[pkg-apparmor] Bug#826218: Bug#826218: Bug#826218: Complain still interferes

Thu Jul 21 19:55:20 UTC 2016

Hi,
On Mon, Jun 06, 2016 at 01:21:36AM -0700, John Johansen wrote:
> On 06/05/2016 11:22 PM, Guido Günther wrote:
> > Hi Christian,
> > 
> > Thanks a lot for your comments!
> > 
> > On Mon, Jun 06, 2016 at 01:14:08AM +0200, Christian Boltz wrote:
> > [..snip..]
> >> You can enable the logging by adding the audit keyword, but the general 
> >> rule is not to log anything that is already handled (allowed or denied) 
> >> in the profile.
> >>
> >>>     * a way to audit calls to subprocesses indicating whether the
> >>>       environment was scrubbed or not
> >>
> >> You'll get this information by reading the profile ;-)   It already had 
> >> "/usr/sbin/* PUx" [1] which also allowed /usr/sbin/virtlogd - but with 
> >> environment scrubbing.
> > 
> > The rule tells me what the profile is supposed to do, not what it is
> > doing. Ideally I'd like to debug this without  modifying any rules.
> > 
> > It's like the difference between reading code and debugging code. With a
> > debugger I can see what the program is doing while the code tells me
> > what it is supposed to do.
> > 
> 
> Another mode that might be helpful is forcing audit mode. This can be done
> in two ways, to apply it globally
> 
>   echo -n all > /sys/module/apparmor/parameters/audit
> 
> or by setting the mode on the profile
> 
>   profile foo flags=(audit) { ... }
> 
> 
> this will audit a message for every rule that apparmor allows. This can
> be extremely noisy even just doing it for a single profile, so I would not
> use the global option.
> 
> You will likely also have to turn off rate limiting by doing
> 
>   echo 0 > /proc/sys/kernel/printk_ratelimit
> 
> even then the kernel ring buffer may overflow and you might lose messages.

I'm stuck again debugging an apparmor issue so maybe somebody has some
pointers (which I'll gladly add to the weeky again). I'm looking into:

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002

where hotplugging a disk with libvirt fails iff apparmor is enabled.
I can reproduce this and to get virt-aa-helper and libvirtd out of the
game I came up with:

   echo "/var/lib/libvirt/images/powerpc.img rw," >> /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a.files
   chmod u+rw /var/lib/libvirt/images/powerpc.img
   chown libvirt-qemu: /var/lib/libvirt/images/powerpc.img
   /sbin/apparmor_parser -r  /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a
   virsh qemu-monitor-command wheezy --pretty --cmd '{"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy file=/var/lib/libvirt/images/powerpc.img,format=raw,if=none,id=drive-virtio-disk1"}}'

which does the same as "virsh attach-disk domain /var/lib/libvirt/images/powerpc.img".

So we allow access to a file (via apparmor and unix perms), reload the
profile and tell qemu to attach the disk but I this in the logs after
issuing the last command:

   [ 2585.155440] audit: type=1400 audit(1469130399.200:271): apparmor="DENIED" operation="open" profile="libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a" name="/var/lib/libvirt/images/powerpc.img" pid=4202 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=117
  [ 2585.155472] audit: type=1400 audit(1469130399.200:272): apparmor="AUDIT" operation="getattr" profile="libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a" name="/var/lib/libvirt/images/powerpc.img" pid=4202 comm="qemu-system-x86" requested_mask="r" fsuid=117 ouid=117
  [ 2585.155547] audit: type=1400 audit(1469130399.200:273): apparmor="DENIED" operation="open" profile="libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a" name="/var/lib/libvirt/images/powerpc.img" pid=4202 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=117 ouid=117

so how can I find out why the access is still blocked although I added
an explicit allow line? I kind of suspect that reloading the profile
does not work but have nothing that supports this (reloading without
cache, and in verbose mode all look good).

Cheers
 -- Guido