[Pkg-libvirt-maintainers] Bug#812069: virt-aa-helper: please whitelist /usr/share/OVMF (EFI) for read-only access under AppArmor
Simon McVittie
smcv at debian.org
Wed Jan 20 07:38:47 UTC 2016
Package: libvirt-daemon-system
Version: 1.3.0-2
Severity: normal
File: /usr/lib/libvirt/virt-aa-helper
Tags: patch upstream
When I configure a guest for EFI boot on a host system with AppArmor
enabled, virt-aa-helper generates an AppArmor profile that fails its
own validation:
libvirtd: 13583: error : virCommandWait:2552 : internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) unexpected exit status 1: virt-aa-helper: error: /usr/share/OVMF/OVMF_CODE.fd#012virt-aa-helper: error: skipped restricted file#012virt-aa-helper: error: invalid VM definition
This appears to be because virt-aa-helper is willing to accept
/usr/share/ovmf as an acceptable read-only path for a virtual machine,
but not /usr/share/OVMF. The attached patch seems to work.
(I wonder whether it would make sense to just allow all of /usr/share to be
read-only, but that's more of a policy question.)
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libvirt-daemon-system depends on:
ii adduser 3.113+nmu3
ii gettext-base 0.19.7-2
ii init-system-helpers 1.25
ii libapparmor1 2.10-2+b2
ii libaudit1 1:2.4.5-1
ii libblkid1 2.27.1-1
ii libc6 2.21-6
ii libcap-ng0 0.7.7-1+b1
ii libdbus-1-3 1.11.0-1
ii libdevmapper1.02.1 2:1.02.114-1
ii libnl-3-200 3.2.26-1
ii libnl-route-3-200 3.2.26-1
ii libnuma1 2.0.11-1
ii librados2 0.80.11-1
ii librbd1 0.80.11-1
ii libselinux1 2.4-3
ii libsystemd0 228-4
ii libvirt-clients 1.3.0-2+aa1
ii libvirt-daemon 1.3.0-2+aa1
ii libvirt0 1.3.0-2+aa1
ii libxml2 2.9.3+dfsg1-1
ii libyajl2 2.1.0-2
ii logrotate 3.8.7-2
ii policykit-1 0.105-14.1
Versions of packages libvirt-daemon-system recommends:
ii bridge-utils 1.5-9
ii dmidecode 3.0-2
ii dnsmasq-base 2.75-1
ii ebtables 2.0.10.4-3
ii iproute2 4.3.0-1
ii iptables 1.4.21-2+b1
ii parted 3.2-13
ii pm-utils 1.4.1-15
Versions of packages libvirt-daemon-system suggests:
ii apparmor 2.10-2+b2
pn auditd <none>
pn nfs-common <none>
pn radvd <none>
ii systemd 228-4
pn systemtap <none>
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ovmf.diff
Type: text/x-diff
Size: 4240 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-libvirt-maintainers/attachments/20160120/8c042cb1/attachment.diff>
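The failure the report describes, modelled as an added example. This is not libvirt's virt-aa-helper source and not the attached patch: the prefix tables, the verdict enum and the function names (classify_before, classify_after, emit_rule) are hypothetical. It shows why a case-sensitive prefix whitelist that knows /usr/share/ovmf/ but not /usr/share/OVMF/ makes the generator refuse the firmware path (and fail closed, exactly as the quoted log line shows), and what changes once the second spelling is whitelisted for read-only access.

```c
/* Added example: a simplified model of the path check a profile generator
 * such as virt-aa-helper performs before writing an AppArmor rule.  This is
 * NOT libvirt's source; the prefix tables and function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum path_verdict {
    PATH_OK = 0,            /* rule may be emitted with the requested mode */
    PATH_READONLY_ONLY = 1, /* only a read-only rule is acceptable */
    PATH_RESTRICTED = 2     /* host path the guest must never be granted */
};

/* Hypothetical: host prefixes a guest must never be granted.  "/lib" and
 * "/usr/lib" carry no trailing slash so that lib32/lib64 match as well. */
static const char *const restricted[] = {
    "/bin/", "/etc/", "/lib", "/proc/", "/sys/",
    "/usr/bin/", "/usr/lib", "/usr/share/",
};

/* Hypothetical: prefixes allowed read-only even though they sit under a
 * restricted prefix, as shipped before the fix (lower-case directory only). */
static const char *const readonly_before[] = {
    "/boot/",
    "/usr/share/ovmf/",
};

/* Same list after the fix: the upper-case directory is whitelisted too.
 * Matching is a plain case-sensitive prefix compare, so both spellings
 * have to be listed explicitly. */
static const char *const readonly_after[] = {
    "/boot/",
    "/usr/share/ovmf/",
    "/usr/share/OVMF/",
};

static bool has_prefix(const char *path, const char *prefix)
{
    return strncmp(path, prefix, strlen(prefix)) == 0;
}

/* Classify a guest-visible host path: read-only exceptions are consulted
 * first, then the restricted list; anything else is allowed as requested. */
static enum path_verdict classify(const char *path, bool readonly,
                                  const char *const *ro_list, size_t ro_n)
{
    size_t i;
    for (i = 0; i < ro_n; i++)
        if (has_prefix(path, ro_list[i]))
            return readonly ? PATH_OK : PATH_READONLY_ONLY;
    for (i = 0; i < sizeof(restricted) / sizeof(restricted[0]); i++)
        if (has_prefix(path, restricted[i]))
            return PATH_RESTRICTED;
    return PATH_OK;
}

enum path_verdict classify_before(const char *path, bool readonly)
{
    return classify(path, readonly, readonly_before,
                    sizeof(readonly_before) / sizeof(readonly_before[0]));
}

enum path_verdict classify_after(const char *path, bool readonly)
{
    return classify(path, readonly, readonly_after,
                    sizeof(readonly_after) / sizeof(readonly_after[0]));
}

/* Render the AppArmor rule a generator would emit, or NULL when the path is
 * rejected: the generator then aborts instead of writing a looser profile. */
const char *emit_rule(char *buf, size_t n, const char *path, bool readonly,
                      enum path_verdict (*check)(const char *, bool))
{
    if (check(path, readonly) != PATH_OK)
        return NULL;
    snprintf(buf, n, "  \"%s\" %s,", path, readonly ? "r" : "rw");
    return buf;
}

int main(void)
{
    const char *fw = "/usr/share/OVMF/OVMF_CODE.fd"; /* path from the report */
    char rule[256];

    printf("before fix: %s\n",
           emit_rule(rule, sizeof rule, fw, true, classify_before)
               ? rule : "skipped restricted file");
    printf("after fix:  %s\n",
           emit_rule(rule, sizeof rule, fw, true, classify_after)
               ? rule : "skipped restricted file");
    return 0;
}
```

The order of the two lookups is the security-relevant part: the read-only exceptions are checked before the restricted list, and a match there still only yields a read-only rule, so whitelisting a firmware directory never lets a guest definition obtain write access to it.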