Bug#892431: AppArmor denies access for libvirt to nova instances directory

2018-06-16 Thread intrigeri
Control: tag -1 + fixed-upstream

Fixed in upstream commit 1fff379ff6.



Bug#892431: AppArmor denies access for libvirt to nova instances directory

2018-03-19 Thread aradian

On 2018-03-18 11:00, intrigeri wrote:

> Thanks for the bug report + debugging + solution!
> I'm reassigning to the package that ships the faulty profile.
>
> Let's submit this to libvirt upstream
> (https://www.redhat.com/mailman/listinfo/libvir-list). Do you want to
> do it yourself or shall I?

It might be best if you could do that, since you're probably much more 
familiar with the interaction between AppArmor and libvirt (and the 
bug-reporting process) than I am.

> Now, one question before we move this upstream: does virt-aa-helper
> really need write access to /var/lib/nova/instances/**?
> Knowing a little bit what this helper does, I can't imagine why it
> would; and in your logs I see only denied_mask="r".

You're right. I did some testing and found that only one rule is needed 
(for QCOW backing files):

  /var/lib/nova/instances/_base/* r,

It seems the instance disk images are covered by the existing rule:

  /**/disk{,.*} r,

>> Probably it would be more appropriate to put that in a separate 
>> profile?
>
> I think it's fine to add these lines to usr.lib.libvirt.virt-aa-helper.

OK. I wasn't sure, since these rules are specific to Nova.



Bug#892431: AppArmor denies access for libvirt to nova instances directory

2018-03-18 Thread intrigeri
Control: reassign -1 libvirt-daemon-system
Control: affects -1 nova-compute
Control: tag -1 + upstream
Control: tag -1 + moreinfo

Hi,

arad...@tma-0.net:
> When launching a QEMU KVM instance, an error occurs immediately upon 
> launching the
> qemu process:

> Could not open backing file: Could not open
> '/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e': 
> Permission
> denied

> This is caused because the AppArmor profile for libvirt does not include 
> access to
> nova's instances directory (/var/lib/nova/instances).

> This error was fixed by adding the following lines to
> /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:

>   /var/lib/nova/instances/_base/ r,
>   /var/lib/nova/instances/_base/* r,
>   /var/lib/nova/instances/** rw,

> and running:
> sudo apparmor_parser -r /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

Thanks for the bug report + debugging + solution!
I'm reassigning to the package that ships the faulty profile.

Let's submit this to libvirt upstream
(https://www.redhat.com/mailman/listinfo/libvir-list). Do you want to
do it yourself or shall I?

Now, one question before we move this upstream: does virt-aa-helper
really need write access to /var/lib/nova/instances/**?
Knowing a little bit what this helper does, I can't imagine why it
would; and in your logs I see only denied_mask="r".

> Probably it would be more appropriate to put that in a separate profile?

I think it's fine to add these lines to usr.lib.libvirt.virt-aa-helper.

Cheers,
-- 
intrigeri
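
The question raised above, whether virt-aa-helper really needs `rw` on /var/lib/nova/instances/** when the audit log only ever shows denied_mask="r", can be answered mechanically from the DENIED lines themselves. The script below is an added example, not code from this bug report, from libvirt or from the AppArmor project: it parses apparmor="DENIED" audit events (two lines copied from the report above serve as sample input), derives the minimal per-profile path/mask set from denied_mask, and then checks a candidate rule list both for denials it leaves uncovered and for rules that grant more than any observed denial asked for. The glob translator handles only the `*`, `**`, `?` and `{a,b}` forms used in the rules discussed here (an assumption; character classes and nested braces are not supported), and all function names are my own.

```python
import re
from collections import defaultdict

# Two of the five apparmor="DENIED" audit lines from the bug report, copied
# here as sample input so the script runs offline (syslog prefix dropped).
SAMPLE_AUDIT = """\
audit: type=1400 audit(1520566269.565:85): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e" pid=30420 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=64055
audit: type=1400 audit(1520566270.781:94): apparmor="DENIED" operation="open" profile="libvirt-39477509-a5d2-4f52-a751-bef5013484e4" name="/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e" pid=30475 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# The three rules proposed in the report, with the trailing comma AppArmor needs.
REPORTED_RULES = [
    "/var/lib/nova/instances/_base/ r,",
    "/var/lib/nova/instances/_base/* r,",
    "/var/lib/nova/instances/** rw,",
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_denials(text):
    """Return one dict of key="value" fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if all(k in fields for k in ("profile", "name", "denied_mask")):
            events.append(fields)
    return events

def minimal_access(events):
    """Map profile -> {path: mask} from denied_mask only ('r' never implies 'w')."""
    needed = defaultdict(lambda: defaultdict(set))
    for ev in events:
        needed[ev["profile"]][ev["name"]].update(ev["denied_mask"])
    return {prof: {path: "".join(sorted(mask)) for path, mask in paths.items()}
            for prof, paths in needed.items()}

def _translate(pattern):
    # AppArmor glob subset (assumption: enough here): '**' crosses '/', '*' and
    # '?' do not, '{a,b}' alternates and may contain globs; no [] classes.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(_translate(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def glob_to_regex(pattern):
    """Compile an AppArmor path glob into an anchored regular expression."""
    return re.compile("^" + _translate(pattern) + "$")

def parse_rule(line):
    """Parse 'PATH PERMS,' into (regex, perms); keyword-prefixed rules are out of scope."""
    path, perms = line.strip().rstrip(",").split()
    return glob_to_regex(path), perms

def audit_profile(rule_lines, needed_paths):
    """Return (uncovered, over_broad): observed denials no rule satisfies, and
    rules matching an observed path that grant more than was denied."""
    rules = [(line, *parse_rule(line)) for line in rule_lines]
    uncovered = {}
    for path, mask in needed_paths.items():
        granted = set()
        for _, rx, perms in rules:
            if rx.match(path):
                granted.update(perms)
        missing = set(mask) - granted
        if missing:
            uncovered[path] = "".join(sorted(missing))
    over_broad = []
    for line, rx, perms in rules:
        observed = set()
        for path, mask in needed_paths.items():
            if rx.match(path):
                observed.update(mask)
        extra = set(perms) - observed
        if observed and extra:
            over_broad.append((line, "".join(sorted(extra))))
    return uncovered, over_broad

if __name__ == "__main__":
    need = minimal_access(parse_denials(SAMPLE_AUDIT))
    print(need)
    print(audit_profile(REPORTED_RULES, need["virt-aa-helper"]))
```

Run against the reported rules, the checker flags `/var/lib/nova/instances/** rw,` as granting `w` that no denial ever asked for, while the single `_base/* r,` rule covers every observed denial with nothing to spare. Feeding it the existing `/**/disk{,.*} r,` rule alone shows why the backing file still needed its own line: that glob matches the per-instance `disk` image but not the `_base/<hash>` file it points to.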



Bug#892431: AppArmor denies access for libvirt to nova instances directory

2018-03-08 Thread aradian

Package: nova-compute
Version: 2:16.0.3-10
User: pkg-apparmor-t...@lists.alioth.debian.org
Usertags: new-profile

When launching a QEMU KVM instance, an error occurs immediately upon 
launching the qemu process:


Could not open backing file: Could not open 
'/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e': 
Permission denied


This is caused by the AppArmor profile for libvirt not including 
access to nova's instances directory (/var/lib/nova/instances).


This error was fixed by adding the following lines to 
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:


  /var/lib/nova/instances/_base/ r,
  /var/lib/nova/instances/_base/* r,
  /var/lib/nova/instances/** rw,

and running:
sudo apparmor_parser -r /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

Probably it would be more appropriate to put that in a separate profile?


This is on a system installed as debian-stretch, then upgraded to 
debian-buster.

$ uname -a
Linux callisto 4.14.0-3-amd64 #1 SMP Debian 4.14.17-1 (2018-02-14) 
x86_64 GNU/Linux




AppArmor DENIED messages from /var/log/syslog:

Mar  8 21:31:09 callisto kernel: [688136.384367] audit: type=1400 
audit(1520566269.565:85): apparmor="DENIED" operation="open" 
profile="virt-aa-helper" 
name="/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e" 
pid=30420 comm="virt-aa-helper" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=64055
Mar  8 21:31:09 callisto kernel: [688136.609529] audit: type=1400 
audit(1520566269.789:87): apparmor="DENIED" operation="open" 
profile="virt-aa-helper" 
name="/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e" 
pid=30426 comm="virt-aa-helper" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=64055
Mar  8 21:31:10 callisto kernel: [688136.854752] audit: type=1400 
audit(1520566270.033:89): apparmor="DENIED" operation="open" 
profile="virt-aa-helper" 
name="/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e" 
pid=30432 comm="virt-aa-helper" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=64055
Mar  8 21:31:10 callisto kernel: [688137.075108] audit: type=1400 
audit(1520566270.253:91): apparmor="DENIED" operation="open" 
profile="virt-aa-helper" 
name="/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e" 
pid=30438 comm="virt-aa-helper" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=64055
Mar  8 21:31:10 callisto kernel: [688137.603399] audit: type=1400 
audit(1520566270.781:94): apparmor="DENIED" operation="open" 
profile="libvirt-39477509-a5d2-4f52-a751-bef5013484e4" 
name="/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e" 
pid=30475 comm="qemu-system-x86" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0




Relevant part of /var/log/nova/nova-compute.log:

2018-03-02T05:15:27.083155Z qemu-system-x86_64: -drive 
file=/var/lib/nova/instances/9ac0d3ec-35ad-4420-ae20-f6c0c9845f05/disk,format=qcow2,if=none,id=drive-virtio-disk0,cache=none: 
Could not open backing file: Could not open 
'/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e': 
Permission denied
2018-03-01 23:15:27.373 2376 ERROR nova.virt.libvirt.driver 
[req-3cb9fbc5-8f4e-4244-8b14-b52ac1f0494b 
a6f48b630f634371ba94558f3ba576b8 5f46526ffab3410a9cf71b37fa242e11 - 
default default] [instance: 9ac0d3ec-35ad-4420-ae20-f6c0c9845f05] Failed 
to start libvirt guest: libvirtError: internal error: process exited 
while connecting to monitor: outputs=1,bus=pci.0,addr=0x2 -device 
virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on
2018-03-02T05:15:27.083155Z qemu-system-x86_64: -drive 
file=/var/lib/nova/instances/9ac0d3ec-35ad-4420-ae20-f6c0c9845f05/disk,format=qcow2,if=none,id=drive-virtio-disk0,cache=none: 
Could not open backing file: Could not open 
'/var/lib/nova/instances/_base/affe96668a4c64ef380ff1c71b4caec17039080e': 
Permission denied
2018-03-01 23:15:27.374 2376 INFO os_vif 
[req-3cb9fbc5-8f4e-4244-8b14-b52ac1f0494b 
a6f48b630f634371ba94558f3ba576b8 5f46526ffab3410a9cf71b37fa242e11 - 
default default] Successfully unplugged vif 
VIFBridge(active=False,address=fa:16:3e:b4:ed:53,bridge_name='brq03b5dd02-ac',has_traffic_filtering=True,id=042a5f68-01bb-453e-bb2a-2d798b7691d5,network=Network(03b5dd02-ac2f-49f0-b1ff-fa26059f352c),plugin='linux_bridge',port_profile=,preserve_on_delete=False,vif_name='tap042a5f68-01')
2018-03-01 23:15:27.434 2376 INFO nova.virt.libvirt.driver 
[req-3cb9fbc5-8f4e-4244-8b14-b52ac1f0494b 
a6f48b630f634371ba94558f3ba576b8 5f46526ffab3410a9cf71b37fa242e11 - 
default default] [instance: 9ac0d3ec-35ad-4420-ae20-f6c0c9845f05] 
Deleting instance files 
/var/lib/nova/instances/9ac0d3ec-35ad-4420-ae20-f6c0c9845f05_del
2018-03-01 23:15:27.436 2376 INFO nova.virt.libvirt.driver 
[req-3cb9fbc5-8f4e-4244-8b14-b52ac1f0494b 
a6f48b630f634371ba94558f3ba576b8 5f46526ffab3410a9cf71b37fa242e11 - 
default default] [instance: 9ac0d3ec-35ad-4420-ae20-f6c0c9845f05] 
Deletion of