[pkg-apparmor] Bug#805002: libvirt-client: "virsh attach-disk" fails with AppArmor enabled

intrigeri intrigeri at debian.org
Sat Jul 30 12:06:48 UTC 2016 

Hi,

Guido Günther:
> On Fri, Nov 13, 2015 at 09:32:15AM +0000, Carlo Rengo wrote:
>> Running “virsh attach-disk <domain> <source> <target>” with AppArmor enabled and 
>> the domain confined in enforce mode gives this error:
[...]
>> audit: type=1400 audit(1447406591.892:2017): apparmor="DENIED" operation="open"
>> profile="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12"
>> name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm"
>> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[...]
>> 
>> When putting the domain in complain/disabled mode, the error keeps showing up until 
>> the domain is destroyed/recreated or saved/restored.

> I can confirm this (see below).

>> This errors appears with libvirt from debian stable, debian testing and from a compiled 
>> version of the source. Ubuntu 15.10 is not affected by this bug.

> I think this issue is not within in libvirt but related to apparmor not
> correctly refreshing the profiles of running processes. As outlined in
> #826218 I can reproduce this without having virt-aa-helper in the game
> (by changing the profile on disk and reloading it into the kernel via
> apparmor_parser -r). Can be reproduced via:

>    echo "/var/lib/libvirt/images/powerpc.img rw," >> /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a.files
>    chmod u+rw /var/lib/libvirt/images/powerpc.img
>    chown libvirt-qemu: /var/lib/libvirt/images/powerpc.img
>    /sbin/apparmor_parser -r  /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a
>    virsh qemu-monitor-command wheezy --pretty --cmd '{"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy file=/var/li

AFAIK an already running process is not affected by changes to its
AppArmor profile, as "Profiles are applied to a process at exec(3)
time" (apparmor(7)).

So I don't see how we can make virsh attach-disk work under AppArmor
without either rebooting the guest to take into account the updated
profile, or extending the profile in advance (so that it allows access
to all disks that one may want to attach later to a domain).

> I have also observed that aa-{disable,complain} dont affect running VMs
> but this might just an omission in the documentation.

I think this is somewhat documented in the manpage as quoted above.

Cheers,
-- 
intrigeri

More information about the pkg-apparmor-team mailing list