libvirt profile is blocking global setrlimit despite having no rlimit rule
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
The Ubuntu-power-systems project | Fix Released | Critical | Canonical Security Team |
apparmor (Ubuntu) | Fix Released | Critical | John Johansen |
Bug Description
Hi,
while debugging bug 1678322 I was running into apparmor issues.
Thanks to jjohansen we debugged some of it and eventually I was asked to report a bug.
Symptom:
[ 8976.950635] audit: type=1400 audit(149131001
But none of the profiles has any rlimit statement in it:
$ grep -Hirn limit /etc/apparmor*
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
/etc/apparmor.
The profile contains a child profile which makes reading the dumps a bit painful, but I'll attach them anyway for you to take a look.
To "recreate" if needed check out bug 1678322 - TL;DR hot-add some VFs via libvirt.
tags: added: ppc64el
Changed in ubuntu-power-systems:
importance: Undecided → Critical
status: New → In Progress
Changed in ubuntu-power-systems:
assignee: nobody → Canonical Security Team (canonical-security)
tags: added: severity-critical; removed: severity-high
tags: added: triage-a
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Changed in ubuntu-power-systems:
status: In Progress → Fix Committed
Changed in ubuntu-power-systems:
status: Fix Committed → Fix Released
The profiles and all the rest of the system are default zesty without modifications.