Comment 0 for bug 1717714

Andre Tomt (andre-tomt) wrote :

If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.

@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

It only covers up to 6 digits.

This Ubuntu 17.04 system has:
kernel.pid_max = 4194303

And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu

I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)

I am aware this is a non-default configuration, but I think this should work.