[pkg-apparmor] Bug#826218: Complain still interferes

Guido Günther agx at sigxcpu.org
Fri Jun 3 13:29:05 UTC 2016 

Hi intrigeri,
On Fri, Jun 03, 2016 at 02:51:12PM +0200, intrigeri wrote:
[..snip..]
> > As to my understanding complain mode shouldn't have any ill effects
> > therefore I'm filing this as important.
> 
> I can't tell for sure until I've seen the corresponding logs, but
> I *guess* that what's happening is: setting the usr.sbin.libvirtd
> profile to "complain" affects that profile, and only that one; the
> per-guest profiles libvirt generates are not affected. libvirtd is
> still allowed to do that:

If that would be true wouldn't undefining then redifining the domain
(therefore switching to a different UUID resolve the problem)? I have
tried this before and it doesn't. This is the full script I'm using:

    https://github.com/agx/libvirt-debian/blob/debian/experimental/debian/tests/smoke-qemu-session

Note also that the problem is with starting virtlogd (which is spawned
from libvirtd, not the VM). The issues manifests as virtlogd parsing
incorrect stuff from the environment[1].

>   # allow changing to our UUID-based named profiles
>   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
> 
> ... if security_driver is configured to use AppArmor in
> /etc/libvirt/qemu.conf.
> 
> And aa-disable does a very different thing: it full unloads the
> profile from the kernel, and then somehow libvirtd must be denied the
> change_profile operation, so the buggy auto-generated per-guest
> profile is not switched to.
> 
> If my guess is right, then there's no bug in AppArmor itself (except
> perhaps change_profile should pass through the complain flag to the
> profile it switches to?).
> 
> To confirm this, we need:
> 
>  * the kernel / auditd logs from AppArmor, when the profile is in
>    complain or enforce mode

$ sudo dmesg -c > /dev/null

# Enforce
$ sudo aa-enforce /usr/sbin/libvirtd
Setting /usr/sbin/libvirtd to enforce mode.
$ debian/tests/smoke-qemu-session >& /dev/null
$ echo $?
1
$ sudo dmesg -c | grep audit
[20363.629630] audit: type=1400 audit(1464959515.310:256): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/libvirtd" pid=6608 comm="apparmor_parser"

# Complain
$ sudo aa-complain /usr/sbin/libvirtd 
Setting /usr/sbin/libvirtd to complain mode.
$ debian/tests/smoke-qemu-session >& /dev/null
$ echo $?
1
$ sudo dmesg -c | grep audit
[20514.122048] audit: type=1400 audit(1464959665.801:257): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/libvirtd" pid=6695 comm="apparmor_parser"

# Diabled
$ sudo aa-disable /usr/sbin/libvirtd
$ debian/tests/smoke-qemu-session >& /dev/null
$ echo $?
0
$ sudo dmesg -c | grep audit
[20632.145135] audit: type=1400 audit(1464959783.825:258): apparmor="STATUS" operation="profile_remove" name="/usr/sbin/libvirtd" pid=6771 comm="apparmor_parser"

>  * the generated profile (/etc/apparmor.d/libvirt/libvirt-${uuid}*)

As far as can tell there are no new files generaed with the uuid of the
sqs domain.

Any more logs I can provide? Sorry if I'm looking at the wrong place.

Cheers,
 -- Guido

[1] since /proc/<pid>/environ looks correct I have no idea how this
relates to aa yet but it's 100% reproducible

More information about the pkg-apparmor-team mailing list