Your message dated Thu, 12 Oct 2017 10:49:35 +0000
with message-id <[email protected]>
and subject line Bug#878153: fixed in libvirt 3.8.0-2
has caused the Debian Bug report #878153,
regarding libvirt-daemon-system: frequent AppArmor denials for ptrace of some unconfined process
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
878153: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878153
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libvirt-daemon-system
Version: 3.7.0-4
Severity: normal

In recent uses of libvirtd (I would guess the last couple of weeks) I get
frequent AppArmor denials from libvirtd attempting to trace some
unconfined process:

Oct 10 14:35:58 perpetual kernel: audit: type=1400 audit(1507642558.099:2336): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:35:58 perpetual kernel: audit: type=1400 audit(1507642558.099:2337): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"

Unfortunately, AppArmor logs the system call that caused the denial for
some operations, but apparently not for this one; so we can't know
anything about the target process.

Some clues: I only get these when a VM is running. With one session://
VM and no system:// VMs running, I get these denials in consecutive pairs,
one pair every 3 seconds.

I believe this indicates either an actual ptrace operation, or mutating
process state by writing into /proc (which is also audited as "ptrace"
under at least some kernel versions). requested_mask="trace" indicates
that libvirtd is trying to write or change the state of some other,
unconfined process, as opposed to reading state which would be
requested_mask="read", or being traced by an unconfined process which
would be requested_mask="tracedby" or requested_mask="readby".

A workaround is to add this to the AppArmor profile (although this does
let libvirtd trace unconfined processes like for example dbus-daemon and
network-manager, which would be bad if there is meant to be a security
boundary between them):

    ptrace peer=unconfined,

This might be 
https://www.redhat.com/archives/libvir-list/2017-September/msg00546.html
in which case it's fixed in 3.8.0. If so, I'll close this when I've
upgraded.

Regards,
    smcv

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser              3.116
ii  debconf              1.5.63
ii  firewalld            0.4.4.5-2
ii  gettext-base         0.19.8.1-4
ii  init-system-helpers  1.49
ii  iptables             1.6.1-2
ii  libacl1              2.2.52-3+b1
ii  libapparmor1         2.11.0-11
ii  libaudit1            1:2.7.8-1
ii  libblkid1            2.30.2-0.1
ii  libc6                2.24-17
ii  libcap-ng0           0.7.7-3.1
ii  libdbus-1-3          1.11.20-1
ii  libdevmapper1.02.1   2:1.02.142-1
ii  libnl-3-200          3.2.27-2
ii  libnl-route-3-200    3.2.27-2
ii  libnuma1             2.0.11-2.1
ii  libselinux1          2.7-2
ii  libvirt-clients      3.7.0-4
ii  libvirt-daemon       3.7.0-4
ii  libvirt0             3.7.0-4
ii  libxml2              2.9.4+dfsg1-4
ii  libyajl2             2.1.0-2+b3
ii  logrotate            3.11.0-0.1
ii  lsb-base             9.20170808
ii  policykit-1          0.105-18

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-14
ii  dmidecode     3.1-1
ii  dnsmasq-base  2.78-1
ii  ebtables      2.0.10.4-3.5+b1
ii  iproute2      4.9.0-2
ii  parted        3.2-17

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    2.11.0-11
pn  auditd      <none>
pn  nfs-common  <none>
ii  pm-utils    1.4.1-17
pn  radvd       <none>
ii  systemd     234-3
pn  systemtap   <none>
pn  zfsutils    <none>

-- Configuration Files:
/etc/default/libvirt-guests changed [not included]
/etc/libvirt/libvirtd.conf changed [not included]

-- debconf information:
  libvirt-daemon-system/id_warning: true

--- End Message ---
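A triage helper for denials like the ones quoted in the report, added here as an example (it is not part of the bug report or of the libvirt package): it parses AppArmor audit lines, groups ptrace denials by profile, peer and requested_mask, decodes the direction the mask implies (trace/read versus tracedby/readby, as the report explains), and measures how many denials arrive per burst and how far apart the bursts are. The first two sample lines are modelled on the two quoted above; the third and fourth are constructed three seconds later to reproduce the "one pair every 3 seconds" pattern.

```python
import re
from collections import Counter

# Constructed sample modelled on the denials quoted in the report (not a live capture).
SAMPLE_LOG = """\
Oct 10 14:35:58 perpetual kernel: audit: type=1400 audit(1507642558.099:2336): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:35:58 perpetual kernel: audit: type=1400 audit(1507642558.099:2337): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:36:01 perpetual kernel: audit: type=1400 audit(1507642561.101:2338): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:36:01 perpetual kernel: audit: type=1400 audit(1507642561.101:2339): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
"""
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')   # key="quoted" or key=bare
TS_RE = re.compile(r'audit\((\d+\.\d+):\d+\)')   # audit(seconds.millis:serial)

# Direction of a ptrace denial, read from requested_mask as the report explains.
MASK_MEANING = {"trace": "confined process changes state of the peer",
                "read": "confined process reads state of the peer",
                "tracedby": "peer traces the confined process",
                "readby": "peer reads the confined process"}

def parse_line(line):
    """Split one AppArmor audit line into key=value fields plus a float 'ts'."""
    if 'apparmor="' not in line:
        return None
    fields = {k: (q if raw.startswith('"') else b) for k, raw, q, b in KV_RE.findall(line)}
    ts = TS_RE.search(line)
    fields["ts"] = float(ts.group(1)) if ts else None
    return fields

def ptrace_denials(log_text):
    """Group DENIED ptrace events by (profile, peer, requested_mask) -> timestamps."""
    groups = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("apparmor") == "DENIED" and f.get("operation") == "ptrace":
            key = (f["profile"], f["peer"], f["requested_mask"])
            groups.setdefault(key, []).append(f["ts"])
    return groups

def summarize(groups):
    """Per group: direction, total count, events per burst and the usual burst period."""
    out = []
    for (profile, peer, mask), stamps in sorted(groups.items()):
        bursts = sorted(set(stamps))                       # one entry per burst
        gaps = [round(b - a, 1) for a, b in zip(bursts, bursts[1:])]
        out.append({"profile": profile, "peer": peer, "mask": mask,
                    "meaning": MASK_MEANING.get(mask, "unknown"),
                    "count": len(stamps), "per_burst": len(stamps) // len(bursts),
                    "period_s": Counter(gaps).most_common(1)[0][0] if gaps else None})
    return out
```

Because the kernel only reports peer="unconfined", the summary identifies the confined side and the direction, not the target; naming the actual peer (dnsmasq, per the fix in 3.8.0-2) is what lets the profile get a narrower rule than the blanket `ptrace peer=unconfined,` workaround.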
--- Begin Message ---
Source: libvirt
Source-Version: 3.8.0-2

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <[email protected]> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 12 Oct 2017 10:27:25 +0200
Source: libvirt
Binary: libvirt-clients libvirt-daemon libvirt-daemon-driver-storage-gluster libvirt-daemon-driver-storage-rbd libvirt-daemon-driver-storage-sheepdog libvirt-daemon-driver-storage-zfs libvirt-daemon-system libvirt0 libvirt-doc libvirt-dev libvirt-sanlock libnss-libvirt libvirt-wireshark
Architecture: source
Version: 3.8.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <[email protected]>
Changed-By: Guido Günther <[email protected]>
Description:
 libnss-libvirt - nss plugin providing IP address resolution for virtual machines
 libvirt-clients - Programs for the libvirt library
 libvirt-daemon - Virtualization daemon
 libvirt-daemon-driver-storage-gluster - Virtualization daemon glusterfs storage driver
 libvirt-daemon-driver-storage-rbd - Virtualization daemon RBD storage driver
 libvirt-daemon-driver-storage-sheepdog - Virtualization daemon Sheepdog storage driver
 libvirt-daemon-driver-storage-zfs - Virtualization daemon ZFS storage driver
 libvirt-daemon-system - Libvirt daemon configuration files
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt-sanlock - Sanlock plugin for virtlockd
 libvirt-wireshark - Wireshark dissector for the libvirt protocol
 libvirt0   - library for interfacing with different virtualization systems
Closes: 878153
Changes:
 libvirt (3.8.0-2) unstable; urgency=medium
 .
   * Upload to unstable
     Closes: #878153
   * [646a20f] apparmor: add dnsmasq ptrace rule to libvirtd profile

--- End Message ---