[pkg-apparmor] Bug#805002: libvirt-client: "virsh attach-disk" fails with AppArmor enabled
Guido Günther
agx at sigxcpu.org
Fri Mar 24 08:28:15 UTC 2017
On Fri, Jul 22, 2016 at 03:29:43PM +0200, Guido Günther wrote:
> Control: reassign -1 apparmor
> Control: affects -1 libvirt-daemon
>
> Dear apparmor maintainers,
>
> On Fri, Nov 13, 2015 at 09:32:15AM +0000, Carlo Rengo wrote:
> > Package: libvirt-client
> > Version: 1.2.21-1
> > Severity: serious
> >
> > Dear Maintainer,
> >
> > Running “virsh attach-disk <domain> <source> <target>” with AppArmor enabled and
> > the domain confined in enforce mode gives this error:
> >
> > root at host:~# virsh attach-disk debian8 /var/lib/libvirt/images/disk_to_attach.img vdd
> > error: Failed to attach disk
> > error: internal error: unable to execute QEMU command 'device_add': Property 'virtio-blk-device.drive' can't find value 'drive-virtio-disk3'
> >
> > From journal:
> >
> > audit: type=1400 audit(1447406591.802:2015): apparmor="STATUS" operation="profile_replace" name="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" pid=57268 comm="apparmor_parser"
> > audit: type=1400 audit(1447406591.862:2016): apparmor="STATUS" operation="profile_replace" name="qemu_bridge_helper" pid=57268 comm="apparmor_parser"
> > audit: type=1400 audit(1447406591.892:2017): apparmor="DENIED" operation="open" profile="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > audit: type=1400 audit(1447406591.952:2018): apparmor="DENIED" operation="open" profile="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > audit: type=1400 audit(1447406592.002:2019): apparmor="DENIED" operation="open" profile="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" name="/var/lib/libvirt/images/to_attach.img" pid=56392 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
> > audit: type=1400 audit(1447406592.262:2020): apparmor="STATUS" operation="profile_replace" name="libvirt-73a13868-fbfd-4dce-bbf1-effde396bb12" pid=57270 comm="apparmor_parser"
> > audit: type=1400 audit(1447406592.342:2021): apparmor="STATUS" operation="profile_replace" name="qemu_bridge_helper" pid=57270 comm=“apparmor_parser"
> >
> > When putting the domain in complain/disabled mode, the error keeps showing up until
> > the domain is destroyed/recreated or saved/restored.
>
> I can confirm this (see below).
>
> >
> > This errors appears with libvirt from debian stable, debian testing and from a compiled
> > version of the source. Ubuntu 15.10 is not affected by this bug.
>
> I think this issue is not within in libvirt but related to apparmor not
> correctly refreshing the profiles of running processes. As outlined in
> #826218 I can reproduce this without having virt-aa-helper in the game
> (by changing the profile on disk and reloading it into the kernel via
> apparmor_parser -r). Can be reproduced via:
>
> echo "/var/lib/libvirt/images/powerpc.img rw," >> /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a.files
> chmod u+rw /var/lib/libvirt/images/powerpc.img
> chown libvirt-qemu: /var/lib/libvirt/images/powerpc.img
> /sbin/apparmor_parser -r /etc/apparmor.d/libvirt/libvirt-a9287b6e-ca06-42fe-b1a2-06830752843a
> virsh qemu-monitor-command wheezy --pretty --cmd '{"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy file=/var/li
The last one is copy and paste error. It should be:
virsh qemu-monitor-command powerpc --pretty --cmd '{"execute":"human-monitor-command","arguments":{"command-line":"drive_add dummy file=/var/lib/libvirt/images/powerpc.img"}}'
Cheers,
-- Guido
More information about the pkg-apparmor-team
mailing list