Package:  libvirt-daemon-system
Version: 3.9.0-1
Tags: patch

Since recent package updates in testing, handling VMs now causes AppArmor
violations about reading NSS-related files:

| audit: type=1400 audit(1511825664.488:26): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
| audit: type=1400 audit(1511825664.494:27): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/host.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
| audit: type=1400 audit(1511825664.494:28): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/resolv.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
| audit: type=1400 audit(1511825664.494:30): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/hosts" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This doesn't seem to happen with the most trivial machines, but is reproducible
with this one that uses a real block device as disk:

---------- 8< --- /tmp/x.xml --------
<domain type='qemu' id='1'>
  <name>subVmTest1</name>
  <memory unit='KiB'>262144</memory>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.10'>hvm</type>
    <boot dev='network'/>
  </os>
  <devices>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/sda'/>
      <target dev='hda' bus='ide'/>
      <serial>ROOT</serial>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
  </devices>
</domain>
---------- 8< -----------------------

# virsh define /tmp/x.xml; virsh start subVmTest1

This causes the above AppArmor violations. The VMs actually seem to work
fine, so this doesn't seem to be crucial.

Adding

      #include <abstractions/nameservice>

to /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper works. If the helper should
deliberately not use NSS, then its code needs to be changed of course, but
allowing NSS seems harmless enough.

Thanks,

Martin
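Added illustration (not part of Martin's report, and not libvirt's or AppArmor's own tooling): a small Python script that parses AppArmor DENIED audit records like the ones quoted above, merges the denied paths and masks per profile, and emits either the single `#include <abstractions/nameservice>` line or explicit file rules when the denials fall outside that abstraction. The `NAMESERVICE_PATHS` set is an assumption listing only the entries relevant to this report, not the full abstraction file.

```python
import re

# Constructed sample: the four DENIED records from the report, one per line.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1511825664.488:26): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/nsswitch.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1511825664.494:27): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/host.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1511825664.494:28): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/resolv.conf" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1511825664.494:30): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/hosts" pid=805 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Assumption: read-only NSS configuration paths granted by
# abstractions/nameservice. Only the entries needed here are listed.
NAMESERVICE_PATHS = {"/etc/nsswitch.conf", "/etc/host.conf",
                     "/etc/resolv.conf", "/etc/hosts"}

# key=value pairs, with values either double-quoted or bare tokens.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" record."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        denials.append({k: v.strip('"') for k, v in _KV.findall(line)})
    return denials


def suggest_rules(denials):
    """Group file denials per profile: {profile: {path: merged_mask}}."""
    by_profile = {}
    for d in denials:
        if "name" not in d or "denied_mask" not in d:
            continue  # not a file access record (e.g. capability denial)
        paths = by_profile.setdefault(d["profile"], {})
        merged = set(paths.get(d["name"], "")) | set(d["denied_mask"])
        paths[d["name"]] = "".join(sorted(merged))
    return by_profile


def render_profile_additions(by_profile):
    """Per profile, emit the nameservice include when every denied path is a
    read of an NSS config file; otherwise emit explicit file rules."""
    result = {}
    for profile, paths in by_profile.items():
        nss_only = set(paths) <= NAMESERVICE_PATHS and all(
            mask == "r" for mask in paths.values())
        if nss_only:
            result[profile] = ["#include <abstractions/nameservice>"]
        else:
            result[profile] = [f"{p} {m}," for p, m in sorted(paths.items())]
    return result


if __name__ == "__main__":
    for prof, lines in render_profile_additions(
            suggest_rules(parse_denials(SAMPLE_AUDIT))).items():
        print(f"# {prof}:", *lines, sep="\n  ")
```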
