Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-12-06 Thread Martin Pitt
Control: tag -1 patch -unreproducible

Michael Biebl [2017-10-23 18:22 +0200]:
> This is what I get when I *shut down* a VM in virt-manager:
> $ journalctl -f | grep DENIED
> Okt 23 18:20:31 pluto audit[8603]: AVC apparmor="DENIED"
> operation="open" profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
> name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=114 ouid=0
> Okt 23 18:20:31 pluto kernel: audit: type=1400 audit(1508775631.299:55):
> apparmor="DENIED" operation="open"
> profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
> name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=114 ouid=0

I see something similar in the Cockpit integration tests, e.g. [1]:

Error: audit: type=1400 audit(1512597807.993:50): apparmor="DENIED" 
operation="open" profile="libvirt-538b45d5-e9a6-4598-a140-ef5963e70191" 
name="/proc/521/cmdline" pid=828 comm="qemu-system-x86" requested_mask="r" 
denied_mask="r" fsuid=64055 ouid=0

Other reporters confirmed that it's relatively harmless, the Ubuntu package
already got a fix [2], and apparently several others reproduced it as well, so
updating tags.

Thanks,

Martin

[1] http://209.132.184.41/logs/pull-8219-20171206-214646-d2e9e141-verify-debian-testing/log.html#2
[2] https://git.launchpad.net/~libvirt-maintainers/ubuntu/+source/libvirt/commit/?h=ubuntu/artful=38ccdf8fe9a9d5




Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-23 Thread Guido Günther
control: severity -1 minor
control: retitle -1 apparmor logs /proc//cmdline denials on vm shutdown

Hi,
On Mon, Oct 23, 2017 at 06:41:04PM +0200, Michael Biebl wrote:
> On 23.10.2017 at 18:28, Guido Günther wrote:
> > Hi,
> > On Mon, Oct 23, 2017 at 06:22:10PM +0200, Michael Biebl wrote:
> >> On 23.10.2017 at 17:49, Guido Günther wrote:
> 
> >> This is what I get when I *shut down* a VM in virt-manager:
> >> $ journalctl -f | grep DENIED
> >> Okt 23 18:20:31 pluto audit[8603]: AVC apparmor="DENIED"
> >> operation="open" profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
> >> name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86"
> >> requested_mask="r" denied_mask="r" fsuid=114 ouid=0
> >> Okt 23 18:20:31 pluto kernel: audit: type=1400 audit(1508775631.299:55):
> >> apparmor="DENIED" operation="open"
> >> profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
> >> name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86"
> >> requested_mask="r" denied_mask="r" fsuid=114 ouid=0
> > 
> > I can produce this msg on shutdown (I assumed it to be on VM start) but
> > what does break?
> 
> No idea. I don't see any immediate breakage related to those denials.

Ahh...I didn't see your comment in

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878203#25

and intrigeri's

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878203#30

and the bug title sounded alarming. It's harmless but should be fixed
though.

Cheers,
 -- Guido



Bug#878203: [pkg-apparmor] Bug#878203: Bug#878203: Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-23 Thread Christian Boltz
Hello,

On Monday, 23 October 2017, 09:14:52 CEST, intrigeri wrote:
> >> 2017-10-11T14:43:54.683220+02:00 pluto kernel: [  355.112941] audit:
> >> type=1400 audit(1507725834.681:55): apparmor="DENIED"
> >> operation="open"
> >> profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
> >> name="/proc/684/cmdline" pid=3154 comm="qemu-system-x86"
> >> requested_mask="r" denied_mask="r" fsuid=114 ouid=0

> Shall we silence the denial or allow it

No idea about that, but...

> (possibly prefixed with "owner" to avoid increasing the attack
> surface too much)?

Have a look at the denial again - fsuid != ouid, so you can't use an 
owner rule.

Also, the pid is not the same as in the /proc/*/cmdline name, so please 
use @{pids}, not the (planned-to-be-restricted-to-own-pid) @{pid} 
variable.


Regards,

Christian Boltz
-- 
A killfile is the natural habitat of trolls and elks.  When
someone joins them, funny noises arise, such as PLONK.
Sometimes it also goes SPLASH, when the habitat is already
overpopulated. [David Dahlberg]
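
The two checks from the message above (no `owner` prefix because fsuid != ouid, and `@{pids}` because the reading pid differs from the pid in the path), applied to the denial line from this thread. This is an added example, not part of the original messages; the function names and the second sample line are hypothetical and constructed for illustration.

```python
import re

# Constructed sample: the denial quoted in the thread, joined onto one line.
THREAD_DENIAL = (
    'audit: type=1400 audit(1508775631.299:55): apparmor="DENIED" '
    'operation="open" profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd" '
    'name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=114 ouid=0'
)
# Constructed counter-example (hypothetical values): a process reading its own
# /proc entry, where the file owner matches the caller's fsuid.
SELF_DENIAL = (
    'audit: type=1400 audit(0.000:1): apparmor="DENIED" operation="open" '
    'profile="example" name="/proc/4242/cmdline" pid=4242 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PROC_PID = re.compile(r'^/proc/(\d+)(/.*)?$')
# Log masks "c" (create) and "d" (delete) are covered by "w" in file rules.
_MASK_TO_PERM = {"c": "w", "d": "w"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    fields = {key: value.strip('"') for key, value in _KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def suggest_rule(fields):
    """Build a candidate file rule, written in the form used in the thread."""
    path = fields["name"]
    match = _PROC_PID.match(path)
    if match:
        # @{pid} only fits when the process reads its own /proc entry;
        # any other pid in the path needs @{pids}.
        var = "@{pid}" if match.group(1) == fields.get("pid") else "@{pids}"
        path = "/@{PROC}/" + var + (match.group(2) or "")
    perms = []
    for char in fields["denied_mask"]:
        perm = _MASK_TO_PERM.get(char, char)
        if perm not in perms:
            perms.append(perm)
    # An "owner" rule only matches when the file's owner (ouid) is the
    # uid making the access (fsuid).
    fsuid, ouid = fields.get("fsuid"), fields.get("ouid")
    owner = "owner " if fsuid is not None and fsuid == ouid else ""
    return f"{owner}{path} {''.join(perms)},"


if __name__ == "__main__":
    for sample in (THREAD_DENIAL, SELF_DENIAL):
        print(suggest_rule(parse_denial(sample)))
```
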




Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-23 Thread Michael Biebl
On 23.10.2017 at 18:28, Guido Günther wrote:
> Hi,
> On Mon, Oct 23, 2017 at 06:22:10PM +0200, Michael Biebl wrote:
>> On 23.10.2017 at 17:49, Guido Günther wrote:

>> This is what I get when I *shut down* a VM in virt-manager:
>> $ journalctl -f | grep DENIED
>> Okt 23 18:20:31 pluto audit[8603]: AVC apparmor="DENIED"
>> operation="open" profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
>> name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86"
>> requested_mask="r" denied_mask="r" fsuid=114 ouid=0
>> Okt 23 18:20:31 pluto kernel: audit: type=1400 audit(1508775631.299:55):
>> apparmor="DENIED" operation="open"
>> profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
>> name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86"
>> requested_mask="r" denied_mask="r" fsuid=114 ouid=0
> 
> I can produce this msg on shutdown (I assumed it to be on VM start) but
> what does break?

No idea. I don't see any immediate breakage related to those denials.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-23 Thread Guido Günther
Hi,
On Mon, Oct 23, 2017 at 06:22:10PM +0200, Michael Biebl wrote:
> On 23.10.2017 at 17:49, Guido Günther wrote:
> 
> > I can't reproduce this here with 4.13.0-1-amd64 and
> > libvirt-daemon-system 3.8.0-3.
> >  -- Guido
> > 
> linux-image-4.13.0-1-amd64 4.13.4-2
> libvirt-daemon-system 3.8.0-3
> 
> This is what I get when I *shut down* a VM in virt-manager:
> $ journalctl -f | grep DENIED
> Okt 23 18:20:31 pluto audit[8603]: AVC apparmor="DENIED"
> operation="open" profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
> name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=114 ouid=0
> Okt 23 18:20:31 pluto kernel: audit: type=1400 audit(1508775631.299:55):
> apparmor="DENIED" operation="open"
> profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
> name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=114 ouid=0

I can produce this msg on shutdown (I assumed it to be on VM start) but
what does break?
 -- Guido

> 
> 
> -- 
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
> 



Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-23 Thread Michael Biebl
On 23.10.2017 at 17:49, Guido Günther wrote:

> I can't reproduce this here with 4.13.0-1-amd64 and
> libvirt-daemon-system 3.8.0-3.
>  -- Guido
> 
linux-image-4.13.0-1-amd64 4.13.4-2
libvirt-daemon-system 3.8.0-3

This is what I get when I *shut down* a VM in virt-manager:
$ journalctl -f | grep DENIED
Okt 23 18:20:31 pluto audit[8603]: AVC apparmor="DENIED"
operation="open" profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=114 ouid=0
Okt 23 18:20:31 pluto kernel: audit: type=1400 audit(1508775631.299:55):
apparmor="DENIED" operation="open"
profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
name="/proc/718/cmdline" pid=8603 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=114 ouid=0


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-23 Thread Guido Günther
Hi,
On Wed, Oct 11, 2017 at 02:10:01AM +0200, Michael Biebl wrote:
> Package: apparmor
> Version: 2.11.0-11
> Severity: serious
> 
> After the kernel upgrade from 4.12 to 4.13 my KVM/libvirt instances
> failed to start:
> Okt 10 19:24:44 pluto libvirtd[673]: 2017-10-10 17:24:44.404+: 797: error 
> : virProcessRunInMountNamespace:1159 : internal error: child reported: Kernel 
> does not provide mount namespace: Permission denied
> 
> Disabling AppArmor made libvirt work again.
> There seems to be an incompatibility between the 4.13 kernel and
> AppArmor. Please reassign if you think this is a bug in the kernel.
> 
> I've decided to mark this as RC, as breaking KVM is a rather severe
> regression which needs to be fixed for buster.
> 
> A quick internet search turns up
> https://forums.opensuse.org/showthread.php/527394-KVM-guest-will-not-start-with-latest-version-of-kernel
> and following that
> https://www.redhat.com/archives/libvir-list/2017-September/msg00546.html

I can't reproduce this here with 4.13.0-1-amd64 and
libvirt-daemon-system 3.8.0-3.
 -- Guido



Bug#878203: [pkg-apparmor] Bug#878203: Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-23 Thread intrigeri
Control: reassign -1 libvirt-daemon-system
Control: retitle -1 AppArmor blocks QEMU guests access to /proc/*/cmdline
Control: found -1 3.8.0-3
Control: severity -1 normal
Control: tag -1 + upstream

Hi Michael, Guido & others,

first of all, thanks a lot for trying AppArmor and reporting bugs,
much appreciated :)

I'm sorry you've hit issues caused by new AppArmor features landing in
Linux mainline (which is very good news in itself but we've failed to
get ready for that in Debian). I have designed a plan to avoid such
situations in the future: #879584 and #879585.

Michael Biebl:
> Updating libvirt to 3.8.0-1 from experimental fixed the immediate issue
> for me, i.e. the libvirt instances start again.

… and this is now fixed in sid too. Kudos to Guido for being so
proactive both to fix such issues in libvirt upstream and to upload
them to Debian — you rock!

> I'm not sure whether to merge these two bug reports now, or we keep this
> one open and deal with the remaining denial(s) (the severity should
> probably be downgraded in this case as it doesn't seem to cause any
> noticeable issues).

> After updating to libvirt 3.8.0-1 I still get the following DENIAL when
> shutting down a libvirt/KVM instance:

>> 2017-10-11T14:43:54.683220+02:00 pluto kernel: [  355.112941] audit:
>> type=1400 audit(1507725834.681:55): apparmor="DENIED" operation="open"
>> profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
>> name="/proc/684/cmdline" pid=3154 comm="qemu-system-x86"
>> requested_mask="r" denied_mask="r" fsuid=114 ouid=0

I'm hereby doing the latter, i.e. re-purposing this duplicate bug
report into one that tracks this noisy denial.

@Guido: I've not noticed any breakage caused by AppArmor blocking QEMU
access to /proc/*/cmdline. Grepping the QEMU source code for "cmdline"
outputs too many hits for a non-C person like me to investigate, so
I am really clueless wrt. what the potential problems of this denial
could be. Shall we silence the denial or allow it (possibly prefixed
with "owner" to avoid increasing the attack surface too much)? Once we
reach a conclusion here I'm happy to send a patch upstream.

Cheers,
-- 
intrigeri



Bug#878203: [pkg-apparmor] Bug#878203: Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-11 Thread Michael Biebl
On 11.10.2017 at 13:06, Christian Boltz wrote:
> I noticed one denial that probably isn't covered by the upstream profile 
> yet:
> 
> apparmor="DENIED" operation="open" profile="libvirt-c6ae5f8d-
> e017-484d-9176-96b0e079c66d" name="/proc/726/cmdline" pid=6188 
> comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=114 
> ouid=0
> 
> That translates to
> /@{PROC}/@{pids}/cmdline r,
> and should probably go into abstractions/libvirt-qemu



I was pointed at https://bugs.debian.org/877926

Updating libvirt to 3.8.0-1 from experimental fixed the immediate issue
for me, i.e. the libvirt instances start again.

I'm not sure whether to merge these two bug reports now, or we keep this
one open and deal with the remaining denial(s) (the severity should
probably be downgraded in this case as it doesn't seem to cause any
noticeable issues).

After updating to libvirt 3.8.0-1 I still get the following DENIAL when
shutting down a libvirt/KVM instance:

> 2017-10-11T14:43:54.683220+02:00 pluto kernel: [  355.112941] audit:
> type=1400 audit(1507725834.681:55): apparmor="DENIED" operation="open"
> profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
> name="/proc/684/cmdline" pid=3154 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=114 ouid=0


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?






Bug#878203: [pkg-apparmor] Bug#878203: Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-11 Thread Christian Boltz
Hello,

there were some more profile changes done - first in openSUSE [1], but 
AFAIK they were already upstreamed.

I had a quick look at the log - most denials are fixed with the latest 
upstream profile, so I'd recommend to grab that one.

I noticed one denial that probably isn't covered by the upstream profile 
yet:

apparmor="DENIED" operation="open" profile="libvirt-c6ae5f8d-
e017-484d-9176-96b0e079c66d" name="/proc/726/cmdline" pid=6188 
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=114 
ouid=0

That translates to
/@{PROC}/@{pids}/cmdline r,
and should probably go into abstractions/libvirt-qemu


Regards,

Christian Boltz

[1] https://bugzilla.opensuse.org/show_bug.cgi?id=1058847 and
https://bugzilla.opensuse.org/show_bug.cgi?id=1060860
-- 
In asynchronous distributed environments you have to violate every single
rule from your database lecture. [Kris Köhntopp]




Bug#878203: [pkg-apparmor] Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-11 Thread Michael Biebl
On 11.10.2017 at 04:35, Seth Arnold wrote:
> Hello Michael, do you still have the DENIED lines from your kernel logs
> when experiencing this problem? If so please share them here.
> 
> Thanks
> 
attached is the output of "grep audit /var/log/kern.log"

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Bug#878203: [pkg-apparmor] Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-10 Thread Seth Arnold
Hello Michael, do you still have the DENIED lines from your kernel logs
when experiencing this problem? If so please share them here.

Thanks




Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-10 Thread Michael Biebl
Package: apparmor
Version: 2.11.0-11
Severity: serious

After the kernel upgrade from 4.12 to 4.13 my KVM/libvirt instances
failed to start:
Okt 10 19:24:44 pluto libvirtd[673]: 2017-10-10 17:24:44.404+: 797: error : 
virProcessRunInMountNamespace:1159 : internal error: child reported: Kernel 
does not provide mount namespace: Permission denied

Disabling AppArmor made libvirt work again.
There seems to be an incompatibility between the 4.13 kernel and
AppArmor. Please reassign if you think this is a bug in the kernel.

I've decided to mark this as RC, as breaking KVM is a rather severe
regression which needs to be fixed for buster.

A quick internet search turns up
https://forums.opensuse.org/showthread.php/527394-KVM-guest-will-not-start-with-latest-version-of-kernel
and following that
https://www.redhat.com/archives/libvir-list/2017-September/msg00546.html

Regards,
Michael


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), 
LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor depends on:
ii  debconf              1.5.63
ii  init-system-helpers  1.49
ii  libapparmor-perl     2.11.0-11
ii  libc6                2.24-17
ii  lsb-base             9.20170808
ii  python3              3.5.3-3

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-profiles        2.11.0-11
pn  apparmor-profiles-extra
ii  apparmor-utils           2.11.0-11

-- debconf information excluded