[Pkg-libvirt-maintainers] Bug#905339: Bug#905339: Some open operations are DENIED by AppArmor

Haruki TSURUMOTO fortune.rocket42 at gmail.com
Sat Aug 11 14:22:19 BST 2018


Hi, sorry for my late reply.

On 2018-08-03 20:42, Guido Günther wrote:
> Hi,
> thanks. Some comments inline below:
>
> On Fri, Aug 03, 2018 at 08:23:21PM +0800, Haruki TSURUMOTO wrote:
>> Hi,
>>
>> On 2018-08-03 19:58, Guido Günther wrote:
>>> Hi,
>>> On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
>>>> Package: libvirt-daemon-system
>>>> Version: 3.0.0-4+deb9u3
>>>> Severity: normal
>>>> X-Debbugs-Cc:apparmor at packages.debian.org
>>>>
>>>> Dear maintainers, (CCed: apparmor-maintainers)
>>>>
>>>> I had enabled AppArmor on my debian stretch machine.
>>>> I found some libvirt's open operations are DENIED by apparmor.
>>>> Please see below.
>>>>
>>>> ```
>>>> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400
>>>> audit(1532950522.067:41): apparmor="DENIED" operation="open"
>>>> profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
>>>> name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86"
>>>> requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
>>>> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400
>>>> audit(1532950522.067:42): apparmor="DENIED" operation="open"
>>>> profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
>>>> name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86"
>>>> requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
>>>> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400
>>>> audit(1532950522.103:43): apparmor="DENIED" operation="open"
>>>> profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
>>>> name="/sys/module/vhost/parameters/max_mem_regions" pid=1307
>>>> comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
>>>> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393592] audit: type=1400
>>>> audit(1532950536.959:46): apparmor="DENIED" operation="open"
>>>> profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
>>>> name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86"
>>>> requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
>>>> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393648] audit: type=1400
>>>> audit(1532950536.959:47): apparmor="DENIED" operation="open"
>>>> profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
>>>> name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86"
>>>> requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
>>>> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.404634] audit: type=1400
>>>> audit(1532950536.967:48): apparmor="DENIED" operation="open"
>>>> profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
>>>> name="/sys/module/vhost/parameters/max_mem_regions" pid=1376
>>>> comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
>>>> Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400
>>>> audit(1533009084.686:49): apparmor="DENIED" operation="open"
>>>> profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
>>>> name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r"
>>>> denied_mask="r" fsuid=64055 ouid=0
>>>> ```
>>>>
>>>> These policy conflicts were fixed upstream.
>>>>
>>>> I attached a patch backported from these commits.
>>>> https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
>>>> https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
>>>>
>>>> Would you apply this patch for stretch?
>>> Can you provide debdiff for a fixed package?
>>>    -- Guido
>> debdiff is here:
> Is this a *tested* debdiff?
Yes, I installed my own built package and tested it.

I attach new debdiff.
Does this qualify for the condition?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debdiff_apparmor_allow_host_resources_cmdline.patch
Type: text/x-patch
Size: 2516 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-libvirt-maintainers/attachments/20180811/3ce6da27/attachment.bin>
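To triage reports like this one, a maintainer first needs to know, per VM profile, which paths were denied and with what access mask, before deciding whether the shared libvirt-qemu abstraction needs a new rule. The script below is an added example, not code from the bug report or from the libvirt package: it parses the audit lines quoted above (re-joined onto one line each, since the mail client wrapped them), groups DENIED opens by profile, and renders candidate file rules. The digits-to-`[0-9]*` globbing in `suggest_rules` is a heuristic of this example, not the rule the upstream commits actually added; any generated rule is a starting point to review against the upstream change, not something to paste into a profile.

```python
"""Summarise AppArmor DENIED audit lines from libvirt-<uuid> profiles."""
import re
from collections import defaultdict

# Constructed sample input: the audit lines quoted in the bug report,
# re-joined onto one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
"""

# key=value pairs: quoted values may contain spaces, bare values may not.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None if the
    line is not an AppArmor event at all."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarize_denials(log_text):
    """Map profile -> {path -> set of denied mask letters} for DENIED events
    that carry a file path (capability/network denials have no name= field
    and are skipped here)."""
    summary = defaultdict(dict)
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        if "profile" not in fields or "name" not in fields:
            continue
        masks = summary[fields["profile"]].setdefault(fields["name"], set())
        masks.update(fields.get("denied_mask", ""))
    return dict(summary)


def suggest_rules(summary):
    """Render candidate AppArmor file rules, one per distinct path, with the
    union of denied masks. Purely numeric path components (a PID such as the
    548 in /proc/548/cmdline) are turned into [0-9]* so the rule survives
    across guest restarts; this globbing is a heuristic of this example."""
    rules = set()
    for paths in summary.values():
        for path, masks in paths.items():
            glob = "/".join("[0-9]*" if part.isdigit() else part
                            for part in path.split("/"))
            rules.add(f"{glob} {''.join(sorted(masks))},")
    return sorted(rules)


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG)
    for profile, paths in summary.items():
        print(profile)
        for path, masks in sorted(paths.items()):
            print(f"  {path}  denied={''.join(sorted(masks))}")
    print("candidate rules:")
    for rule in suggest_rules(summary):
        print(" ", rule)
```

Run against a real host, the input would be `journalctl -k` or `/var/log/audit/audit.log` output instead of the embedded sample. Because the per-VM `libvirt-<uuid>` profiles are regenerated by libvirt for each guest, the output is most useful for deciding what belongs in the shared abstraction, which is where the upstream commits referenced in the report put their fix.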