
debcrafters-packages team mailing list archive

[Bug 2121248] Re: DENIED messages attributable to systemd-detect-virt profile appearing in AppArmor logs on Questing machines

 

From some quick testing, it looks like this impacts the --container and
--private-users flags specifically. It makes the latter unusable:

root@q-vm:~# SYSTEMD_LOG_LEVEL=debug systemd-detect-virt --container
Failed to test if in root cgroup namespace, ignoring: Permission denied
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Failed to test if in root PID namespace, ignoring: Permission denied
Found container virtualization none.
none

with denials:

[Tue Sep  9 15:22:15 2025] audit: type=1400 audit(1757431335.063:279): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1320 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Tue Sep  9 15:22:15 2025] audit: type=1400 audit(1757431335.065:280): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1320 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

----

root@q-vm:~# SYSTEMD_LOG_LEVEL=debug systemd-detect-virt --private-users
Failed to test if in root user namespace, ignoring: Permission denied
/proc/self/uid_map has a full 1:1 mapping
/proc/self/gid_map has a full 1:1 mapping
/proc/self/setgroups: Permission denied
Failed to check for user namespace: Permission denied

with denials:

[Tue Sep  9 15:22:58 2025] audit: type=1400 audit(1757431378.096:281): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1321 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Tue Sep  9 15:22:58 2025] audit: type=1400 audit(1757431378.098:282): apparmor="DENIED" operation="open" class="file" profile="systemd-detect-virt" name="/proc/1321/setgroups" pid=1321 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The disconnected path errors are weird, and sound like an internal
apparmor issue IIRC.

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2121248

Title:
  DENIED messages attributable to systemd-detect-virt profile appearing
  in AppArmor logs on Questing machines

Status in apparmor package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  New

Bug description:
  CPC's daily image testing has detected DENIED messages in the AppArmor
  logs of Questing machines. The messages first appeared on machines
  launched from the 20250808 serial, which was the first serial to carry
  version 5.0.0~alpha1-0ubuntu1 of apparmor. The messages are
  attributable to the systemd-detect-virt profile, which was added to
  apparmor in the aforementioned version.

  The following is the complete collection of systemd-detect-virt DENIED
  messages from one of the machines:

  ```
  Aug 20 21:38:57 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725937.869:193): apparmor="DENIED" operation="capable" class="cap" profile="systemd-detect-virt" pid=1003 comm="systemd-detect-" capability=12  capname="net_admin"
  Aug 20 21:38:57 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725937.869:194): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="run/systemd/journal/socket" pid=1003 comm="systemd-detect-" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Aug 20 21:38:57 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725937.869:195): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1003 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:38:57 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725937.889:196): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1003 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:38:57 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725937.889:197): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="run/systemd/notify" pid=1003 comm="systemd-detect-" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Aug 20 21:38:58 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725938.996:198): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1056 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
  Aug 20 21:38:58 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725938.996:199): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1056 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
  Aug 20 21:39:04 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725944.369:202): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1152 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:39:04 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725944.398:203): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1152 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:39:04 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725944.398:204): apparmor="DENIED" operation="capable" class="cap" profile="systemd-detect-virt" pid=1152 comm="systemd-detect-" capability=12  capname="net_admin"
  Aug 20 21:39:04 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725944.398:205): apparmor="DENIED" operation="sendmsg" class="file" profile="systemd-detect-virt" name="/run/systemd/notify" pid=1152 comm="systemd-detect-" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Aug 20 21:39:05 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725945.100:206): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1200 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:39:05 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725945.100:207): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1200 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:39:05 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725945.100:208): apparmor="DENIED" operation="capable" class="cap" profile="systemd-detect-virt" pid=1200 comm="systemd-detect-" capability=12  capname="net_admin"
  Aug 20 21:39:05 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725945.100:209): apparmor="DENIED" operation="sendmsg" class="file" profile="systemd-detect-virt" name="/run/systemd/notify" pid=1200 comm="systemd-detect-" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  Aug 20 21:39:05 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725945.150:210): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1201 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:39:05 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725945.150:211): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1201 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:39:16 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725956.433:220): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1687 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Aug 20 21:39:16 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755725956.433:221): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1687 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Aug 20 21:40:01 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755726001.340:222): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=2135 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:40:01 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755726001.340:223): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=2135 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:40:02 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755726002.082:224): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=2152 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Aug 20 21:40:02 alan-questing-base-mwnssgzfkn kernel: audit: type=1400 audit(1755726002.082:225): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=2152 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2121248/+subscriptions
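
Added example, not part of the original mail or of the apparmor or systemd projects: a small triage helper that groups the denials quoted above into capability denials, "disconnected path" lookups, and ordinary path denials, the distinction the comment draws. The sample lines are copied from the logs on this page with the timestamp prefix trimmed; the category labels and function names are this example's own.

```python
import re
from collections import Counter

# Records copied from the logs quoted on this page (timestamp/host prefix trimmed).
SAMPLE = '''\
audit: type=1400 audit(1755725937.869:193): apparmor="DENIED" operation="capable" class="cap" profile="systemd-detect-virt" pid=1003 comm="systemd-detect-" capability=12  capname="net_admin"
audit: type=1400 audit(1755725937.869:194): apparmor="DENIED" operation="sendmsg" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="run/systemd/journal/socket" pid=1003 comm="systemd-detect-" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1755725937.869:195): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1003 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1755725937.889:196): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="systemd-detect-virt" name="" pid=1003 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1755725944.398:205): apparmor="DENIED" operation="sendmsg" class="file" profile="systemd-detect-virt" name="/run/systemd/notify" pid=1152 comm="systemd-detect-" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1757431378.098:282): apparmor="DENIED" operation="open" class="file" profile="systemd-detect-virt" name="/proc/1321/setgroups" pid=1321 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def classify(line):
    """Map one record to (profile, category, detail); None if not a denial."""
    f = parse(line)
    if f.get("apparmor") != "DENIED":
        return None
    profile, op = f.get("profile", "?"), f.get("operation", "?")
    if f.get("class") == "cap":
        return (profile, "capability", f.get("capname", "?"))
    # Fold the process's own PID into AppArmor's @{pid} variable so that
    # repeated runs group under one path.
    name = f.get("name", "").replace(f"/proc/{f.get('pid')}/", "/proc/@{pid}/")
    disconnected = "disconnected path" in f.get("info", "")
    kind = "disconnected-path" if disconnected else "path-denied"
    return (profile, kind, f"{op} {name or '<empty>'}")

def summarize(text):
    """Count denials per (profile, category, detail)."""
    return Counter(c for c in map(classify, text.splitlines()) if c)

if __name__ == "__main__":
    for (profile, kind, detail), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {profile}  {kind:18s} {detail}")
```

On a live system the same functions can be fed the kernel log text, for example the output of `journalctl -k`.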