[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible

2023-10-09 Thread Martin Pitt
Similar issue: https://gitlab.com/libvirt/libvirt/-/issues/548 . These
two may want a common fix with "allow qemu to read sysfs"?

** Bug watch added: gitlab.com/libvirt/libvirt/-/issues #548
   https://gitlab.com/libvirt/libvirt/-/issues/548

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989073

Title:
  AppArmor DENIES reading of /sys/devices/system/cpu/possible

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Kinetic:
  Won't Fix

Bug description:
  libvirt 8.6.0-0ubuntu1
  apparmor 3.0.7-1ubuntu1

  Creating a VM with virt-install produces this AppArmor denial:

  AVC apparmor="DENIED" operation="open" profile="libvirt-974c9859-e682-4f5d-b0cb-dcf3d60185fc" name="/sys/devices/system/cpu/possible" pid=2522 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

  Creation of the VM is successful.  This is with nested virtualization.

  This did not happen with libvirt 8.0.0-1ubuntu8 and apparmor
  3.0.7-1ubuntu1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible

2022-11-14 Thread Christian Ehrhardt 
Hi Marius,

> What actually is the effect of the denial? Will qemu not use more than one 
> CPU, 
> or is it something less harmful?

Since the new interface is arch-specific and new, the code does fall back
to the old way.

  /* On some architectures it is possible to distinguish between configured
     and active cpus.  */
  int
  __get_nprocs_conf (void)
  {
    int result = read_sysfs_file ("/sys/devices/system/cpu/possible");
    if (result != 0)
      return result;

    /* Fall back to /proc/stat and sched_getaffinity.  */
    return get_nprocs_fallback ();
  }

Due to that, even when denied it gets the right number (as it had
before).

Once with, and once without, isolation blocking access.

ubuntu@k2:/tmp$ ./testsysconf 
_SC_NPROCESSORS_CONF 3

ubuntu@k2:/tmp$ sudo aa-exec -p test -- ./testsysconf
_SC_NPROCESSORS_CONF 3

It only has a real difference on systems where the new code was needed in the 
first place.
Those are usually rather massive systems which start at lower CPU counts but 
might hot-plug them later; on those, with the denial causing the fallback, 
you'd only get a number lower than the real potential maximum.
The code that hits this in your case is libnuma on initialization; unless you 
are very deep into NUMA control on very huge systems using CPU hotplug, you 
won't see any effect.

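The fallback Christian describes can be exercised outside of libvirt with a small stand-in. The following C program is an added example, not code from the bug report, from glibc, or from the testsysconf binary used above: it parses the cpulist format that /sys/devices/system/cpu/possible uses ("0-3", "0,2-5,7"), returns 0 when the file cannot be opened or read (which is exactly what a confined process sees when AppArmor denies the open), and then falls back. The fallback used here, sysconf(_SC_NPROCESSORS_ONLN), is this example's own choice; glibc's real fallback reads /proc/stat and uses sched_getaffinity(). The parser is also the example's own and does not reproduce glibc's read_sysfs_file().

```c
/* Added example (not from the bug report or from glibc): a stand-in for
 * the __get_nprocs_conf() structure quoted above, so the effect of the
 * AppArmor denial can be observed directly. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Count the CPUs named by a Linux cpulist such as "0-3" or "0,2-5,7".
 * Returns 0 on empty or malformed input so a caller can treat 0 as
 * "no usable answer", the same convention glibc's sysfs read uses. */
int count_cpulist(const char *s)
{
    int total = 0;
    while (*s && *s != '\n') {
        char *end;
        long lo = strtol(s, &end, 10);
        if (end == s || lo < 0)
            return 0;                       /* not a number: malformed */
        long hi = lo;
        if (*end == '-') {                  /* a range "lo-hi" */
            const char *p = end + 1;
            hi = strtol(p, &end, 10);
            if (end == p || hi < lo)
                return 0;
        }
        total += (int)(hi - lo + 1);
        if (*end == ',')
            end++;                          /* next element */
        else if (*end && *end != '\n')
            return 0;                       /* trailing garbage */
        s = end;
    }
    return total;
}

/* Read a cpulist file; 0 if it cannot be opened or read (for example
 * EACCES after an AppArmor denial) or if its content is malformed. */
int count_cpulist_file(const char *path)
{
    char buf[256];
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return 0;
    }
    fclose(f);
    return count_cpulist(buf);
}

/* Prefer the sysfs "possible" count, otherwise fall back.  The fallback
 * here (online CPUs via sysconf) is this example's own stand-in for
 * glibc's /proc/stat + sched_getaffinity() path. */
long nprocs_conf_like(const char *possible_path)
{
    int n = count_cpulist_file(possible_path);
    if (n > 0)
        return n;
    return sysconf(_SC_NPROCESSORS_ONLN);
}

int main(void)
{
    const char *path = "/sys/devices/system/cpu/possible";
    int from_sysfs = count_cpulist_file(path);
    printf("possible via sysfs  : %d%s\n", from_sysfs,
           from_sysfs ? "" : " (unreadable, falling back)");
    printf("nprocs_conf_like    : %ld\n", nprocs_conf_like(path));
    printf("_SC_NPROCESSORS_CONF: %ld\n", sysconf(_SC_NPROCESSORS_CONF));
    return 0;
}
```

Build with `cc -Wall -o cpupossible cpupossible.c`, then run it once unconfined and once under a confining profile (for example `sudo aa-exec -p <profile> -- ./cpupossible`, as in the test above). If the first line reports the file as unreadable but the other two numbers are unchanged, the fallback has masked the denial; on a host where "possible" is larger than the online set (hot-plug capable systems), the confined run will instead report the lower fallback value, which is the real effect of the missing rule.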

[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible

2022-11-14 Thread Marius Vollmer
Thanks a lot everyone!

What actually is the effect of the denial?  Will qemu not use more than
one CPU, or is it something less harmful?


[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible

2022-11-14 Thread John Johansen
This has now landed upstream, on the master branch as

c159d0925 Allow access to possible cpus for glibc-2.36

and has been cherry-picked back to 3.1, 3.0, 2.13, and 2.12 branches.
This schedules it for release in the 2.12.4 and 2.13.7, 3.0.8 releases
this week. Unfortunately 3.1.2 was cut last week so it just misses that
release.

I will look at assigning resources to this, I am not sure which of us
will pick it up yet.


[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible

2022-11-14 Thread Christian Ehrhardt 
Submitted upstream:
 https://lists.ubuntu.com/archives/apparmor/2022-November/012528.html

Once discussed and accepted there, I suggest a backport to Kinetic.

I hope this debug and patch helps, but to manage expectations, I'd
hope/expect that someone usually looking after apparmor does that follow
on step then. Could someone please agree to take it over from here and
comment on this bug?

P.S. I mostly want to avoid stepping on someone's toes; if you want me to
upload it to kinetic I can do so, let me know.


[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible

2022-11-14 Thread Christian Ehrhardt 
Reported upstream at https://gitlab.com/apparmor/apparmor/-/issues/283

** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #283
   https://gitlab.com/apparmor/apparmor/-/issues/283


[Touch-packages] [Bug 1989073] Re: AppArmor DENIES reading of /sys/devices/system/cpu/possible

2022-11-14 Thread Christian Ehrhardt 
That is the commit causing the change [1] in behavior.

That is pretty low level (in libc6) and will probably hit anything that
links against libnuma.

I think the fix should therefore go into
  /etc/apparmor.d/abstractions/base


Today it has:
  # glibc's sysconf(3) routine to determine free memory, etc
  @{PROC}/meminfo r,
  @{PROC}/stat r,
  @{PROC}/cpuinfo r,
  @{sys}/devices/system/cpu/ r,
  @{sys}/devices/system/cpu/online r,

And due to [1] I think this needs to get:
  @{sys}/devices/system/cpu/possible r,

That is still missing in upstreams [2] current base profile.

Gladly it isn't too fatal, but still bad.
Retargeting this to the apparmor package.

[1]: https://sourceware.org/git/?p=glibc.git;a=commit;h=97a912f7a832a6
[2]: https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/base#L98

** Package changed: libvirt (Ubuntu) => apparmor (Ubuntu)

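The rule Christian proposes can be derived mechanically from the audit line in the bug description. The following C program is an added example, not code from the bug report or from the apparmor project: it extracts name= and denied_mask= from an AVC "DENIED" line, rewrites the /sys and /proc prefixes into the @{sys} and @{PROC} variables that abstractions/base uses, and returns the resulting rule. The sample line is the denial quoted in this bug, re-joined onto one line; the field-extraction helper and the list of accepted permission letters are the example's own. It deliberately refuses exec denials, since a bare "x" is not a valid AppArmor file mode and choosing ix, Px or Ux is a security decision, and it says nothing about where the rule belongs; for a read that glibc itself performs from sysconf(_SC_NPROCESSORS_CONF), the message above makes the case that the shared base abstraction is the right place, not the per-VM libvirt profile named in the log line.

```c
/* Added example (not from the bug report or the apparmor project): turn an
 * AppArmor AVC "DENIED" audit line into the file rule that would permit the
 * access, using the @{sys}/@{PROC} variables of abstractions/base. */
#include <stdio.h>
#include <string.h>

/* Copy the quoted value of ` key="..."` into out; 0 on success, -1 if absent
 * or too long.  The leading space keeps "mask" from matching "denied_mask". */
static int avc_field(const char *line, const char *key, char *out, size_t outsz)
{
    char pat[64];
    snprintf(pat, sizeof pat, " %s=\"", key);
    const char *p = strstr(line, pat);
    if (!p)
        return -1;
    p += strlen(pat);
    const char *q = strchr(p, '"');
    if (!q || (size_t)(q - p) >= outsz)
        return -1;
    memcpy(out, p, (size_t)(q - p));
    out[q - p] = '\0';
    return 0;
}

/* Build e.g. "  @{sys}/devices/system/cpu/possible r," from a DENIED line.
 * Returns 0 and fills rule, or -1 if the line is not a file denial this
 * example is willing to express (exec modes need a human choice). */
int suggest_rule(const char *line, char *rule, size_t rulesz)
{
    char name[256], mask[16];
    if (!strstr(line, "apparmor=\"DENIED\""))
        return -1;
    if (avc_field(line, "name", name, sizeof name) < 0 ||
        avc_field(line, "denied_mask", mask, sizeof mask) < 0)
        return -1;
    /* Accept only plain file access letters; reject "x" and anything odd. */
    if (mask[0] == '\0' || strspn(mask, "rwalkm") != strlen(mask))
        return -1;

    const char *var = "", *rest = name;
    if (strncmp(name, "/sys/", 5) == 0)       { var = "@{sys}";  rest = name + 4; }
    else if (strncmp(name, "/proc/", 6) == 0) { var = "@{PROC}"; rest = name + 5; }
    int n = snprintf(rule, rulesz, "  %s%s %s,", var, rest, mask);
    return (n < 0 || (size_t)n >= rulesz) ? -1 : 0;
}

/* Convenience for checks: 1 if `line` yields exactly `expected`. */
int rule_matches(const char *line, const char *expected)
{
    char rule[512];
    return suggest_rule(line, rule, sizeof rule) == 0 && strcmp(rule, expected) == 0;
}

/* The denial quoted in the bug report, joined onto one line. */
static const char sample[] =
    "AVC apparmor=\"DENIED\" operation=\"open\" "
    "profile=\"libvirt-974c9859-e682-4f5d-b0cb-dcf3d60185fc\" "
    "name=\"/sys/devices/system/cpu/possible\" pid=2522 comm=\"qemu-system-x86\" "
    "requested_mask=\"r\" denied_mask=\"r\" fsuid=64055 ouid=0";

int main(void)
{
    char rule[512];
    if (suggest_rule(sample, rule, sizeof rule) == 0)
        printf("%s\n", rule);
    return 0;
}
```

Feeding it the bug's line yields `@{sys}/devices/system/cpu/possible r,`, the exact rule added to the base abstraction by the upstream commit referenced in this thread; piping `journalctl -k` or audit.log through it on a host that still shows the denial confirms that the rule, not the profile name, is what needs changing.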