[pve-devel] [PATCH container] fix #6538: apparmor: allow mqueue access

[pve-devel] [PATCH container] fix #6538: apparmor: allow mqueue access

[Wolfgang Bumiller]

With apparmor's 4.0 abi, access to posix message queues (/dev/mqueue)
does not happen just via the path anymore, there's a separate `mqueue`
class. With debian trixie we now have a 4.0 userspace, so we need to
allow this explicitly to get back to the pve-8 state.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/PVE/LXC.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index ffedcb9..741bb33 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -592,6 +592,11 @@ sub make_apparmor_config {
     # code to figure out whether we should warn the user:
 
     my $raw = "lxc.apparmor.profile = generated\n";
+
+    # We use abi/4.0 which has its own mqueue class which governs access to /dev/mqueue now.
+    # This is currently not default in lxc's profile, so we enable it explicitly.
+    $raw .= "lxc.apparmor.raw = allow mqueue,\n";
+
     my @profile_uses;
 
     if ($features->{fuse}) {
-- 
2.47.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH container] fix #6538: apparmor: allow mqueue access

[Thomas Lamprecht]

On Mon, 21 Jul 2025 17:06:55 +0200, Wolfgang Bumiller wrote:
> With apparmor's 4.0 abi, access to posix message queues (/dev/mqueue)
> does not happen just via the path anymore, there's a separate `mqueue`
> class. With debian trixie we now have a 4.0 userspace, so we need to
> allow this explicitly to get back to the pve-8 state.
> 
> 

Applied, thanks!

[1/1] fix #6538: apparmor: allow mqueue access
      commit: 0feb8bbad432ae8814607c09cb80d1755595e9cc


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel