[pkg-apparmor] Bug#826218: Complain still interferes

[intrigeri]

Control: tag -1 + moreinfo

Hi Guido,

Guido Günther wrote (03 Jun 2016 11:53:39 GMT) :
> I've been trying to debug why libvirt fails to start qemu:///session
> domains. Suspecting apparmor into the mix I did:

>     $ aa-complain /usr/sbin/libvirtd
>     $ virsh -c qemu:///session start sqs
>     error: Failed to start domain sqs
>     error: Failed to connect socket to '/run/user/1000/libvirt/virtlogd-sock': Connection refused

> Howver if I do:

>     $ aa-disable /usr/sbin/libvirtd
>     $ virsh -c qemu:///session start sqs
>     Domain sqs started

> I've attached the domain XML to reproduce. Libvirt is 1.3.5~rc1 from
> experimental but 1.3.4 shows this as well.

Thanks for sharing!

> As to my understanding complain mode shouldn't have any ill effects
> therefore I'm filing this as important.

I can't tell for sure until I've seen the corresponding logs, but
I *guess* that what's happening is: setting the usr.sbin.libvirtd
profile to "complain" affects that profile, and only that one; the
per-guest profiles libvirt generates are not affected. libvirtd is
still allowed to do that:

  # allow changing to our UUID-based named profiles
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

... if security_driver is configured to use AppArmor in
/etc/libvirt/qemu.conf.

And aa-disable does a very different thing: it full unloads the
profile from the kernel, and then somehow libvirtd must be denied the
change_profile operation, so the buggy auto-generated per-guest
profile is not switched to.

If my guess is right, then there's no bug in AppArmor itself (except
perhaps change_profile should pass through the complain flag to the
profile it switches to?).

To confirm this, we need:

 * the kernel / auditd logs from AppArmor, when the profile is in
   complain or enforce mode

 * the generated profile (/etc/apparmor.d/libvirt/libvirt-${uuid}*)

Cheers,
-- 
intrigeri