[Bug 522845] Re: compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor

2010-06-16 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 0.8.1-2ubuntu1

---
libvirt (0.8.1-2ubuntu1) maverick; urgency=low

  * Merge from debian unstable. Remaining changes:
- Fixes:
  LP: #522845
  LP: #553737
  LP: #520386
- debian/control:
  + Build-Depends on qemu-kvm, not qemu
  + Build-Depends on open-iscsi-utils, not open-iscsi
  + Build-Depends on libxml2-utils
  + Build-Depends on libapparmor-dev and Suggests apparmor
  + Bump bridge-utils, dnsmasq-base, netcat-openbsd, and iptables
    to Depends of libvirt-bin
  + Drop qemu-kvm and qemu to Suggests
  + We call libxen-dev libxen3-dev, so change all references
  + Rename Vcs-* to XS-Debian-Vcs-*
- debian/libvirt-bin.postinst:
  + rename the libvirt group to libvirtd
  + add each admin user to the libvirtd group
  + reload apparmor profiles
- debian/libvirt-bin.postrm:
  + rename the libvirt group to libvirtd
  + remove apparmor symlinks on purge
- debian/README.Debian: add AppArmor section based on the upstream
  documentation
- debian/rules:
  + update DEB_DH_INSTALLINIT_ARGS for upstart
  + add DEB_MAKE_CHECK_TARGET := check
  + use --with-apparmor
  + copy apparmor and apport hook to debian/tmp
- add debian/libvirt-bin.upstart
- debian/libvirt-bin.dirs: add /etc/apparmor.d/abstractions,
  /etc/apparmor.d/disable, /etc/apparmor.d/force-complain,
  /etc/apparmor.d/libvirt, /etc/cron.daily and
  /usr/share/apport/package-hooks
- add debian/libvirt-bin.cron.daily
- add debian/libvirt-bin.apport
- debian/libvirt-bin.install: install apparmor profiles, abstractions
  and apport hook
- debian/apparmor:
  - add TEMPLATE
  - add libvirt-qemu abstraction
  - add usr.lib.libvirt.virt-aa-helper
  - add usr.sbin.libvirtd
- debian/patches/series:
  + don't apply 0002-qemu-disable-network.diff.patch
  + don't apply 0005-Terminate-nc-on-EOF.patch. Use
    9010-autodetect-nc-params.patch instead
  + 9000-delayed_iff_up_bridge.patch (refreshed)
  + 9001-dont_clobber_existing_bridges.patch
  + 9002-better_default_uri_virsh.patch (updated)
  + 9004-better-default-arch.patch
  + 9005-libvirtd-group-name.patch
  + 9006-increase-unix-socket-timeout.patch (refreshed)
  + 9007-default-config-test-case.patch (updated)
  + 9008-fix-daemon-conf-ftbfs.patch (rewritten)
  + 9009-run-as-root-by-default.patch (refreshed)
  + 9010-autodetect-nc-params.patch (refreshed, formerly 9015)
  + 9011-dont-disable-ipv6.patch (updated)
  * Dropped following packaging changes, no longer required with upgrades
    from Lucid:
- debian/control:
  + versioned Conflicts/Replaces to libvirt0 for libvirt0-dbg
  + remove Build-Depends on libcap-ng-dev
- debian/libvirt-bin.postinst: virt-aa-helper profile migration to
  /usr/lib/libvirt
- debian/libvirt-bin.preinst: added to force complain on certain
  upgrades
  * Dropped the following patches, included upstream:
- 0010-Use-base-16-for-product-vendor.patch
- 9003-increase-logoutput-timeout.patch
- 9010-apparmor-ftbfs.patch
- 9011-node_device_driver.patch
- 9012-dont-crash-on-restart.patch
- 9013-apparmor-dont-clear-caps.patch
- 9014-apparmor-remove-unloaded-profile-is-not-fatal.patch
- 9016-disk-cache-setting-xml.patch
- 9018-fix-pty-console.patch
- 9019-apparmor-fix-xauth.patch
- 9020-apparmor-fix-backingstore.patch
- 9021-apparmor-fix-hostdev.patch
- 9022-dont-leak-log-fd.path.patch
- 9023-virt-pki-validate_fixes.patch
- 9024-free-memory-for-invalid-devices.patch (use
  0008-Fix-leaks-in-udev-device-add-remove.patch from Debian)
  * debian/apparmor/usr.lib.libvirt.virt-aa-helper: allow access to ecryptfs
    files (LP: #591769)
  * debian/patches/9012-fix-nodeinfotest-ftbfs.patch: fix FTBFS in
    nodeinfotest. Drop in 0.8.2.
  * debian/patches/9013-apparmor-lp457716.patch: properly support/save and
    restore (LP: #457716). Drop in 0.8.2.
  * debian/apparmor/libvirt-qemu: remove workaround for LP: #457716
  * don't create and run ebtables script in /tmp:
- debian/apparmor/usr.sbin.libvirt: allow ixr to /var/lib/libvirt/virtd*
  for new ebtables functionality added in 0.8.0
- debian/patches/9014-move-ebtables-script.patch: update
  nwfilter_ebiptables_driver.c /var/lib/libvirt to use /var/lib/libvirt
  instead of /tmp

libvirt (0.8.1-2) unstable; urgency=low

  * [41aea79] Drop patchsys-quilt since this package is 3.0 (quilt) now.
    (Closes: #577919)
  * [978e3c9] libvirt-bin.init: export PATH. (Closes: #584333)
  * [e4f0869] virt-xml-validate needs xmllint from libxml2-utils.
    (Closes: #584869)
  * [bba6d72] New patch 0008-Fix-leaks-in-udev-device-add-remove.patch:
    Fix leaks in udev device add/remove. (Closes: #582965) - thanks to
    Nigel Jones for forwarding this

libvirt (0.8.1-1) unstable; ur

[Bug 522845] Re: compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor

2010-04-01 Thread Dustin Kirkland
** Tags added: fixed-in-0.7.7

-- 
compiling with libcap-ng disallows qemu/kvm access to files not owned by root 
when not using AppArmor
https://bugs.launchpad.net/bugs/522845
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 522845] Re: compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor

2010-02-18 Thread Jamie Strandboge
** Description changed:

  libvirt in 10.04 is now compiled with libcap-ng. According to 
http://libvirt.org/drvqemu.html#securitycap this will affect QEMU/KVM access to 
files if libvirt is configured to launch VMs as root (the default in Ubuntu, 
see bug #522619 for why). From the libvirt.org page:
  "The Linux capability feature is thus aimed primarily at the scenario where 
the QEMU processes are running as root. In this case, before launching a QEMU 
virtual machine, libvirtd will use libcap-ng APIs to drop all process 
capabilities. It is important for administrators to note that this implies the 
QEMU process will only be able to access files owned by root, and not files 
owned by any other user."
  
  As it happens, the AppArmor security driver (which is enabled by
  default) disallows the SETPCAP capability, which is needed to drop these
- capabilities. As such, these capabilties is not dropped and libvirt
+ capabilities. As such, these capabilties are not dropped and libvirt
  behaves in much the same way as it would without being compiled with
  libcap-ng, like in previous releases of Ubuntu (this is not a security
  issue because the VM is confined by a restrictive AppArmor profile).
- This means that accesses VMs in $HOME still work.
+ This means that accessing VMs in $HOME still work.
  
  However (and this is where the potential problem is) if someone disables the 
AppArmor security driver or adds this capability to the AppArmor profile, then 
SETPCAP is available and any VMs that need access to disk files, etc not owned 
by root will break with the following in /var/log/libvirt/qemu/.log:
  qemu: could not open disk image /home/.../disk0.qcow2: Permission denied
  
  This could be a serious regression for people using QEMU/KVM without
  AppArmor.
  
  ProblemType: Bug
  Architecture: i386
  Date: Tue Feb 16 14:30:49 2010
  DistroRelease: Ubuntu 10.04
  InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100130)
  Package: libvirt-bin 0.7.5-5ubuntu7
  ProcEnviron:
-  PATH=(custom, user)
-  LANG=en_US.utf8
-  SHELL=/bin/bash
+  PATH=(custom, user)
+  LANG=en_US.utf8
+  SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 2.6.32-13.18-generic
  SourcePackage: libvirt
  Uname: Linux 2.6.32-13-generic i686

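Added example (not code from the bug report, from libvirt or from the Ubuntu packaging): a small Python script that lets an administrator verify which of the two states described in the report a running QEMU process is actually in. It decodes the CapEff mask from /proc/<pid>/status (a root QEMU whose capabilities were dropped by libcap-ng shows a CapEff of all zeros and, without CAP_DAC_OVERRIDE, is subject to ordinary permission bits; one whose capabilities were not dropped still holds CAP_DAC_OVERRIDE and can open anyone's files), and it checks an AppArmor profile text for a "capability setpcap," rule, because the CapEff of libvirtd itself says nothing about whether AppArmor will let libvirtd use CAP_SETPCAP. The /proc excerpts, the profile snippets and the script name capstate.py are constructed for this example; the profile path /etc/apparmor.d/usr.sbin.libvirtd is assumed from the changelog's usr.sbin.libvirtd entry.

```python
"""capstate.py: report the capability state of a QEMU process and whether an
AppArmor profile grants setpcap.  Added example, not libvirt code; the /proc
and profile texts at the bottom are constructed samples, not captured data."""
import re
import sys

# Capability numbers from <linux/capability.h>; the list index is the bit
# number in the CapEff mask.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]


def decode_capmask(hexmask):
    """Turn a CapXxx hex mask from /proc/<pid>/status into a set of names."""
    mask = int(hexmask, 16)
    names = set(name for bit, name in enumerate(CAP_NAMES) if mask & (1 << bit))
    # Bits newer than our table are reported by number rather than dropped.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if mask & (1 << bit):
            names.add("cap_%d" % bit)
    return names


def parse_proc_status(text):
    """Return (real uid, effective capability set) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    uid = int(fields["Uid"].split()[0])  # first column is the real uid
    return uid, decode_capmask(fields["CapEff"])


def assess_qemu(status_text):
    """Classify what file access a QEMU process will get for guest disks."""
    uid, caps = parse_proc_status(status_text)
    if uid != 0:
        return "non-root: access follows ordinary DAC for uid %d" % uid
    if "dac_override" in caps:
        return ("root with CAP_DAC_OVERRIDE: can open files owned by any user "
                "(capabilities were not dropped, e.g. AppArmor denied CAP_SETPCAP)")
    return ("root with capabilities dropped: can only open files whose mode "
            "bits allow uid 0 (the libcap-ng case)")


# 'capability setpcap,' grants one capability; a bare 'capability,' grants all.
CAP_RULE = re.compile(r"^\s*capability((?:\s+[a-z_]+)*)\s*,", re.M)


def apparmor_profile_grants(profile_text, capname):
    """True if the profile text contains a rule granting the capability."""
    for match in CAP_RULE.finditer(profile_text):
        names = match.group(1).split()
        if not names or capname in names:
            return True
    return False


# Constructed /proc/<pid>/status excerpts for the two states the report contrasts.
QEMU_CAPS_DROPPED = "Name:\tkvm\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n"
QEMU_CAPS_KEPT = "Name:\tkvm\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
# Constructed profile excerpts: the first omits setpcap (so libvirtd cannot drop
# capabilities), the second grants it (the state that breaks VMs in $HOME).
PROFILE_STOCK = "/usr/sbin/libvirtd {\n  capability kill,\n  capability net_admin,\n}\n"
PROFILE_MODIFIED = "/usr/sbin/libvirtd {\n  capability kill,\n  capability setpcap,\n}\n"

if __name__ == "__main__":
    # Usage: capstate.py <qemu pid> [/etc/apparmor.d/usr.sbin.libvirtd]
    with open("/proc/%s/status" % sys.argv[1]) as f:
        print(assess_qemu(f.read()))
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            print("profile grants setpcap:",
                  apparmor_profile_grants(f.read(), "setpcap"))
```

Run it as root against a guest's QEMU pid (ps or virsh will show it). Note that "files owned by root" in the quoted libvirt documentation really means "files whose mode bits allow uid 0 once CAP_DAC_OVERRIDE is gone": a 0644 disk image in $HOME is still readable by root, but QEMU opens disk images for writing, which is why the log shows Permission denied.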


[Bug 522845] Re: compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor

2010-02-16 Thread Dustin Kirkland
** Changed in: libvirt (Ubuntu)
   Importance: Undecided => High



[Bug 522845] Re: compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor

2010-02-16 Thread Jamie Strandboge
** Summary changed:

- compiling with libcap-ng disallows qemu/kvm access to files not owned by root
+ compiling with libcap-ng disallows qemu/kvm access to files not owned by root 
when not using AppArmor



[Bug 522845] Re: compiling with libcap-ng disallows qemu/kvm access to files not owned by root

2010-02-16 Thread Jamie Strandboge

** Attachment added: "Dependencies.txt"
   http://launchpadlibrarian.net/39278824/Dependencies.txt

** Changed in: libvirt (Ubuntu)
   Status: New => Triaged
