Control: reassign -1 apparmor
Control: affects -1 libvirt-daemon

Dear apparmor maintainers,

On Fri, Nov 13, 2015 at 09:32:15AM +0000, Carlo Rengo wrote:
> Package: libvirt-client
> Version: 1.2.21-1
> Severity: serious
> 
> Dear Maintainer,
> 
> Running “virsh attach-disk <domain> <source> <target>” with AppArmor enabled
> and the domain confined in enforce mode gives this error:
> 
> root@host:~# virsh attach-disk debian8 /var/lib/libvirt/images/disk_to_attach.img vdd
> error: Failed to attach disk
> error: internal error: unable to execute QEMU command 'device_add': Property 
> 'virtio-blk-device.drive' can't find value 'drive-virtio-disk3'
> 
> From journal:
> 
> audit: type=1400 audit(1447406591.802:2015): apparmor="STATUS" 
> operation="profile_replace" 
> name="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" pid=57268 
> comm="apparmor_parser"
> audit: type=1400 audit(1447406591.862:2016): apparmor="STATUS" 
> operation="profile_replace" name="qemu_bridge_helper" pid=57268 
> comm="apparmor_parser"
> audit: type=1400 audit(1447406591.892:2017): apparmor="DENIED" 
> operation="open" profile="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" 
> name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" 
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> audit: type=1400 audit(1447406591.952:2018): apparmor="DENIED" 
> operation="open" profile="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" 
> name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" 
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> audit: type=1400 audit(1447406592.002:2019): apparmor="DENIED" 
> operation="open" profile="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" 
> name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" 
> requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
> audit: type=1400 audit(1447406592.262:2020): apparmor="STATUS" 
> operation="profile_replace" 
> name="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" pid=57270 
> comm="apparmor_parser"
> audit: type=1400 audit(1447406592.342:2021): apparmor="STATUS" 
> operation="profile_replace" name="qemu_bridge_helper" pid=57270 
> comm="apparmor_parser"
> 
> When putting the domain in complain/disabled mode, the error keeps showing up
> until the domain is destroyed/recreated or saved/restored.

I can confirm this (see below).

> 
> This error appears with libvirt from debian stable, debian testing and from
> a compiled version of the source. Ubuntu 15.10 is not affected by this bug.

I think this issue is not within libvirt but related to apparmor not
correctly refreshing the profiles of running processes. As outlined in
#826218 I can reproduce this without having virt-aa-helper in the game
(by changing the profile on disk and reloading it into the kernel via
apparmor_parser -r). It can be reproduced via:

   echo "/var/lib/libvirt/images/powerpc.img rw," >> /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a.files
   chmod u+rw /var/lib/libvirt/images/powerpc.img
   chown libvirt-qemu: /var/lib/libvirt/images/powerpc.img
   /sbin/apparmor_parser -r /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a
   virsh qemu-monitor-command wheezy --pretty --cmd '{"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy file=/var/li

I have also observed that aa-{disable,complain} don't affect running VMs,
but this might just be an omission in the documentation.

I'm happy to help debug this further but would be glad to know whether I'm
going in the right direction.

Cheers,
 -- Guido
