[pkg-apparmor] Bug#805002: libvirt-client: "virsh attach-disk" fails with AppArmor enabled

Guido Günther agx at sigxcpu.org
Fri Jul 22 13:29:43 UTC 2016


Control: reassign -1 apparmor
Control: affects -1 libvirt-daemon

Dear apparmor maintainers,

On Fri, Nov 13, 2015 at 09:32:15AM +0000, Carlo Rengo wrote:
> Package: libvirt-client
> Version: 1.2.21-1
> Severity: serious
> 
> Dear Maintainer,
> 
> Running “virsh attach-disk <domain> <source> <target>” with AppArmor enabled and 
> the domain confined in enforce mode gives this error:
> 
> root at host:~# virsh attach-disk debian8 /var/lib/libvirt/images/disk_to_attach.img vdd
> error: Failed to attach disk
> error: internal error: unable to execute QEMU command 'device_add': Property 'virtio-blk-device.drive' can't find value 'drive-virtio-disk3'
> 
> From journal:
> 
> audit: type=1400 audit(1447406591.802:2015): apparmor="STATUS" operation="profile_replace" name="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" pid=57268 comm="apparmor_parser"
> audit: type=1400 audit(1447406591.862:2016): apparmor="STATUS" operation="profile_replace" name="qemu_bridge_helper" pid=57268 comm="apparmor_parser"
> audit: type=1400 audit(1447406591.892:2017): apparmor="DENIED" operation="open" profile="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> audit: type=1400 audit(1447406591.952:2018): apparmor="DENIED" operation="open" profile="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> audit: type=1400 audit(1447406592.002:2019): apparmor="DENIED" operation="open" profile="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
> audit: type=1400 audit(1447406592.262:2020): apparmor="STATUS" operation="profile_replace" name="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" pid=57270 comm="apparmor_parser"
> audit: type=1400 audit(1447406592.342:2021): apparmor="STATUS" operation="profile_replace" name="qemu_bridge_helper" pid=57270 comm="apparmor_parser"
> 
> When putting the domain in complain/disabled mode, the error keeps showing up until 
> the domain is destroyed/recreated or saved/restored.

I can confirm this (see below).

> 
> This errors appears with libvirt from debian stable, debian testing and from a compiled 
> version of the source. Ubuntu 15.10 is not affected by this bug.

I think this issue is not within libvirt but related to apparmor not
correctly refreshing the profiles of running processes. As outlined in
#826218 I can reproduce this without having virt-aa-helper in the game
(by changing the profile on disk and reloading it into the kernel via
apparmor_parser -r). It can be reproduced via:

   echo "/var/lib/libvirt/images/powerpc.img rw," >> /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a.files
   chmod u+rw /var/lib/libvirt/images/powerpc.img
   chown libvirt-qemu: /var/lib/libvirt/images/powerpc.img
   /sbin/apparmor_parser -r  /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a
   virsh qemu-monitor-command wheezy --pretty --cmd '{"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy file=/var/li

I have also observed that aa-{disable,complain} don't affect running VMs
but this might just be an omission in the documentation.

I'm happy to help debug this further but would be glad to know whether I'm
going in the right direction.

Cheers,
 -- Guido
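As an added example (not part of this thread or of libvirt/apparmor), the following script parses journal lines of the type=1400 form quoted in the report and flags DENIED events that are logged after a profile_replace for the same profile, which is the "running process still enforces the old rules" symptom discussed above. The sample log is constructed in that format, with shortened profile names.

```python
import re

# Constructed sample in the format of the journal lines quoted in the bug
# report (profile UUIDs shortened; not taken from any real system).
SAMPLE_LOG = """\
audit: type=1400 audit(1447406591.802:2015): apparmor="STATUS" operation="profile_replace" name="libvirt-73a13868" pid=57268 comm="apparmor_parser"
audit: type=1400 audit(1447406591.892:2017): apparmor="DENIED" operation="open" profile="libvirt-73a13868" name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1447406592.002:2019): apparmor="DENIED" operation="open" profile="libvirt-73a13868" name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
audit: type=1400 audit(1447406592.262:2020): apparmor="STATUS" operation="profile_replace" name="libvirt-73a13868" pid=57270 comm="apparmor_parser"
"""

# key=value pairs, either "quoted" or bare; the audit(ts:serial) stamp separately
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
TS_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_line(line):
    """Turn one type=1400 audit line into a dict of its fields, or None."""
    m = TS_RE.search(line)
    if not m:
        return None
    fields = {"ts": float(m.group(1)), "serial": int(m.group(2))}
    for key, _, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def denials_after_reload(log_text):
    """Return (profile, pid, path, denied_mask) for every DENIED event that
    follows a profile_replace of the same profile in the log.

    In a replace event 'name' is the profile; in a DENIED event the profile
    is in 'profile' and 'name' is the accessed path.
    """
    reloaded = {}  # profile name -> timestamp of the last replace seen
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if ev.get("operation") == "profile_replace":
            reloaded[ev["name"]] = ev["ts"]
        elif ev.get("apparmor") == "DENIED":
            prof = ev.get("profile")
            if prof in reloaded and ev["ts"] >= reloaded[prof]:
                hits.append((prof, ev["pid"], ev["name"], ev["denied_mask"]))
    return hits
```

Run it over `journalctl -k` output after an `apparmor_parser -r`; denials it reports for a pid that was started before the reload are the case to look at.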


