Bug#878203: [pkg-apparmor] Bug#878203: Bug#878203: AA breaks libvirt when running with kernel 4.13
Control: reassign -1 libvirt-daemon-system
Control: retitle -1 AppArmor blocks QEMU guests access to /proc/*/cmdline
Control: found -1 3.8.0-3
Control: severity -1 normal
Control: tag -1 + upstream

Hi Michael, Guido & others,

first of all, thanks a lot for trying AppArmor and reporting bugs, much appreciated :)

I'm sorry you've hit issues caused by new AppArmor features landing in Linux mainline (which is very good news in itself, but we've failed to get ready for that in Debian). I have designed a plan to avoid such situations in the future: #879584 and #879585.

Michael Biebl:
> Updating libvirt to 3.8.0-1 from experimental fixed the immediate issue
> for me, i.e. the libvirt instances start again.

… and this is now fixed in sid too. Kudos to Guido for being so proactive both to fix such issues in libvirt upstream and to upload them to Debian — you rock!

> I'm not sure whether to merge these two bug reports now, or we keep this
> one open and deal with the remaining denial(s) (the severity should
> probably be downgraded in this case as it doesn't seem to cause any
> noticeable issues).

> After updating to libvirt 3.8.0-1 I still get the following DENIAL when
> shutting down a libvirt/KVM instance:
>> 2017-10-11T14:43:54.683220+02:00 pluto kernel: [ 355.112941] audit: type=1400 audit(1507725834.681:55): apparmor="DENIED" operation="open" profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd" name="/proc/684/cmdline" pid=3154 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=114 ouid=0

I'm hereby doing the latter, i.e. re-purposing this duplicate bug report into one that tracks this noisy denial.

@Guido: I've not noticed any breakage caused by AppArmor blocking QEMU access to /proc/*/cmdline. Grepping the QEMU source code for "cmdline" outputs too many hits for a non-C person like me to investigate, so I am really clueless wrt. what the potential problems of this denial could be.

Shall we silence the denial or allow it (possibly prefixed with "owner" to avoid increasing the attack surface too much)? Once we reach a conclusion here I'm happy to send a patch upstream.

Cheers,
--
intrigeri
Bug#878203: [pkg-apparmor] Bug#878203: Bug#878203: AA breaks libvirt when running with kernel 4.13
On 11.10.2017 at 13:06, Christian Boltz wrote:
> I noticed one denial that probably isn't covered by the upstream profile
> yet:
>
> apparmor="DENIED" operation="open" profile="libvirt-c6ae5f8d-e017-484d-9176-96b0e079c66d" name="/proc/726/cmdline" pid=6188 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=114 ouid=0
>
> That translates to
> /@{PROC}/@{pids}/cmdline r,
> and should probably go into abstractions/libvirt-qemu

I was pointed at https://bugs.debian.org/877926

Updating libvirt to 3.8.0-1 from experimental fixed the immediate issue for me, i.e. the libvirt instances start again.

I'm not sure whether to merge these two bug reports now, or we keep this one open and deal with the remaining denial(s) (the severity should probably be downgraded in this case as it doesn't seem to cause any noticeable issues).

After updating to libvirt 3.8.0-1 I still get the following DENIAL when shutting down a libvirt/KVM instance:

> 2017-10-11T14:43:54.683220+02:00 pluto kernel: [ 355.112941] audit: type=1400 audit(1507725834.681:55): apparmor="DENIED" operation="open" profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd" name="/proc/684/cmdline" pid=3154 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=114 ouid=0

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Bug#878203: [pkg-apparmor] Bug#878203: Bug#878203: AA breaks libvirt when running with kernel 4.13
Hello,

there were some more profile changes done - first in openSUSE [1], but AFAIK they were already upstreamed.

I had a quick look at the log - most denials are fixed with the latest upstream profile, so I'd recommend to grab that one.

I noticed one denial that probably isn't covered by the upstream profile yet:

apparmor="DENIED" operation="open" profile="libvirt-c6ae5f8d-e017-484d-9176-96b0e079c66d" name="/proc/726/cmdline" pid=6188 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=114 ouid=0

That translates to
/@{PROC}/@{pids}/cmdline r,
and should probably go into abstractions/libvirt-qemu

Regards,

Christian Boltz

[1] https://bugzilla.opensuse.org/show_bug.cgi?id=1058847 and https://bugzilla.opensuse.org/show_bug.cgi?id=1060860

--
In asynchronously distributed environments you have to violate every single rule of your database lecture. [Kris Köhntopp]
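Added example, not code from the thread or from the AppArmor or libvirt projects: a small Python script that turns AppArmor DENIED audit lines like the two quoted in this thread into candidate profile rules in the three forms the thread discusses (a plain allow rule, an `owner`-prefixed allow rule, and a `deny` rule to silence the log noise), and checks from the logged fsuid and ouid whether an `owner` rule would have matched the logged access at all. The two log lines embedded below are copied from the messages above; the generalisation to `@{PROC}/@{pids}/` follows Christian's translation, and the function names are the example's own. Worth noting for the "owner" suggestion: in both lines fsuid=114 (the user QEMU runs as) differs from ouid=0 (the owner of the /proc entry being read), so an `owner`-prefixed rule would not cover these accesses and the denial would keep appearing.

```python
import re
from typing import Dict, List, Optional

# The two denial lines from this thread (line-wrapping joined). Only the
# log content is taken from the thread; the code around it is the example's own.
SAMPLE_DENIALS = [
    '2017-10-11T14:43:54.683220+02:00 pluto kernel: [ 355.112941] audit: type=1400 '
    'audit(1507725834.681:55): apparmor="DENIED" operation="open" '
    'profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd" name="/proc/684/cmdline" '
    'pid=3154 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=114 ouid=0',
    'apparmor="DENIED" operation="open" '
    'profile="libvirt-c6ae5f8d-e017-484d-9176-96b0e079c66d" name="/proc/726/cmdline" '
    'pid=6188 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=114 ouid=0',
]

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor DENIED line, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields: Dict[str, str] = {}
    for key, val in FIELD_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def generalize_path(path: str) -> str:
    """Replace a concrete /proc/<pid>/ prefix with the tunables AppArmor profiles use."""
    return re.sub(r'^/proc/\d+/', '@{PROC}/@{pids}/', path)


def suggest_rule(fields: Dict[str, str], mode: str = 'allow') -> str:
    """Render one denial as a profile rule: 'allow', 'owner' (owner-only allow) or 'deny'."""
    path = generalize_path(fields['name'])
    perms = fields['denied_mask']
    if mode == 'allow':
        return f'{path} {perms},'
    if mode == 'owner':
        return f'owner {path} {perms},'
    if mode == 'deny':
        return f'deny {path} {perms},'
    raise ValueError(f'unknown mode: {mode}')


def owner_rule_would_match(fields: Dict[str, str]) -> bool:
    """An `owner` conditional only matches when the task's fsuid equals the object's owner uid."""
    return fields['fsuid'] == fields['ouid']


def rules_for(lines: List[str], mode: str = 'allow') -> List[str]:
    """Deduplicated, sorted candidate rules for every DENIED line in the input."""
    rules = set()
    for line in lines:
        fields = parse_denial(line)
        if fields is not None and 'name' in fields:
            rules.add(suggest_rule(fields, mode))
    return sorted(rules)


if __name__ == '__main__':
    for mode in ('allow', 'owner', 'deny'):
        print(mode, rules_for(SAMPLE_DENIALS, mode))
    for line in SAMPLE_DENIALS:
        f = parse_denial(line)
        print(f['name'], 'owner rule would match:', owner_rule_would_match(f))
```

Both sample lines collapse to the single rule `@{PROC}/@{pids}/cmdline r,` (or its `owner`/`deny` variants), which is the abstraction change Christian proposed; the fsuid/ouid check is what you would look at before accepting the `owner` prefix, since it decides whether the narrower rule actually resolves the logged denial or only the case where QEMU reads its own process's cmdline.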