[Pkg-libvirt-maintainers] Bug#1081396: libvirt-daemon: AppArmor support for QEMU domains is (mostly silently) disabled unless libvirt-daemon-driver-lxc is installed

Andrea Bolognani eof at kiyuko.org
Mon Sep 16 20:31:26 BST 2024 

Control: tags -1 fixed-upstream

On Wed, Sep 11, 2024 at 08:06:18PM +0200, Andrea Bolognani wrote:
> On Wed, Sep 11, 2024 at 02:21:07PM +0200, intrigeri wrote:
> > If libvirt-daemon-driver-lxc is not installed, libvirtd logs this on startup:
> > 
> >   libvirtd[2085]: internal error: template '/etc/apparmor.d/libvirt/TEMPLATE.lxc' does not exist
> > 
> > … and then apparently the logic to generate AppArmor profiles for QEMU VMs and
> > enforce them is disabled. That was not obvious to me: I thought "OK, I don't
> > have the LXC driver installed, so sure that file is missing, it's fine" and did
> > not guess this would break a previously working security feature.
> 
> Thanks for the report.
> 
> This is definitely *not* expected and *not* acceptable. AppArmor
> confinement for QEMU domains should work regardless of whether or not
> an unrelated hypervisor driver is installed.
> 
> I'll look into it. I'm fairly sure it will require an upstream fix.

Fixed upstream with

  commit d622ca04f6525b90cfe6d8274efaf4bee043d8ba
  Author: Andrea Bolognani <abologna at redhat.com>
  Date:   Mon Sep 16 16:39:11 2024 +0200

    apparmor: Don't check for existence of templates upfront

    Currently, if either template is missing AppArmor support is
    completely disabled. This means that uninstalling the LXC
    driver from a system results in QEMU domains being started
    without AppArmor confinement, which obviously doesn't make any
    sense.

    The problematic scenario was impossible to hit in Debian until
    very recently, because all AppArmor files were shipped as part
    of the same package; now that the Debian package is much closer
    to the Fedora one, and specifically ships the AppArmor files
    together with the corresponding driver, it becomes trivial to
    trigger it.

    Drop the checks entirely. virt-aa-helper, which is responsible
    for creating the per-domain profiles starting from the
    driver-specific template, already fails if the latter is not
    present, so they were always redundant.

    https://bugs.debian.org/1081396

    Signed-off-by: Andrea Bolognani <abologna at redhat.com>
    Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>

I'll prepare an upload shortly.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-libvirt-maintainers/attachments/20240916/f7baced4/attachment.sig>

More information about the Pkg-libvirt-maintainers mailing list