }   

Due to that, even when denied it gets the right number (as it had
before).

Once with and without isolation blocking access.

ubuntu@k2:/tmp$ ./testsysconf 
_SC_NPROCESSORS_CONF 3

ubuntu@k2:/tmp$ sudo aa-exec -p test -- ./testsysconf
_SC_NPROCESSORS_CONF 3

It only has a real difference on systems where the new code was needed in the 
first place.
Those are usually rather massive systems which start at lower cpu counts but 
might hot-plug them later - on those with the denial falling back you'd only 
get a lower than the real potential max number.
The code that hits this in your case is libnuma on initialization, unless you 
are very deep into numa control on very huge systems using cpu hotplug you 
won't see any effect.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989073

Title:
  AppArmor DENIES reading of /sys/devices/system/cpu/possible

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Kinetic:
  Confirmed

Bug description:
  libvirt 8.6.0-0ubuntu1
  apparmor 3.0.7-1ubuntu1

  Creating a VM with virt-install produces this AppAmore denial:

  AVC apparmor="DENIED" operation="open"
  profile="libvirt-974c9859-e682-4f5d-b0cb-dcf3d60185fc"
  name="/sys/devices/system/cpu/possible" pid=2522 comm="qemu-
  system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

  Creation of the VM is successful.  This is with nested virtualization.

  This did not happen with libvirt 8.0.0-1ubuntu8 and apparmor
  3.0.7-1ubuntu1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to