[pkg-apparmor] Bug#805002: Bug#805002: libvirt-client: "virsh attach-disk" fails with AppArmor enabled
Christian Boltz
debian-bugs at cboltz.de
Sat Jul 30 13:05:32 UTC 2016
Hello,
On Saturday, 30 July 2016, 14:06:48 CEST, intrigeri wrote:
> Guido Günther:
> > /sbin/apparmor_parser -r
> > /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752
> > 843a
> > virsh qemu-monitor-command wheezy --pretty --cmd
> > '{"execute":"human-monitor-command","arguments":{"command-line":
> > "drive_add dummy file=/var/li
> AFAIK an already running process is not affected by changes to its
> AppArmor profile, as "Profiles are applied to a process at exec(3)
> time" (apparmor(7)).
>
> So I don't see how we can make virsh attach-disk work under AppArmor
> without either rebooting the guest to take into account the updated
> profile, or extending the profile in advance (so that it allows access
> to all disks that one may want to attach later to a domain).
>
> > I have also observed that aa-{disable,complain} don't affect running
> > VMs but this might just be an omission in the documentation.
>
> I think this is somewhat documented in the manpage as quoted above.
I think you are misreading the documentation here ;-)
"Profiles are applied to a process at exec(3) time" (apparmor(7))
means: If you start a process unconfined (without an AppArmor profile) and
load a profile later, that process will stay unconfined (unless exec(3)
gets called).
Also if you unload a profile and then load it again, running processes
will become and stay unconfined.
OTOH, if you already have a profile loaded, start a process and then
reload the modified profile, it will be applied instantly.
Note that there were bugs both in apparmor_parser and the kernel that
broke reload and could cause the problem you described. So please check
if Debian has the fixes in apparmor_parser (likely, because this was fixed
a while ago) and the kernel (less likely because that patch is quite
new). If in doubt, John should be able to point you to the relevant
patches.
Regards,
Christian Boltz
--
> I'll then voluntarily take on the role of the dunce of the day.
No no, my friend, I won't let anyone take that title from me, with my
DSL story... You can't behave more foolishly than that...
[> Ralf Prengel and Dieter Soost in suse-linux]
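Added example, not from the thread or from the apparmor/libvirt projects: a small POSIX sh helper that reports which profile, and in which mode, a running process is confined by, read from the kernel's per-process AppArmor label (the same source aa-status and ps -Z use). Running it against a domain's qemu process before and after `apparmor_parser -r` shows whether the reload reached the already running guest or left it unconfined, as discussed above. The PROC_ROOT override and the profile names in the comments are assumptions.

```sh
#!/bin/sh
# Root of procfs; overridable so the parsing can be exercised on a
# constructed directory tree instead of the live /proc (assumption).
PROC_ROOT=${PROC_ROOT:-/proc}

# Classify one label string as found in /proc/<pid>/attr/current.
# Prints "<mode> <profile>", e.g.
#   "enforce libvirt-00000000-0000-0000-0000-000000000000" (constructed name)
#   "unconfined -"
classify_label() {
    label=$1
    case $label in
        unconfined)      printf 'unconfined -\n' ;;
        *' (enforce)')   printf 'enforce %s\n'  "${label% (enforce)}" ;;
        *' (complain)')  printf 'complain %s\n' "${label% (complain)}" ;;
        *' (kill)')      printf 'kill %s\n'     "${label% (kill)}" ;;
        *)               printf 'unknown %s\n'  "$label" ;;
    esac
}

# Report the confinement of one pid. Newer kernels expose the label under
# attr/apparmor/current, older ones only under attr/current; try both.
confinement_of_pid() {
    pid=$1
    for f in "$PROC_ROOT/$pid/attr/apparmor/current" \
             "$PROC_ROOT/$pid/attr/current"; do
        if [ -r "$f" ]; then
            # $(...) strips the trailing newline the kernel appends.
            classify_label "$(cat "$f")"
            return 0
        fi
    done
    echo "no readable AppArmor label for pid $pid" >&2
    return 1
}

# Usage: ./aa-confinement.sh <pid>...
# e.g. with the qemu pid of a guest: ./aa-confinement.sh "$(pgrep -x qemu-system-x86_64)"
if [ -n "${1:-}" ]; then
    for p in "$@"; do
        printf '%s: ' "$p"
        confinement_of_pid "$p"
    done
fi
```

Run it once, reload the domain's profile with `apparmor_parser -r`, and run it again: a still-confined qemu process keeps printing `enforce libvirt-<uuid>`, while a process that lost its profile prints `unconfined -`.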