[pkg-apparmor] Bug#805002: Bug#805002: libvirt-client: "virsh attach-disk" fails with AppArmor enabled

Guido Günther agx at sigxcpu.org
Mon Apr 3 06:12:58 UTC 2017


On Sun, Jul 31, 2016 at 03:40:48AM -0700, John Johansen wrote:
> On 07/30/2016 07:54 AM, intrigeri wrote:
> > Hi,
> > 
> > Christian Boltz:
> >> I think you are misreading the documentation here ;-)
> > 
> > I suspect it might be easier to improve the documentation,
> > than to fix all people who would "misread" it.
> > 
> > (Sorry I did not find this funny.)
> > 
> >> OTOH, if you already have a profile loaded, start a process and then 
> >> reload the modified profile, it will be applied instantly.
> > 
> > Thanks!
> > 
> >> Note that there were bugs both in apparmor_parser and the kernel that 
> >> broke reload and could cause the problem you described. So please check 
> >> if Debian has the fixes in apparmor_parser (likely, because this was fixed 
> >> a while ago) and the kernel (less likely because that patch is quite 
> >> new). If in doubt, John should be able to point you to the relevant 
> >> patches.
> > 
> > Good to know! Indeed, I have no clue what kernel patch you're
> > referring to ⇒ John, can you please point me to it? Is it part of the
> > pull request for 4.8? Thanks in advance!
> > 
> Yes, and also available in the 4.8 fixes backports I did for 4.4 - 4.7 (I
> haven't had time to backport further yet).
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
> v4.4-aa2.8-out-of-tree
> v4.5-aa2.8-out-of-tree
> v4.6-aa2.8-out-of-tree
> v4.7-aa2.8-out-of-tree
> 
> Once the 4.8 request gets merged I can look at submitting to stable.
> 
> The specific patch for this issue is
> In linux security/next
>   ec34fa2 apparmor: fix replacement bug that adds new child to old parent
> 
> v4.4-aa2.8-out-of-tree
>   b02fdc2 apparmor: fix replacement bug that adds new child to old parent
> 
> 
> The kernel side messes up in the specific case of a profile already existing
> and the replacement adds new hats.
> 
> The userspace fix is rev 3440 in the userspace main branch (lp:apparmor)

According to

  https://www.redhat.com/archives/libvir-list/2017-March/msg01612.html

on Jessie with

    Kernel 4.9.11
    AppArmor 2.10

unbreaks attaching disks. I'm seeing a different kind of error on Sid
now which I have to investigate.
Cheers,
 -- Guido


