If your kernel.pid_max sysctl is set higher than the default, say at 7 digits, the @{pid} variable no longer matches all pids, causing some breakage in any profile using it.
@{pid} is defined in /etc/apparmor.d/tunables:
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
It only covers up to 6 digits.
This Ubuntu 17.04 system has:
kernel.pid_max = 4194303
And is showing
type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111
Which should be matched by
@{PROC}/sys/vm/overcommit_memory r,
in /etc/apparmor.d/abstractions/libvirt-qemu
I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04 (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)
I am aware this is a non-default configuration, but I think this should work.
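As an added illustration (not part of the report above, and not AppArmor's own code), the following Python script expands the quoted @{pid} tunable into a regex, runs the denied path from the audit record through a profile rule, and shows that a 6-digit definition cannot match pid 2168180 while a 7-digit one can. The rule shape `@{PROC}/@{pid}/task/@{tid}/comm`, the assumption that @{tid} shares @{pid}'s range, and the `pid_var`/`digits_needed` helpers are assumptions made for this example; the audit line is copied from the report.

```python
import re

def pid_var(max_digits):
    """Build an AppArmor alternation matching decimal pids of 1..max_digits
    digits with no leading zero; pid_var(6) reproduces the tunables line
    quoted in the report."""
    alts = ["[1-9]" + "[0-9]" * (n - 1) for n in range(1, max_digits + 1)]
    return "{" + ",".join(alts) + "}"

def digits_needed(pid_max):
    """Digits @{pid} must cover for a given kernel.pid_max. The kernel wraps
    at pid_max, so the largest pid ever handed out is pid_max - 1."""
    return len(str(pid_max - 1))

def glob_to_regex(pattern):
    """Translate the AppArmor glob subset used here ({a,b} alternation,
    [x-y] classes, literal characters) into a Python regex. Nested braces
    are not handled because the tunables quoted above do not use them."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(glob_to_regex(a) for a in alts) + ")")
            i = j + 1
        elif c == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)

def rule_matches(rule_path, path, variables):
    """Substitute @{...} variables into a profile path rule, then test whether
    the concrete path from an audit record is matched by it."""
    expanded = rule_path
    for name, value in variables.items():
        expanded = expanded.replace("@{" + name + "}", value)
    return re.fullmatch(glob_to_regex(expanded), path) is not None

AUDIT_RE = re.compile(r'name="([^"]*)".*?\bpid=(\d+)')

def denied_path_and_pid(audit_line):
    """Pull the denied path and the acting pid out of a type=1400 record."""
    m = AUDIT_RE.search(audit_line)
    return m.group(1), int(m.group(2))

# Audit record copied verbatim from the report.
DENIED = ('type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" '
          'profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" '
          'name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" '
          'requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111')

# Assumed rule shape for the denied path; the real abstraction's wording may differ.
RULE = "@{PROC}/@{pid}/task/@{tid}/comm"

def check(pid_max, pid_digits_in_tunable):
    """Return (rule matches the denied path, tunable covers pid_max) for a
    @{pid} definition spanning pid_digits_in_tunable digits."""
    path, _ = denied_path_and_pid(DENIED)
    var = pid_var(pid_digits_in_tunable)
    # Assumption: @{tid} uses the same digit range as @{pid}.
    variables = {"PROC": "/proc", "pid": var, "tid": var}
    return rule_matches(RULE, path, variables), pid_digits_in_tunable >= digits_needed(pid_max)

if __name__ == "__main__":
    for n in (6, 7):
        matched, covers = check(4194303, n)
        print(f"@{{pid}} with {n} digits: path matched={matched}, covers pid_max={covers}")
```

Running it against kernel.pid_max = 4194303 reports no match for the stock 6-digit tunable and a match once a 7-digit alternative is added; `digits_needed` gives the minimum alternative length to add for any pid_max value you set.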