*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: apparmor

Since a while back Ubuntu provides an excellent security model for
virtualized systems. This happens via dynamic apparmor profiles
protecting against manipulating other virtualized system resources but
also the host system itself.

Example of how it works:

# apt-get install apparmor-profiles
# aa-enforce /etc/apparmor.d/*
<start your libvirtd and virtual machines>
# apparmor_status
apparmor module is loaded.
33 profiles are loaded.
33 profiles are in enforce mode.
[...]
4 processes have profiles defined.
4 processes are in enforce mode :
   /usr/sbin/libvirtd (1928) 
   /usr/sbin/named (5018) 
   libvirt-d829936f-bbff-b657-afeb-b250d8083f81 (12108)
   libvirt-ec24421d-1911-4b1b-09a8-0ece48901cb8 (20030)
[...]
# ps -ef --pid 12108
101      12108     1  1 Dec11 ?        00:41:09 /usr/bin/kvm

The dynamic libvirt-<UUID> profiles are created by libvirtd on launch.
They are included by /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper.
When you start a virtual system new files are put under
/etc/apparmor.d/libvirt. /usr/lib/libvirt/virt-aa-helper then starts
(hence invoking the dynamic security profile) and then forks the KVM
process.

An example of enforcement looks like:

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/test_crypto.log" w,
  "/var/lib/libvirt/**/test_crypto.monitor" rw,
  "/var/run/libvirt/**/test_crypto.pid" rwk,
  "/data/servers/test/vda.img" rw,

Very nice.

This is, of course, until you decide to update your system and install a
new apparmor, apparmor-profile or anything triggering "service apparmor
restart" (efficiently unloading and reloading all apparmor profiles).

This efficiently makes apparmor enforce the new policies on existing
running applications. Unfortunately /usr/lib/libvirt/virt-aa-helper is
no longer running, and more importantly no longer with the same UUID so
the KVM security profiles are no longer enforced.

For a system performing automatic security updates this is almost bound
to happen.

Example:

# service apparmor restart
 * Reloading AppArmor profiles                                           [ OK ] 
# apparmor_status
apparmor module is loaded.
31 profiles are loaded.
31 profiles are in enforce mode.
[...]
2 processes have profiles defined.
2 processes are in enforce mode :
   /usr/sbin/libvirtd (1928) 
   /usr/sbin/named (5018) 
[...]

Security is efficiently disabled.

System information:

Distributor ID: Ubuntu
Description:    Ubuntu 10.10
Release:        10.10
Codename:       maverick


(Thank you launchpad/ubuntu-bugs for requiring referral headers, not
saving my published information hence forcing me to rewrite the same bug
report again. Frustration^2 of obscurity security. HTTPS and personal
accounts should be way sufficient.)

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/702774

Title:
  Update of AppArmor disables libvirtd dynamic profiles

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
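
A check for the condition this report describes, added here as an example and not part of the original report or of libvirt/AppArmor: it reads each KVM/QEMU process's AppArmor label from /proc/<pid>/attr/current and lists the ones that are not confined by a libvirt-<UUID> profile in enforce mode. The function name, the matched binary names other than kvm, and the optional proc-root argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report). Run as root so that other
# users' /proc/<pid>/exe links are readable.

# unconfined_guests [PROC_ROOT]
#   Prints "<pid> <label>" for every kvm/qemu process whose AppArmor label
#   is not "libvirt-<UUID> (enforce)". Returns 0 if all guests are
#   confined, 1 if at least one is not.
#   PROC_ROOT defaults to /proc (the argument is a hypothetical hook so
#   the check can be exercised against a constructed directory tree).
unconfined_guests() {
    proc_root=${1:-/proc}
    found=0
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # Kernel threads and vanished processes have no readable exe link.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # After a package upgrade the running binary shows as "(deleted)".
        exe=${exe%" (deleted)"}
        case ${exe##*/} in
            kvm|qemu-kvm|qemu-system-*) ;;
            *) continue ;;
        esac
        # The kernel reports the confinement label here, for example
        # "libvirt-<UUID> (enforce)" or "unconfined".
        label=$(cat "$dir/attr/current" 2>/dev/null) || label="unreadable"
        case $label in
            libvirt-*" (enforce)") ;;
            *)
                printf '%s %s\n' "${dir##*/}" "$label"
                found=1
                ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Usage, e.g. from a post-upgrade hook or a monitoring job:
#   unconfined_guests || logger -p auth.warning "KVM guest without AppArmor profile"
```

Running it before and after "service apparmor restart" shows the guests moving from a libvirt-<UUID> label to unconfined, which apparmor_status only shows indirectly through the missing entries.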
