*** This bug is a security vulnerability *** Public security bug reported:
Binary package hint: apparmor Since a while back Ubuntu provides an excellent security model for virtualized systems. This happens via dynamic apparmor profiles protecting against manipulating other virtualized system resources but also the host system itself. Example of how it works: # apt-get install apparmor-profiles # aa-enforce /etc/apparmor.d/* <start your libvirtd and virtual machines> # apparmor_status apparmor module is loaded. 33 profiles are loaded. 33 profiles are in enforce mode. [...] 4 processes have profiles defined. 4 processes are in enforce mode : /usr/sbin/libvirtd (1928) /usr/sbin/named (5018) libvirt-d829936f-bbff-b657-afeb-b250d8083f81 (12108) libvirt-ec24421d-1911-4b1b-09a8-0ece48901cb8 (20030) [...] # ps -ef --pid 12108 101 12108 1 1 Dec11 ? 00:41:09 /usr/bin/kvm The dynamic libvirt-<UUID> profiles are created by libvirtd on launch. They are included by /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper. When you start a virtual system new files are put under /etc/apparmor.d/libvirt. /usr/lib/libvirt/virt-aa-helper then starts (hence invoking the dynamic security profile) and then forks the KVM process. An example of enforcement looks like: # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT. "/var/log/libvirt/**/test_crypto.log" w, "/var/lib/libvirt/**/test_crypto.monitor" rw, "/var/run/libvirt/**/test_crypto.pid" rwk, "/data/servers/test/vda.img" rw, Very nice. This is of course until you decide to update your system. And install a new apparmor, apparmor-profile or anything triggering "service apparmor restart" (efficiently unloading and reloading all apparmor profiles). This efficiently makes apparmor enforce the new policies on existing running applications. Unfortunately /usr/lib/libvirt/virt-aa-helper is no longer running, and more importantly no longer with the same UUID so the KVM security profiles are no longer enforced. For a system performing automatic security updates this is almost bound to happen. Example: # service apparmor restart * Reloading AppArmor profiles [ OK ] # apparmor_status apparmor module is loaded. 31 profiles are loaded. 31 profiles are in enforce mode. [...] 2 processes have profiles defined. 2 processes are in enforce mode : /usr/sbin/libvirtd (1928) /usr/sbin/named (5018) [...] Security is efficiently disabled. System information: Distributor ID: Ubuntu Description: Ubuntu 10.10 Release: 10.10 Codename: maverick (Thank you launchpad/ubuntu-bugs for requiring referral headers, not saving my published information hence forcing me to rewrite the same bug report again. Frustration^2 of obscurity security. HTTPS and personal accounts should be way sufficient.) ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Visibility changed to: Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/702774 Title: Update of AppArmor disables libvirtd dynamic profiles -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs