Can't mmap /dev/zero

Hi there, I’ve got an application that mmap’d /dev/zero. This isn’t particularly an insecure operation, all the application needs is some zero’d pages. However, the operation is being denied.

audit: type=1400 audit(1542964976.932:3722): apparmor=“DENIED” operation=“file_mmap” profile=“snap.e820-bios.e820-bios” name="/dev/zero" pid=2876 comm=“e820-bios” requested_mask=“m” denied_mask=“m” fsuid=0 ouid=0

Any ideas how to solve this?

Is the code under your control? If so, could you modify it to use the MAP_ANONYMOUS flag instead? That avoids the need to open /dev/zero, and should work with the current policy.

This code is not under my control, it’s from libx86

I suspect that the binary or a library it uses has an executable stack: Snap and executable stacks