Control: reassign -1 libvirt-daemon-system
Control: retitle -1 AppArmor blocks QEMU guests access to /proc/*/cmdline
Control: found -1 3.8.0-3
Control: severity -1 normal
Control: tag -1 + upstream

Hi Michael, Guido & others,

first of all, thanks a lot for trying AppArmor and reporting bugs, much
appreciated :)

I'm sorry you've hit issues caused by new AppArmor features landing in
Linux mainline (which is very good news in itself but we've failed to get
ready for that in Debian). I have designed a plan to avoid such situations
in the future: #879584 and #879585.

Michael Biebl:
> Updating libvirt to 3.8.0-1 from experimental fixed the immediate issue
> for me, i.e. the libvirt instances start again.

… and this is now fixed in sid too. Kudos to Guido for being so proactive
both to fix such issues in libvirt upstream and to upload them to Debian —
you rock!

> I'm not sure whether to merge these two bug reports now, or we keep this
> one open and deal with the remaining denial(s) (the severity should
> probably be downgraded in this case as it doesn't seem to cause any
> noticeable issues).

> After updating to libvirt 3.8.0-1 I still get the following DENIAL when
> shutting down a libvirt/KVM instance:
>
> 2017-10-11T14:43:54.683220+02:00 pluto kernel: [ 355.112941] audit:
> type=1400 audit(1507725834.681:55): apparmor="DENIED" operation="open"
> profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
> name="/proc/684/cmdline" pid=3154 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=114 ouid=0

I'm hereby doing the latter, i.e. re-purposing this duplicate bug report
into one that tracks this noisy denial.

@Guido: I've not noticed any breakage caused by AppArmor blocking QEMU
access to /proc/*/cmdline. Grepping the QEMU source code for "cmdline"
outputs too many hits for a non-C person like me to investigate, so I am
really clueless wrt. what the potential problems of this denial could be.

Shall we silence the denial or allow it (possibly prefixed with "owner" to
avoid increasing the attack surface too much)? Once we reach a conclusion
here I'm happy to send a patch upstream.

Cheers,
-- 
intrigeri
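An added example, not part of this bug report nor of the libvirt or AppArmor code: it parses the audit record quoted above and prints the two profile rules under discussion (a silencing "deny" rule versus an "owner"-restricted allow), together with the check a practitioner would run first, namely whether an "owner" rule would even match the logged access given its fsuid and ouid. "@{PROC}" is AppArmor's standard variable for /proc; the function names are my own.

```python
import re

# The audit record quoted in the bug report, joined back onto one line.
DENIAL = (
    'audit: type=1400 audit(1507725834.681:55): apparmor="DENIED" '
    'operation="open" profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd" '
    'name="/proc/684/cmdline" pid=3154 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=114 ouid=0'
)

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_CMDLINE = re.compile(r'^/proc/\d+/cmdline$')


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def candidate_rules(fields):
    """The two ways to stop the noise that the report weighs up:
    silence the denial, or allow it only for files the task's fsuid owns.
    The concrete pid in the path is generalised to the @{PROC}/*/ form."""
    path = fields['name']
    if not PROC_CMDLINE.match(path):
        raise ValueError('not a /proc/<pid>/cmdline access: %s' % path)
    mask = fields['denied_mask']
    generic = '@{PROC}/*/cmdline'
    return {
        'silence': 'deny %s %s,' % (generic, mask),
        'owner_allow': 'owner %s %s,' % (generic, mask),
    }


def owner_rule_matches(fields):
    """AppArmor's 'owner' qualifier matches only when the object's owner uid
    equals the accessing task's fsuid, so compare the two logged values."""
    return int(fields['fsuid']) == int(fields['ouid'])


if __name__ == '__main__':
    fields = parse_denial(DENIAL)
    for name, rule in candidate_rules(fields).items():
        print('%-12s %s' % (name + ':', rule))
    print('owner rule would match this access:', owner_rule_matches(fields))
```

For the quoted record (fsuid=114, ouid=0) the owner rule would not match, so it would leave this particular denial in the log while still allowing reads of cmdline files owned by the QEMU uid.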