[pkg-apparmor] Bug#805002: libvirt-client: "virsh attach-disk" fails with AppArmor enabled

Christian Boltz debian-bugs at cboltz.de
Sat Jul 30 13:05:32 UTC 2016


Hello,

On Saturday, 30 July 2016, 14:06:48 CEST, intrigeri wrote:
> Guido Günther:
> >    /sbin/apparmor_parser -r /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a
> >    virsh qemu-monitor-command wheezy --pretty --cmd '{"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy file=/var/li
> AFAIK an already running process is not affected by changes to its
> AppArmor profile, as "Profiles are applied to a process at exec(3)
> time" (apparmor(7)).
> 
> So I don't see how we can make virsh attach-disk work under AppArmor
> without either rebooting the guest to take into account the updated
> profile, or extending the profile in advance (so that it allows access
> to all disks that one may want to attach later to a domain).
>
> > I have also observed that aa-{disable,complain} don't affect running
> > VMs, but this might just be an omission in the documentation.
> 
> I think this is somewhat documented in the manpage as quoted above.

I think you are misreading the documentation here ;-)

    "Profiles are applied to a process at exec(3) time" (apparmor(7))
means: If you start a process unconfined (without an AppArmor profile) and 
load a profile later, that process will stay unconfined (unless exec(3) 
gets called).

Also if you unload a profile and then load it again, running processes 
will become and stay unconfined.

OTOH, if you already have a profile loaded, start a process and then 
reload the modified profile, it will be applied instantly.

Note that there were bugs both in apparmor_parser and the kernel that 
broke reload and could cause the problem you described. So please check 
if Debian has the fixes in apparmor_parser (likely, because this was fixed 
a while ago) and the kernel (less likely because that patch is quite 
new). If in doubt, John should be able to point you to the relevant 
patches.


Regards,

Christian Boltz
-- 
>  I'll then voluntarily take on the role of dope of the day.
No no, my friend, I won't let anyone take that title from me, not with my
DSL story... You couldn't be more of a dope than that...
[> Ralf Prengel and Dieter Soost in suse-linux]
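The distinction drawn in this message (replacing a loaded profile with apparmor_parser -r applies to running confined processes; unloading and re-adding it leaves them unconfined) can be checked from outside the process: the kernel reports each process's current confinement label in /proc/<pid>/attr/current (newer kernels also expose it as /proc/<pid>/attr/apparmor/current), either as "unconfined" or as "<profile> (<mode>)". The script below is an added example for this thread, not code from the bug report or from the AppArmor or libvirt projects. It assumes root, an AppArmor-enabled kernel, and that you already know the PID of the guest's qemu process (aa-status lists confined processes together with their profiles); the label strings in the comments are constructed illustrations of the real format.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the AppArmor project.
# Checks whether a running process keeps its confinement across a profile
# replace, using the label the kernel reports in /proc/<pid>/attr/current.
# Constructed examples of that label:
#     unconfined
#     /usr/sbin/libvirtd (enforce)
#     libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a (complain)

# Profile part of a label: everything before the trailing " (mode)".
aa_profile() {
    case "$1" in
        *" ("*")") printf '%s\n' "${1% \(*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Mode part of a label (enforce, complain, ...), or the bare label
# ("unconfined") when there is no "(mode)" suffix.
aa_mode() {
    case "$1" in
        *" ("*")") m=${1##*\(}; printf '%s\n' "${m%\)}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Current label of a live process; prefers the newer apparmor/ subdirectory.
aa_label_of_pid() {
    if [ -r "/proc/$1/attr/apparmor/current" ]; then
        cat "/proc/$1/attr/apparmor/current"
    else
        cat "/proc/$1/attr/current"
    fi
}

# Replace (-r) a loaded profile and report the label of PID before and
# after.  Returns 0 if the process is still confined afterwards, 1 if it
# is now unconfined (the symptom of the remove-then-add case, -R then -a,
# rather than -r), 2 if apparmor_parser itself failed.
aa_check_replace() {
    pid=$1; profile_file=$2
    before=$(aa_label_of_pid "$pid")
    apparmor_parser -r "$profile_file" || return 2
    after=$(aa_label_of_pid "$pid")
    printf 'pid %s: before=%s after=%s\n' "$pid" "$before" "$after"
    [ -n "$after" ] && [ "$(aa_mode "$after")" != unconfined ]
}

# Usage (needs root and AppArmor):  ./aa_check.sh <qemu-pid> <profile-file>
if [ "$#" -eq 2 ]; then
    aa_check_replace "$1" "$2"
fi
```

Run it against the qemu PID of the domain and its /etc/apparmor.d/libvirt/libvirt-<uuid> file: if the label after the -r is still "libvirt-<uuid> (enforce)" the reload reached the running guest and the remaining access denials come from the profile contents, whereas an "unconfined" label afterwards means the process lost its profile along the way, which is the -R/-a behaviour (or the parser/kernel reload bugs mentioned above) rather than the exec-time rule from apparmor(7).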