The attachment "lp1717714_trusty.debdiff" seems to be a debdiff.  The
ubuntu-sponsors team has been subscribed to the bug report so that they
can review and hopefully sponsor the debdiff.  If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1717714

Title:
  @{pid} variable broken on systems with pid_max more than 6 digits

Status in AppArmor:
  Fix Committed
Status in AppArmor 2.11 series:
  Fix Committed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  If your kernel.pid_max sysctl is set higher than the default, say at 7
  digits, the @{pid} variable no longer matches all pids, causing some
  breakage in any profile using it.

  @{pid} is defined in /etc/apparmor.d/tunables:
  
@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}

  It only covers up to 6 digits.

  This Ubuntu 17.04 system has:
  kernel.pid_max = 4194303

  And is showing 
  type=1400 audit(1505588857.828:792): apparmor="DENIED" operation="open" 
profile="libvirt-55e9e12c-e6dc-4f56-a547-8514cf7d9bf3" 
name="/proc/2168180/task/2769256/comm" pid=2168180 comm="qemu-system-x86" 
requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

  Which should be matched by
  @{PROC}/sys/vm/overcommit_memory r,
  in /etc/apparmor.d/abstractions/libvirt-qemu

  I'm seeing similar failures on 16.04 (2.10.95-0ubuntu2.7), 17.04
  (2.11.0-2ubuntu4) and 17.10 (2.11.0-2ubuntu17)

  I am aware this is a non-default configuration, but I think this
  should work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1717714/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to