[pkg-apparmor] Bug#878203: AA breaks libvirt when running with kernel 4.13

intrigeri intrigeri at debian.org
Mon Oct 23 07:14:52 UTC 2017


Control: reassign -1 libvirt-daemon-system
Control: retitle -1 AppArmor blocks QEMU guests access to /proc/*/cmdline
Control: found -1 3.8.0-3
Control: severity -1 normal
Control: tag -1 + upstream

Hi Michael, Guido & others,

first of all, thanks a lot for trying AppArmor and reporting bugs,
much appreciated :)

I'm sorry you've hit issues caused by new AppArmor features landing in
Linux mainline (which is very good news in itself but we've failed to
get ready for that in Debian). I have designed a plan to avoid such
situations in the future: #879584 and #879585.

Michael Biebl:
> Updating libvirt to 3.8.0-1 from experimental fixed the immediate issue
> for me, i.e. the libvirt instances start again.

… and this is now fixed in sid too. Kudos to Guido for being so
proactive both to fix such issues in libvirt upstream and to upload
them to Debian — you rock!

> I'm not sure whether to merge these two bug reports now, or we keep this
> one open and deal with the remaining denial(s) (the severity should
> probably be downgraded in this case as it doesn't seem to cause any
> noticeable issues).

> After updating to libvirt 3.8.0-1 I still get the following DENIAL when
> shutting down a libvirt/KVM instance:

> 2017-10-11T14:43:54.683220+02:00 pluto kernel: [  355.112941] audit:
> type=1400 audit(1507725834.681:55): apparmor="DENIED" operation="open"
> profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd"
> name="/proc/684/cmdline" pid=3154 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=114 ouid=0

I'm hereby doing the latter, i.e. re-purposing this duplicate bug
report into one that tracks this noisy denial.

@Guido: I've not noticed any breakage caused by AppArmor blocking QEMU
access to /proc/*/cmdline. Grepping the QEMU source code for "cmdline"
outputs too many hits for a non-C person like me to investigate, so
I am really clueless wrt. what the potential problems of this denial
could be. Shall we silence the denial or allow it (possibly prefixed
with "owner" to avoid increasing the attack surface too much)? Once we
reach a conclusion here I'm happy to send a patch upstream.

Cheers,
-- 
intrigeri
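Added example (editor's code, not from the thread, libvirt or AppArmor): a small Python helper that parses an AppArmor audit record like the one quoted above and prints the three candidate profile rules the message weighs against each other: a deny rule that silences the log entry, an owner-restricted allow, and an unrestricted allow. It also checks the one thing the quoted record already tells us about the "owner" option: owner rules match only when the task's fsuid equals the file's owning uid, and the reported line shows fsuid=114 against ouid=0, so an owner rule would leave that particular access denied. The second audit line is constructed for contrast (same access, but against a /proc entry owned by the same uid). The @{PROC} variable in the generated rules assumes the profile includes tunables/global; if it does not, write /proc/ literally.

```python
import re

# AppArmor audit record quoted in the bug report above, re-joined onto one line.
REPORTED_DENIAL = (
    'audit: type=1400 audit(1507725834.681:55): apparmor="DENIED" operation="open" '
    'profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd" name="/proc/684/cmdline" '
    'pid=3154 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=114 ouid=0'
)

# Constructed line (not from the report): same access, but the target /proc entry
# belongs to the uid QEMU runs as, so an "owner" rule would match this one.
CONSTRUCTED_OWN_DENIAL = (
    'audit: type=1400 audit(1507725834.900:56): apparmor="DENIED" operation="open" '
    'profile="libvirt-4e5a8920-a2a1-4c6b-b7f1-528c20878cdd" name="/proc/3154/cmdline" '
    'pid=3154 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=114 ouid=114'
)

# key=value pairs; values are either double-quoted strings or bare tokens.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict of strings."""
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def generalize_path(path):
    """Map a concrete /proc/<pid>/... path to the @{PROC}/*/... form used in profiles.

    Assumes the profile includes tunables/global so that @{PROC} is defined.
    """
    m = re.fullmatch(r'/proc/\d+(/.*)', path)
    if m:
        return '@{PROC}/*' + m.group(1)
    return path


def owner_rule_would_match(fields):
    """'owner' rules apply only when the task's fsuid equals the file's owning uid."""
    return fields['fsuid'] == fields['ouid']


def suggest_rules(fields):
    """Candidate profile rules for one denial, in the order the thread discusses them.

    Returns (rule_text, applies) pairs, where `applies` says whether that rule's
    matching logic would have covered the access recorded in the audit line.
    """
    path = generalize_path(fields['name'])
    perms = fields['denied_mask']
    return [
        (f'deny {path} {perms},', True),                          # quiets the log; access stays denied
        (f'owner {path} {perms},', owner_rule_would_match(fields)),  # allows only same-uid targets
        (f'{path} {perms},', True),                               # allows regardless of owner
    ]


if __name__ == '__main__':
    for line in (REPORTED_DENIAL, CONSTRUCTED_OWN_DENIAL):
        f = parse_denial(line)
        print(f"{f['comm']} pid={f['pid']} -> {f['name']} (fsuid={f['fsuid']}, ouid={f['ouid']})")
        for rule, applies in suggest_rules(f):
            print(f"  {'matches' if applies else 'does NOT match'}: {rule}")
```

Run it against lines pulled from `journalctl -k` or `dmesg`; for the reported record it shows that only the bare allow or the deny rule would change what is logged, since QEMU (fsuid 114) was reading a root-owned /proc entry.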