Public bug reported:

By debugging various bugs I've found several entries missing in the libvirt-qemu apparmor abstraction.
Those issues - now that they are understood - are taken out of the original bugs to focus on the remaining debugging there.
None of these are per Guest, so add to /etc/apparmor.d/abstractions/libvirt-qemu.

The missing entries as identified are:

#1 For virtual functions, the generic vfio interface in /etc/apparmor.d/abstractions/libvirt-qemu, like:

  # allow guest access to the generic base vfio interface (LP: #1678322)
  /dev/vfio/vfio rw,

I checked with the security team, and also according to https://www.kernel.org/doc/Documentation/vfio.txt this base interface should be safe to be allowed.

#2 Binaries for ppc64el based checks in the kvm wrapper script.
That wrapper extension about smt awareness was tested and works fine as-is, but not when driven via libvirt due to the profile restrictions.

  apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/usr/sbin/ppc64_cpu" pid=9539 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0
  apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/bin/grep" pid=9541 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0

#3 Qemu tries to read who killed it to report on shutdown:

  [ 518.615420] audit: type=1400 audit(1491467132.255:21): apparmor="DENIED" operation="open" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/proc/7989/cmdline" pid=9531 comm="qemu-system-ppc" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

The following should be rather safe:

  /proc/*/cmdline r,

That will make the <unknown process> in logs like the following more readable:

  "qemu-system-ppc64: terminating on signal 15 from pid 10924 (<unknown process>)"

** Affects: libvirt (Ubuntu)
     Importance: High
     Assignee: ChristianEhrhardt (paelzer)
         Status: Triaged

** Changed in: libvirt (Ubuntu)
       Status: New => Triaged

** Changed in: libvirt (Ubuntu)
     Assignee: (unassigned) => ChristianEhrhardt (paelzer)

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1680384

Title:
  libvirt-qemu apparmor profiles miss several important entries

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1680384/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
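The denials quoted in the report are the raw material for the abstraction entries it asks for. The script below is an added example written for this page; it is not code from the libvirt bug, from Ubuntu's fix, or from AppArmor's own aa-logprof. It parses the audit lines quoted above (plus one constructed ALLOWED line, to show that only DENIED events are considered), collapses the per-pid /proc path into the /proc/*/ glob the reporter proposes, merges repeated denials on one path, and renders candidate file rules. The "ix" exec qualifier, the SAMPLE_LOG constant and the missing_rules helper are this example's assumptions; which exec mode (ix, Px, Ux, ...) is right for /usr/sbin/ppc64_cpu and /bin/grep is a profile design decision the report itself does not settle, and the exact-line comparison in missing_rules does not evaluate AppArmor globbing.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example for this bug thread; it is not part of libvirt, Ubuntu's
libvirt packaging or AppArmor's aa-logprof.  The first three sample lines
are the ones quoted in the report; the ALLOWED line is constructed to show
that non-denials are ignored.
"""
import re
from collections import defaultdict

# Constructed sample input: three lines quoted from the bug report plus one
# made-up complain-mode (ALLOWED) line that must not produce a rule.
SAMPLE_LOG = """\
apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/usr/sbin/ppc64_cpu" pid=9539 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0
apparmor="DENIED" operation="exec" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/bin/grep" pid=9541 comm="kvm" requested_mask="x" denied_mask="x" fsuid=64055 ouid=0
[ 518.615420] audit: type=1400 audit(1491467132.255:21): apparmor="DENIED" operation="open" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/proc/7989/cmdline" pid=9531 comm="qemu-system-ppc" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
apparmor="ALLOWED" operation="open" profile="libvirt-88b15add-b290-431d-9e49-fa771588f2f5" name="/dev/null" pid=9531 comm="qemu-system-ppc" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
"""

# key="quoted value" or key=bareword, as audit(7)/AppArmor emit them
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# per-process /proc directory, e.g. /proc/7989/ -> generalized to /proc/*/
PID_DIR_RE = re.compile(r"^/proc/\d+/")
# canonical order in which AppArmor file permission letters are written
MASK_ORDER = "rwmklx"


def parse_audit_line(line):
    """Return a dict of the key=value fields found in one audit line."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def generalize_path(path):
    """Collapse a per-pid /proc path into the /proc/*/ glob (assumption:
    the same generalization the reporter proposes for /proc/*/cmdline)."""
    return PID_DIR_RE.sub("/proc/*/", path)


def collect_denials(log_text):
    """Map each (generalized) denied path to the union of denied letters."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue
        denied[generalize_path(fields["name"])].update(fields.get("denied_mask", ""))
    return denied


def to_rule(path, masks, exec_mode="ix"):
    """Render one file rule.  A denied 'x' needs an exec qualifier; 'ix'
    (run under the same profile) is this example's default, not a claim
    about what the Ubuntu fix chose."""
    letters = "".join(m for m in MASK_ORDER if m in masks and m != "x")
    if "x" in masks:
        letters += exec_mode
    return f"{path} {letters},"


def suggest_rules(log_text, exec_mode="ix"):
    """Candidate rules for every DENIED path in the log, sorted by path."""
    denied = collect_denials(log_text)
    return [to_rule(p, m, exec_mode) for p, m in sorted(denied.items())]


def missing_rules(log_text, abstraction_text, exec_mode="ix"):
    """Candidate rules not already present verbatim in an abstraction file.
    Exact-line comparison only; AppArmor glob matching is not evaluated."""
    present = {line.strip() for line in abstraction_text.splitlines()}
    return [r for r in suggest_rules(log_text, exec_mode) if r not in present]


if __name__ == "__main__":
    # Running this prints the three candidate lines for the report's denials.
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

Feeding a host's real log (journalctl -k or /var/log/audit/audit.log) into suggest_rules gives a starting list to review by hand; each candidate still needs the judgement the reporter applied to /dev/vfio/vfio, i.e. checking what the path exposes before widening a shared abstraction.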