Bug#786650: virt-aa-helper: incomplete apparmor profile
Hi,

Guido Günther wrote (21 Aug 2015 13:33:50 GMT):
> On Fri, Aug 21, 2015 at 11:12:33AM +0200, intrigeri wrote:
>> The path I would prefer is: submit an updated debdiff that does not contain these bonus deny rules. I could prepare it if we agree on that, assuming the current state of this stable pu is in Vcs-Git. But if someone else disagrees and prefers to argue in favour of including these changes in the stable pu, feel free to do so :)
>
> I'm fine with this as well. The debian/jessie branch on alioth is up to date.

The attached patches, applied on top of debian/jessie, modify 1.2.9-9+deb8u1 as discussed (I don't have commit rights to the Vcs-Git, so I'll let Guido apply them). Once the Git repo is up-to-date, I'll send an updated debdiff to the release team.

Cheers,
--
intrigeri

From c852ab76bbc21f49e16efaf49f916c39b69f Mon Sep 17 00:00:00 2001
From: intrigeri intrig...@debian.org
Date: Mon, 24 Aug 2015 09:05:39 +
Subject: [PATCH 1/2] Allow-access-to-libnl-3-config-files.patch: revert changes that are unrelated to the bug this patch is meant to fix.

These bonus changes should be harmless, but it's not obvious that they qualify for a stable update.
---
 .../patches/Allow-access-to-libnl-3-config-files.patch | 16 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/debian/patches/Allow-access-to-libnl-3-config-files.patch b/debian/patches/Allow-access-to-libnl-3-config-files.patch index 6932e41..58043a6 100644 --- a/debian/patches/Allow-access-to-libnl-3-config-files.patch +++ b/debian/patches/Allow-access-to-libnl-3-config-files.patch @@ -4,14 +4,14 @@ Subject: Allow access to libnl-3 config files Closes: #786650 --- - examples/apparmor/usr.lib.libvirt.virt-aa-helper | 7 +++ - 1 file changed, 7 insertions(+) + examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 ++ + 1 file changed, 2 insertions(+)
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper -index bceaaff..60739d0 100644 +index bceaaff..a3c9938 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper -@@ -16,9 +16,16 @@ +@@ -16,6 +16,8 @@ owner @{PROC}/[0-9]*/status r, @{PROC}/filesystems r, @@ -20,11 +20,3 @@ index bceaaff..60739d0 100644 # for hostdev /sys/devices/ r, /sys/devices/** r, -+ deny /dev/sd* r, -+ deny /dev/vd* r, -+ deny /dev/dm-* r, -+ deny /dev/mapper/ r, -+ deny /dev/mapper/* r, - - /usr/lib/libvirt/virt-aa-helper mr, - /sbin/apparmor_parser Ux,
-- 2.5.0

From 9219fe45e161e495432ebe9fad0db3b21a788561 Mon Sep 17 00:00:00 2001
From: intrigeri intrig...@debian.org
Date: Mon, 24 Aug 2015 09:08:28 +
Subject: [PATCH 2/2] Document more changes for 1.2.9-9+deb8u1.

---
 debian/changelog | 4 1 file changed, 4 insertions(+)

diff --git a/debian/changelog b/debian/changelog index 5c79c12..36eabe4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,6 +13,10 @@ libvirt (1.2.9-9+deb8u1) jessie; urgency=medium [ Felix Geyer ] * [9fb6c59] Allow access to libnl-3 configuration (Closes: #786652) + [ intrigeri ] + * Allow-access-to-libnl-3-config-files.patch: revert changes that are +unrelated to the bug this patch is meant to fix. + [ Daniel P. Berrange ] * [afae69a] Report original error when QMP probing fails with new QEMU (Closes: #780093)
-- 2.5.0
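Review bot: with the five `deny` lines removed from Allow-access-to-libnl-3-config-files.patch, reads of /dev/sd*, /dev/vd*, /dev/dm-* and /dev/mapper/* by virt-aa-helper will again be logged as DENIED on jessie (the /dev/dm-7 record from the original report); the thread agrees these are harmless, so saying so in the changelog entry would save users from re-reporting the noise. The patch-file metadata was adjusted consistently with the removal (`7 insertions(+)` to `2 insertions(+)`, `@@ -16,9 +16,16 @@` to `@@ -16,6 +16,8 @@`), so nothing else to flag in this hunk.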
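Review bot: the unchanged context line just above the new changelog entry closes `#786652` for the libnl-3 change, while the header of Allow-access-to-libnl-3-config-files.patch in PATCH 1/2 says `Closes: #786650`; confirm which bug number (or both) the stable update is meant to close before the debdiff goes to the release team, since the changelog is what the BTS acts on.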
Bug#786650: virt-aa-helper: incomplete apparmor profile
Hi,

On Mon, Aug 24, 2015 at 11:12:33AM +0200, intrigeri wrote:
> Hi,
>
> Guido Günther wrote (21 Aug 2015 13:33:50 GMT):
>> On Fri, Aug 21, 2015 at 11:12:33AM +0200, intrigeri wrote:
>>> The path I would prefer is: submit an updated debdiff that does not contain these bonus deny rules. I could prepare it if we agree on that, assuming the current state of this stable pu is in Vcs-Git. But if someone else disagrees and prefers to argue in favour of including these changes in the stable pu, feel free to do so :)
>>
>> I'm fine with this as well. The debian/jessie branch on alioth is up to date.
>
> The attached patches, applied on top of debian/jessie, modify 1.2.9-9+deb8u1 as discussed (I don't have commit rights to the Vcs-Git, so I'll let Guido apply them). Once the Git repo is up-to-date, I'll send an updated debdiff to the release team.

Pushed to git, thanks!
--
Guido
Bug#786650: virt-aa-helper: incomplete apparmor profile
intrigeri wrote (24 Aug 2015 09:12:33 GMT):
> Once the Git repo is up-to-date, I'll send an updated debdiff to the release team.

Done.
Bug#786650: virt-aa-helper: incomplete apparmor profile
Hi,

On Fri, Aug 21, 2015 at 11:12:33AM +0200, intrigeri wrote:
> Hi,
>
> Guido Günther wrote (21 Aug 2015 08:37:53 GMT):
>> On Fri, Aug 21, 2015 at 09:08:46AM +0200, intrigeri wrote:
>>> Felix Geyer wrote (20 Aug 2015 09:18:59 GMT):
>>>> The deny rules aren't strictly necessary but they silence those (harmless) denials.
>>>
>>> Thanks for the clarification. I don't think that silencing harmless denials qualifies for a stable pu.
>>
>> Great. Can one of you add this to #796088 - I did but it might make sense if somebody with more apparmor skills does.
>
> The path I would prefer is: submit an updated debdiff that does not contain these bonus deny rules. I could prepare it if we agree on that, assuming the current state of this stable pu is in Vcs-Git. But if someone else disagrees and prefers to argue in favour of including these changes in the stable pu, feel free to do so :)

I'm fine with this as well. The debian/jessie branch on alioth is up to date.

Cheers,
--
Guido
Bug#786650: virt-aa-helper: incomplete apparmor profile
Felix Geyer wrote (20 Aug 2015 09:18:59 GMT):
> The deny rules aren't strictly necessary but they silence those (harmless) denials.

Thanks for the clarification. I don't think that silencing harmless denials qualifies for a stable pu.

> I'm not quite sure why virt-aa-helper opens the devices in the first place. We need to look into how to push this upstream. Through modifying the helper or the profile.

I've been pushing Stefan Bader to upstream Ubuntu's improvements to the libvirt profiles for ~1 year. Patches were sent upstream, but last time I checked the package FTBFS'ed once they were applied (some autoconf issue IIRC).

Cheers,
--
intrigeri
Bug#786650: virt-aa-helper: incomplete apparmor profile
Hi,

Guido Günther wrote (21 Aug 2015 08:37:53 GMT):
> On Fri, Aug 21, 2015 at 09:08:46AM +0200, intrigeri wrote:
>> Felix Geyer wrote (20 Aug 2015 09:18:59 GMT):
>>> The deny rules aren't strictly necessary but they silence those (harmless) denials.
>>
>> Thanks for the clarification. I don't think that silencing harmless denials qualifies for a stable pu.
>
> Great. Can one of you add this to #796088 - I did but it might make sense if somebody with more apparmor skills does.

The path I would prefer is: submit an updated debdiff that does not contain these bonus deny rules. I could prepare it if we agree on that, assuming the current state of this stable pu is in Vcs-Git. But if someone else disagrees and prefers to argue in favour of including these changes in the stable pu, feel free to do so :)

Cheers,
--
intrigeri
Bug#786650: virt-aa-helper: incomplete apparmor profile
Hi,

On Fri, Aug 21, 2015 at 09:08:46AM +0200, intrigeri wrote:
> Felix Geyer wrote (20 Aug 2015 09:18:59 GMT):
>> The deny rules aren't strictly necessary but they silence those (harmless) denials.
>
> Thanks for the clarification. I don't think that silencing harmless denials qualifies for a stable pu.

Great. Can one of you add this to #796088 - I did but it might make sense if somebody with more apparmor skills does.

>> I'm not quite sure why virt-aa-helper opens the devices in the first place. We need to look into how to push this upstream. Through modifying the helper or the profile.
>
> I've been pushing Stefan Bader to upstream Ubuntu's improvements to the libvirt profiles for ~1 year. Patches were sent upstream, but last time I checked the package FTBFS'ed once they were applied (some autoconf issue IIRC).

I'd be happy to have a look, ideally if we can feed it in small pieces with knowing what it fixes. Currently looking at the OVMF fix.

Cheers,
--
Guido
Bug#786650: virt-aa-helper: incomplete apparmor profile
Guido Günther wrote (19 Aug 2015 16:56:46 GMT):
>> # for hostdev /sys/devices/ r, /sys/devices/** r, + deny /dev/sd* r, + deny /dev/vd* r, + deny /dev/dm-* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r,
>
> ...what is this for? We don't have this hunk upstream either.

It apparently comes from the Ubuntu delta. I'll try to bzr branch https://code.launchpad.net/~ubuntu-branches/ubuntu/wily/libvirt/wily later (likely not today) and see if there's an explanation in there. Felix or anyone else, feel free to be faster than me :)

Cheers,
--
intrigeri
Bug#786650: virt-aa-helper: incomplete apparmor profile
On 20.08.2015 09:54, intrigeri wrote:
> Guido Günther wrote (19 Aug 2015 16:56:46 GMT):
>>> # for hostdev /sys/devices/ r, /sys/devices/** r, + deny /dev/sd* r, + deny /dev/vd* r, + deny /dev/dm-* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r,
>>
>> ...what is this for? We don't have this hunk upstream either.
>
> It apparently comes from the Ubuntu delta. I'll try to bzr branch https://code.launchpad.net/~ubuntu-branches/ubuntu/wily/libvirt/wily later (likely not today) and see if there's an explanation in there. Felix or anyone else, feel free to be faster than me :)

That bzr tree hasn't been updated in a long while.

The deny rules aren't strictly necessary but they silence those (harmless) denials. I'm not quite sure why virt-aa-helper opens the devices in the first place. We need to look into how to push this upstream. Through modifying the helper or the profile.

Cheers,
Felix
Bug#786650: virt-aa-helper: incomplete apparmor profile
Hi,

The release team (rightfully asked)

On Fri, Jun 12, 2015 at 10:17:49PM +0200, Felix Geyer wrote:
> [..snip..]
> --- libvirt-1.2.16.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ libvirt-1.2.16/examples/apparmor/usr.lib.libvirt.virt-aa-helper @@ -16,9 +16,16 @@ profile virt-aa-helper /usr/{lib,lib64}/ owner @{PROC}/[0-9]*/status r, @{PROC}/filesystems r, + /etc/libnl-3/classid r, +

While this is needed...

> # for hostdev /sys/devices/ r, /sys/devices/** r, + deny /dev/sd* r, + deny /dev/vd* r, + deny /dev/dm-* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r,

...what is this for? We don't have this hunk upstream either.

Cheers,
--
Guido
Bug#786650: [Pkg-libvirt-maintainers] Bug#786650: virt-aa-helper: incomplete apparmor profile
Hi,

Guido Günther wrote (13 Jun 2015 11:09:36 GMT):
> Thanks. In case anybody wants to test this: http://honk.sigxcpu.org/projects/libvirt/snapshots/

I've applied these changes to usr.lib.libvirt.virt-aa-helper locally (current sid modulo gcc-5 transition), reloaded that profile, restarted AppArmor, and indeed that denial disappeared from the logs (unsurprisingly).

Should I apply and push to the debian/sid branch in Vcs-Git?

Cheers,
--
intrigeri

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#786650: [Pkg-libvirt-maintainers] Bug#786650: Bug#786650: virt-aa-helper: incomplete apparmor profile
Hi,

On Tue, Aug 11, 2015 at 09:04:35PM +0200, intrigeri wrote:
> Hi,
>
> Guido Günther wrote (13 Jun 2015 11:09:36 GMT):
>> Thanks. In case anybody wants to test this: http://honk.sigxcpu.org/projects/libvirt/snapshots/
>
> I've applied these changes to usr.lib.libvirt.virt-aa-helper locally (current sid modulo gcc-5 transition), reloaded that profile, restarted AppArmor, and indeed that denial disappeared from the logs (unsurprisingly).
>
> Should I apply and push to the debian/sid branch in Vcs-Git?

Thanks for testing. This will be part of the upcoming upload (and Vcs-Git) in a couple of hours.

Cheers,
--
Guido
Bug#786650: [Pkg-libvirt-maintainers] Bug#786650: virt-aa-helper: incomplete apparmor profile
On Fri, Jun 12, 2015 at 10:17:49PM +0200, Felix Geyer wrote:
> Hi,
>
> On Sun, 24 May 2015 16:51:27 + Luke Faraone lfara...@debian.org wrote:
>> On Sun, 2015-05-24 at 09:43 +0200, Guido Günther wrote:
>>> Hi, thanks for the patch.
>>>
>>> On Sun, May 24, 2015 at 12:14:48AM +, Luke Faraone wrote:
>>>> [..snip..]
>>>> --- usr.lib.libvirt.virt-aa-helper 2015-05-23 23:43:44.751750819 + +++ /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper 2015-05-24 00:03:13.039766331 + @@ -1,7 +1,7 @@ # Last Modified: Mon Apr 5 15:10:27 2010 #include tunables/global -/usr/lib/libvirt/virt-aa-helper { +/usr/lib/libvirt/virt-aa-helper flags=(complain) {
>>>
>>> Is that one needed as well or is it rather a debugging leftover?
>>
>> Oops, you're right, this was just for debugging. Sorry about that.
>
> I think the problems you are seeing are entirely because of bug #786652. These denials should be harmless therefore I propose the attached patch. This is also aligned with what Ubuntu does in their virt-aa-helper profile.

Thanks. In case anybody wants to test this: http://honk.sigxcpu.org/projects/libvirt/snapshots/ has these changes applied.

Cheers,
--
Guido
Bug#786650: virt-aa-helper: incomplete apparmor profile
Hi,

On Sun, 24 May 2015 16:51:27 + Luke Faraone lfara...@debian.org wrote:
> On Sun, 2015-05-24 at 09:43 +0200, Guido Günther wrote:
>> Hi, thanks for the patch.
>>
>> On Sun, May 24, 2015 at 12:14:48AM +, Luke Faraone wrote:
>>> [..snip..]
>>> --- usr.lib.libvirt.virt-aa-helper2015-05-23 23:43:44.751750819 + +++ /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper2015-05-24 00:03:13.039766331 + @@ -1,7 +1,7 @@ # Last Modified: Mon Apr 5 15:10:27 2010 #include tunables/global -/usr/lib/libvirt/virt-aa-helper { +/usr/lib/libvirt/virt-aa-helper flags=(complain) {
>>
>> Is that one needed as well or is it rather a debugging leftover?
>
> Oops, you're right, this was just for debugging. Sorry about that.

I think the problems you are seeing are entirely because of bug #786652. These denials should be harmless therefore I propose the attached patch. This is also aligned with what Ubuntu does in their virt-aa-helper profile.

Cheers,
Felix

--- libvirt-1.2.16.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ libvirt-1.2.16/examples/apparmor/usr.lib.libvirt.virt-aa-helper @@ -16,9 +16,16 @@ profile virt-aa-helper /usr/{lib,lib64}/ owner @{PROC}/[0-9]*/status r, @{PROC}/filesystems r, + /etc/libnl-3/classid r, + # for hostdev /sys/devices/ r, /sys/devices/** r, + deny /dev/sd* r, + deny /dev/vd* r, + deny /dev/dm-* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r, /usr/{lib,lib64}/libvirt/virt-aa-helper mr, /sbin/apparmor_parser Ux,
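Review bot: only `+ /etc/libnl-3/classid r,` addresses the DENIED record in the report; the five `deny /dev/...` lines after `/sys/devices/** r,` belong to a different change, and because an explicit deny rule also suppresses the audit record they replace a visible (and, as you say, harmless) denial with silence. Split them out with a comment on why virt-aa-helper reads block devices, or write them as `audit deny` if the intent is an explicit rule that still leaves a log entry.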
Bug#786650: virt-aa-helper: incomplete apparmor profile
On Sun, 2015-05-24 at 09:43 +0200, Guido Günther wrote:
> Hi, thanks for the patch.
>
> On Sun, May 24, 2015 at 12:14:48AM +, Luke Faraone wrote:
>> [..snip..]
>> --- usr.lib.libvirt.virt-aa-helper 2015-05-23 23:43:44.751750819 + +++ /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper 2015-05-24 00:03:13.039766331 + @@ -1,7 +1,7 @@ # Last Modified: Mon Apr 5 15:10:27 2010 #include tunables/global -/usr/lib/libvirt/virt-aa-helper { +/usr/lib/libvirt/virt-aa-helper flags=(complain) {
>
> Is that one needed as well or is it rather a debugging leftover?

Oops, you're right, this was just for debugging. Sorry about that.
Bug#786650: virt-aa-helper: incomplete apparmor profile
Hi, thanks for the patch.

On Sun, May 24, 2015 at 12:14:48AM +, Luke Faraone wrote:
> [..snip..]
> --- usr.lib.libvirt.virt-aa-helper2015-05-23 23:43:44.751750819 + +++ /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper2015-05-24 00:03:13.039766331 + @@ -1,7 +1,7 @@ # Last Modified: Mon Apr 5 15:10:27 2010 #include tunables/global -/usr/lib/libvirt/virt-aa-helper { +/usr/lib/libvirt/virt-aa-helper flags=(complain) {

Is that one needed as well or is it rather a debugging leftover?

Cheers,
--
Guido

> #include abstractions/base # needed for searching directories @@ -25,6 +25,7 @@ /etc/apparmor.d/libvirt/* r, /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + /etc/libnl-3/classid r, # for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools @@ -45,4 +46,5 @@ /**.vmdk r, /**.[iI][sS][oO] r, /**/disk{,.*} r, + /dev/dm* r, }
Bug#786650: virt-aa-helper: incomplete apparmor profile
Package: libvirt-daemon-system
Version: 1.2.9-9
Severity: normal
File: /etc/apparmor.d/libvirt/TEMPLATE.qemu
Tags: patch

On attempting to create a new virtual machine with KVM:

May 23 23:26:39 aqua kernel: [ 318.993668] audit: type=1400 audit(1432423599.343:63): apparmor=DENIED operation=open profile=/usr/lib/libvirt/virt-aa-helper name=/etc/libnl-3/classid pid=2499 comm=virt-aa-helper requested_mask=r denied_mask=r fsuid=0 ouid=0
May 23 23:26:39 aqua kernel: [ 318.995946] audit: type=1400 audit(1432423599.343:64): apparmor=DENIED operation=open profile=/usr/lib/libvirt/virt-aa-helper name=/dev/dm-7 pid=2499 comm=virt-aa-helper requested_mask=r denied_mask=r fsuid=0 ouid=0
May 23 23:26:39 aqua libvirtd[1130]: internal error: cannot load AppArmor profile 'libvirt-68bf0174-32b3-498e-b55d-80fdc2b5fee9'

This can be solved by applying the attached patch to /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser  3.113+nmu3
ii  gettext-base  0.19.3-2
ii  init-system-helpers  1.22
ii  libapparmor1  2.9.0-3
ii  libaudit1  1:2.4-1+b1
ii  libavahi-client3  0.6.31-5
ii  libavahi-common3  0.6.31-5
ii  libblkid1  2.25.2-6
ii  libc6  2.19-18
ii  libcap-ng0  0.7.4-2
ii  libdbus-1-3  1.8.16-1
ii  libdevmapper1.02.1  2:1.02.90-2.2
ii  libgnutls-deb0-28  3.3.8-6
ii  libnl-3-200  3.2.24-2
ii  libnl-route-3-200  3.2.24-2
ii  libnuma1  2.0.10-1
ii  librados2  0.80.7-2
ii  librbd1  0.80.7-2
ii  libsasl2-2  2.1.26.dfsg1-13
ii  libselinux1  2.3-2
ii  libssh2-1  1.4.3-4.1
ii  libsystemd0  215-17
ii  libvirt-clients  1.2.9-9
ii  libvirt-daemon  1.2.9-9
ii  libvirt0  1.2.9-9
ii  libxml2  2.9.1+dfsg1-5
ii  libyajl2  2.1.0-2
ii  logrotate  3.8.7-1+b1
ii  policykit-1  0.105-8

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-9
ii  dmidecode  2.12-3
ii  dnsmasq-base  2.72-3+deb8u1
ii  ebtables  2.0.10.4-3
ii  iproute2  3.16.0-2
ii  iptables  1.4.21-2+b1
ii  parted  3.2-7
ii  pm-utils  1.4.1-15

Versions of packages libvirt-daemon-system suggests:
ii  apparmor  2.9.0-3
pn  auditd  none
pn  radvd  none
ii  systemd  215-17
pn  systemtap  none

--- usr.lib.libvirt.virt-aa-helper 2015-05-23 23:43:44.751750819 + +++ /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper 2015-05-24 00:03:13.039766331 + @@ -1,7 +1,7 @@ # Last Modified: Mon Apr 5 15:10:27 2010 #include tunables/global -/usr/lib/libvirt/virt-aa-helper { +/usr/lib/libvirt/virt-aa-helper flags=(complain) { #include abstractions/base # needed for searching directories @@ -25,6 +25,7 @@ /etc/apparmor.d/libvirt/* r, /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + /etc/libnl-3/classid r, # for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools @@ -45,4 +46,5 @@ /**.vmdk r, /**.[iI][sS][oO] r, /**/disk{,.*} r, + /dev/dm* r, }
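Review bot: `+/usr/lib/libvirt/virt-aa-helper flags=(complain) {` switches the whole profile to complain mode, in which every access is allowed and merely logged, so with this hunk applied the two rules added further down are never enforced and the profile stops confining virt-aa-helper at all; it was confirmed in the replies to be a debugging leftover and should be dropped before the patch is applied anywhere.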
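Review bot: `+ /dev/dm* r,` grants read access to every device-mapper node (and anything else under /dev whose name starts with dm), which is far broader than the single /dev/dm-7 denial in the report; the replies conclude that this denial is harmless and that the libnl-3 classid line is the real fix, so consider leaving this rule out, as the patch the maintainers took did.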
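Two things in this thread lend themselves to a mechanical check: the DENIED audit records quoted in the report above (what aa-logprof would turn into rule suggestions) and the flags=(complain) header and deny lines argued over in the replies. The following is an added example, not code from the bug thread or from the libvirt or apparmor packages; the sample log is the report's two records with the mail wrap removed, and the function names are mine.

```python
import re
from collections import defaultdict

# The two kernel audit records from the bug report above (mail line-wrap in
# "comm=" removed).  Real kernel output quotes the values, e.g.
# apparmor="DENIED"; both the quoted and the unquoted form are accepted.
SAMPLE_LOG = """\
May 23 23:26:39 aqua kernel: [ 318.993668] audit: type=1400 audit(1432423599.343:63): apparmor=DENIED operation=open profile=/usr/lib/libvirt/virt-aa-helper name=/etc/libnl-3/classid pid=2499 comm=virt-aa-helper requested_mask=r denied_mask=r fsuid=0 ouid=0
May 23 23:26:39 aqua kernel: [ 318.995946] audit: type=1400 audit(1432423599.343:64): apparmor=DENIED operation=open profile=/usr/lib/libvirt/virt-aa-helper name=/dev/dm-7 pid=2499 comm=virt-aa-helper requested_mask=r denied_mask=r fsuid=0 ouid=0
May 23 23:26:39 aqua libvirtd[1130]: internal error: cannot load AppArmor profile 'libvirt-68bf0174-32b3-498e-b55d-80fdc2b5fee9'
"""

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=value
_HEADER = re.compile(r"^\s*(?:profile\s+\S+\s+)?(/\S+)(?:\s+flags=\(([^)]*)\))?\s*\{\s*$")
_DENY = re.compile(r"^\s*deny\s+(\S+)\s+([a-zA-Z]+),", re.M)


def parse_denials(log_text):
    """One dict of key/value fields per apparmor=DENIED record; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        fields = {k: q or u for k, q, u in _KV.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records


def suggest_rules(denials):
    """Group open() denials by profile into sorted 'path mask,' candidate rules.

    Numbered device nodes such as /dev/dm-7 are flagged for review: the number
    is not stable across boots, which is why the thread went back and forth
    between a /dev/dm* glob, explicit deny rules and leaving the denial in the log."""
    rules = defaultdict(set)
    for d in denials:
        if d.get("operation") != "open" or "name" not in d:
            continue
        rule = f"{d['name']} {d.get('requested_mask', 'r')},"
        if d["name"].startswith("/dev/") and d["name"][-1].isdigit():
            rule += "  # numbered device node, review before globbing"
        rules[d["profile"]].add(rule)
    return {p: sorted(r) for p, r in rules.items()}


def profile_flags(profile_text):
    """(attachment path, set of header flags) from the 'path [flags=(...)] {' line.

    flags=(complain) means nothing in the profile is enforced, only logged;
    the first patch in the thread carried it as a debugging leftover."""
    for line in profile_text.splitlines():
        m = _HEADER.match(line)
        if m:
            return m.group(1), {f.strip() for f in (m.group(2) or "").split(",") if f.strip()}
    return None, set()


def deny_rules(profile_text):
    """[(path, mask), ...] for explicit deny rules.  A matching deny rule fails the
    access without an audit record, which is how the disputed /dev/* hunk silenced
    those denials."""
    return _DENY.findall(profile_text)
```

Running `suggest_rules(parse_denials(SAMPLE_LOG))` yields the classid rule that fixed the report plus a flagged `/dev/dm-7` entry, and `profile_flags` on the first patch's header reports `{"complain"}`.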