Comment 1 for bug 1788603

Thadeu Lima de Souza Cascardo (cascardo) wrote :

So, I traced this to an apparmor difference between 4.17 and 4.18. This is due to commit 338d0be437ef10e247a35aed83dbab182cf406a2 ("apparmor: fix ptrace read check").

libvirtd here is using only trace, and not read. The patch below for libvirtd apparmor policy fixes it for me.

--- /etc/apparmor.d/usr.sbin.libvirtd 2018-08-23 14:52:04.574252908 -0300
+++ ../usr.sbin.libvirtd 2018-08-23 14:51:46.773728841 -0300
@@ -50,10 +50,10 @@
   # for --p2p migrations
   unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),

- ptrace (trace) peer=unconfined,
- ptrace (trace) peer=/usr/sbin/libvirtd,
- ptrace (trace) peer=/usr/sbin/dnsmasq,
- ptrace (trace) peer=libvirt-*,
+ ptrace (read,trace) peer=unconfined,
+ ptrace (read,trace) peer=/usr/sbin/libvirtd,
+ ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+ ptrace (read,trace) peer=libvirt-*,

   signal (send) peer=/usr/sbin/dnsmasq,
   signal (read, send) peer=libvirt-*,
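Review bot: adding `read` to all four ptrace rules matches the cause given above (the referenced kernel commit checks the ptrace `read` permission separately from `trace`), but the `peer=unconfined` rule now grants libvirtd read access to any unconfined process; it is worth confirming that libvirtd needs `read` there and not only for the libvirt-* and dnsmasq peers before carrying this into the packaged profile. Minor style point: the neighbouring signal rule writes `signal (read, send)` with a space, so `ptrace (read, trace)` would keep the profile consistent.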