© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
For documentation purpose here an update.
I found that the last thing libvirt calls is "prlimit"
In glibc that is implemented as syscall prlimit64.
That in turn is on 64 bit:
#define __NR_prlimit64 302
According to the doc of prlimit it needs a capability:
To set or get the resources of a process other than itself, the caller must have
"the CAP_SYS_RESOURCE capability, or the real, effective, and saved set user IDs of the target process must match the real user ID of the caller and the real, effective, and saved set group IDs of the target process must match the real group ID of the caller."
But the profile already holds that with a suspicious comment above it matching my testcase:
# Needed for vfio
capability sys_resource,
Did something get more strict, maybe a mismatch on prlimit/