[Pkg-libvirt-maintainers] Bug#905339: Bug#905339: Some open operations are DENIED by AppArmor

Guido Günther agx at sigxcpu.org
Fri Aug 3 13:42:09 BST 2018


Hi,
thanks. Some comments inline below:

On Fri, Aug 03, 2018 at 08:23:21PM +0800, Haruki TSURUMOTO wrote:
> Hi,
> 
> > On 2018-08-03 19:58, Guido Günther wrote:
> > Hi,
> > On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> > > Package: libvirt-daemon-system
> > > Version: 3.0.0-4+deb9u3
> > > Severity: normal
> > > X-Debbugs-Cc: apparmor at packages.debian.org
> > > 
> > > Dear maintainers, (CCed: apparmor-maintainers)
> > > 
> > > I had enabled AppArmor on my debian stretch machine.
> > > I found that some of libvirt's open operations are DENIED by apparmor.
> > > Please see below.
> > > 
> > > ```
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400
> > > audit(1532950522.067:41): apparmor="DENIED" operation="open"
> > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86"
> > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400
> > > audit(1532950522.067:42): apparmor="DENIED" operation="open"
> > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86"
> > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400
> > > audit(1532950522.103:43): apparmor="DENIED" operation="open"
> > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > name="/sys/module/vhost/parameters/max_mem_regions" pid=1307
> > > comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393592] audit: type=1400
> > > audit(1532950536.959:46): apparmor="DENIED" operation="open"
> > > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > > name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86"
> > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393648] audit: type=1400
> > > audit(1532950536.959:47): apparmor="DENIED" operation="open"
> > > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > > name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86"
> > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.404634] audit: type=1400
> > > audit(1532950536.967:48): apparmor="DENIED" operation="open"
> > > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > > name="/sys/module/vhost/parameters/max_mem_regions" pid=1376
> > > comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400
> > > audit(1533009084.686:49): apparmor="DENIED" operation="open"
> > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r"
> > > denied_mask="r" fsuid=64055 ouid=0
> > > ```
> > > 
> > > These policy conflicts were fixed upstream.
> > > 
> > > I attached a patch which I backported from these commits.
> > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> > > 
> > > Would you apply this patch for stretch?
> > Can you provide debdiff for a fixed package?
> >   -- Guido
> debdiff is here:

Is this a *tested* debdiff?

> ```
> diff -Nru libvirt-3.0.0/debian/changelog libvirt-3.0.0/debian/changelog
> --- libvirt-3.0.0/debian/changelog    2018-03-13 03:11:51.000000000 +0900
> +++ libvirt-3.0.0/debian/changelog    2018-08-03 13:26:45.000000000 +0900
> @@ -1,3 +1,10 @@
> +libvirt (3.0.0-4+deb9u3.ownbuild) UNRELEASED; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * apparmor: Allow-access-host-resource-and-cmdline.patch

Closes: #xyz

> +
> + -- Haruki TSURUMOTO <tsr.root at gmail.com>  Fri, 03 Aug 2018 13:26:45 +0900
> +
>  libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
> 
>    * gbp: switch branch to stretch
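Review bot: the changelog bullet does not reference the bug it fixes; for a stable update the `Closes: #905339` marker belongs on that bullet so the BTS is updated when the upload is accepted, e.g. `* apparmor: allow access to host resources and process cmdline (Closes: #905339)`. The version `3.0.0-4+deb9u3.ownbuild` with distribution `UNRELEASED` is a local build marker rather than a stretch update version, and the bullet names the patch `Allow-access-host-resource-and-cmdline.patch` while the file added in the next file header is `apparmor-allow-access-host-resource-and-cmdline.patch`; the `Non-maintainer upload.` line is likewise wrong if the maintainer folds this into a point release. All three should be made consistent before the entry is reused.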
> diff -Nru libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
> --- libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
> 1970-01-01 09:00:00.000000000 +0900
> +++ libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
> 2018-08-03 13:26:45.000000000 +0900
> @@ -0,0 +1,25 @@
> +Allow apparmor access host resource and process cmdline

Allow apparmor access to host resources and process cmdline

> +These polociy conflicts were fixed in upstream.

Please add the links to the upstream commits here.

I'll try to squeeze this into a point release then.
Cheers,
 -- Guido

> +--- a/examples/apparmor/libvirt-qemu
> ++++ b/examples/apparmor/libvirt-qemu
> +@@ -21,6 +21,10 @@
> +   /dev/ptmx rw,
> +   /dev/kqemu rw,
> +   @{PROC}/*/status r,
> ++  # When qemu is signaled to terminate, it will read cmdline of signaling
> ++  # process for reporting purposes. Allowing read access to a process
> ++  # cmdline may leak sensitive information embedded in the cmdline.
> ++  @{PROC}/@{pid}/cmdline r,
> +   # Per man(5) proc, the kernel enforces that a thread may
> +   # only modify its comm value or those in its thread group.
> +   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
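Review bot: the new rule `@{PROC}/@{pid}/cmdline r,` is not qualified with `owner`, so the confined qemu process may read the command line of any process on the host, and the comment in the hunk itself states that this can leak sensitive data embedded in a cmdline. That breadth is deliberate rather than accidental: the reported denial is `name="/proc/548/cmdline" ... fsuid=64055 ouid=0`, i.e. qemu running as uid 64055 reading a root-owned process, which an `owner`-qualified rule would still deny. Worth stating this trade-off in the patch header (and that the rule is taken verbatim from the upstream commit) so a later reviewer does not tighten it to `owner` and reintroduce the denial.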
> +@@ -152,3 +156,9 @@
> +   /etc/udev/udev.conf r,
> +   /sys/bus/ r,
> +   /sys/class/ r,
> ++
> ++  # for gathering information about available host resources
> ++  /sys/devices/system/cpu/ r,
> ++  /sys/devices/system/node/ r,
> ++  /sys/devices/system/node/node[0-9]*/meminfo r,
> ++  /sys/module/vhost/parameters/max_mem_regions r,
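Review bot: the `/sys/devices/system/node/node[0-9]*/meminfo r,` rule has no corresponding DENIED line in the report (only `/sys/devices/system/cpu/`, `/sys/devices/system/node/` and `/sys/module/vhost/parameters/max_mem_regions` appear), so it is carried over from the upstream commit rather than from an observed denial; that is fine, but the patch header, which currently consists of two free-text lines, should say so and carry the two upstream commit URLs from the bug report as DEP-3 `Origin:` lines plus `Bug-Debian: https://bugs.debian.org/905339`, so the provenance of each rule can be checked without re-reading this thread.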
> diff -Nru libvirt-3.0.0/debian/patches/series
> libvirt-3.0.0/debian/patches/series
> --- libvirt-3.0.0/debian/patches/series    2018-03-13 03:11:51.000000000
> +0900
> +++ libvirt-3.0.0/debian/patches/series    2018-08-03 13:26:45.000000000
> +0900
> @@ -27,3 +27,4 @@
>  qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
>  security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
>  security/CVE-2018-6764-virlog-determine-the-hostname-on-startup.patch
> +apparmor-allow-access-host-resource-and-cmdline.patch
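Review bot: the file-header lines for both `debian/patches/series` and the new patch file are wrapped by the mail client (the timestamp and the `+0900` zone have been pushed onto lines of their own), so the debdiff as pasted in this message will not apply cleanly with patch(1); attach the debdiff as a file instead of inline. The series entry itself is fine: it appends the new patch after the existing `security/` entries, and its name matches the file added above.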
> ```
> 
> d/changelog is a workaround for me, so please rewrite it to a suitable form.
> 
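As an added example (not code from the bug report, from the debdiff, or from the libvirt package), the script below turns AppArmor DENIED audit records like the ones quoted in the report into the per-profile path/mask summary a maintainer needs when deciding which rules to add, and then checks a candidate rule set against those records before a rebuild. The sample records are constructed copies of the report's lines, rejoined onto one line each as the kernel logs them; the function names (`parse_denials`, `summarize`, `rule_to_regex`, `uncovered`) and the `PATCH_RULES` list are this example's own, and the rule matcher is a deliberately small approximation that handles only the `@{PROC}`/`@{pid}`/`@{tid}` variables, `*`, `**` and `[..]` classes used in the patch, not AppArmor's real matcher.

```python
import re
from collections import defaultdict

# Constructed sample: the DENIED records quoted in the bug report, one per line.
SAMPLE_LOG = """\
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
"""

# The rules the debdiff adds to the libvirt-qemu abstraction (copied from the thread).
PATCH_RULES = [
    "@{PROC}/@{pid}/cmdline r,",
    "/sys/devices/system/cpu/ r,",
    "/sys/devices/system/node/ r,",
    "/sys/devices/system/node/node[0-9]*/meminfo r,",
    "/sys/module/vhost/parameters/max_mem_regions r,",
]

# key=value or key="quoted value" pairs as written by the audit subsystem
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: only the variables used in the libvirt-qemu abstraction.
VARIABLES = {"@{PROC}": "/proc", "@{pid}": "[0-9]+", "@{tid}": "[0-9]+"}


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" record in `text`."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        records.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return records


def summarize(records):
    """Group denied paths by profile: {profile: {path: sorted denied masks}}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for r in records:
        grouped[r["profile"]][r["name"]].update(r.get("denied_mask", ""))
    return {p: {n: "".join(sorted(m)) for n, m in paths.items()}
            for p, paths in grouped.items()}


def rule_to_regex(rule_path):
    """Translate the subset of AppArmor path syntax used above into an anchored regex."""
    out, i = [], 0
    while i < len(rule_path):
        var = next((v for v in VARIABLES if rule_path.startswith(v, i)), None)
        if var:
            out.append(VARIABLES[var]); i += len(var)
        elif rule_path.startswith("**", i):   # '**' crosses directory boundaries
            out.append(".*"); i += 2
        elif rule_path[i] == "*":              # '*' stays within one path component
            out.append("[^/]*"); i += 1
        elif rule_path[i] == "[":              # character class, passed through
            j = rule_path.index("]", i)
            out.append(rule_path[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(rule_path[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rule(rule):
    """Split 'owner? <path> <perms>,' into (path, perms, owner_only)."""
    parts = rule.strip().rstrip(",").split()
    owner_only = parts[0] == "owner"
    path, perms = parts[1:] if owner_only else parts
    return path, perms, owner_only


def uncovered(records, rules):
    """Return the denials that none of `rules` would permit.

    An owner-qualified rule only applies when the file is owned by the
    requesting uid, so it is counted as covering a record only if fsuid == ouid.
    """
    compiled = [(rule_to_regex(p), set(perms), own)
                for p, perms, own in map(parse_rule, rules)]
    left = []
    for r in records:
        need = set(r.get("denied_mask", ""))
        covered = any(rx.match(r["name"]) and need <= perms
                      and (not own or r.get("fsuid") == r.get("ouid"))
                      for rx, perms, own in compiled)
        if not covered:
            left.append(r)
    return left


if __name__ == "__main__":
    recs = parse_denials(SAMPLE_LOG)
    for profile, paths in summarize(recs).items():
        print(profile)
        for path, mask in sorted(paths.items()):
            print(f"  {path} {mask}")
    print("still denied after patch:", [r["name"] for r in uncovered(recs, PATCH_RULES)])
    tightened = ["owner @{PROC}/@{pid}/cmdline r,"] + PATCH_RULES[1:]
    print("still denied with owner cmdline rule:",
          [r["name"] for r in uncovered(recs, tightened)])
```

Running it shows the five rules covering all four records, and that swapping the cmdline rule for an `owner`-qualified one leaves `/proc/548/cmdline` denied, because that record has `fsuid=64055` against `ouid=0`; that is the same trade-off the patch comment describes, checked mechanically before rebuilding the package.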


