[Bug 702774] [NEW] Update of AppArmor disables libvirtd dynamic profiles

2011-01-14 Thread mhakali
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: apparmor

Since a while back Ubuntu provides an excellent security model for
virtualized systems. This happens via dynamic apparmor profiles
protecting against manipulating other virtualized system resources but
also the host system itself.

Example of how it works:

# apt-get install apparmor-profiles
# aa-enforce /etc/apparmor.d/*
start your libvirtd and virtual machines
# apparmor_status
apparmor module is loaded.
33 profiles are loaded.
33 profiles are in enforce mode.
[...]
4 processes have profiles defined.
4 processes are in enforce mode :
   /usr/sbin/libvirtd (1928) 
   /usr/sbin/named (5018) 
   libvirt-d829936f-bbff-b657-afeb-b250d8083f81 (12108)
   libvirt-ec24421d-1911-4b1b-09a8-0ece48901cb8 (20030)
[...]
# ps -ef --pid 12108
101   12108     1  1 Dec11 ?    00:41:09 /usr/bin/kvm

The dynamic libvirt-UUID profiles are created by libvirtd on launch.
They are included by /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper.
When you start a virtual system new files are put under
/etc/apparmor.d/libvirt. /usr/lib/libvirt/virt-aa-helper then starts
(hence invoking the dynamic security profile) and then forks the KVM
process.

An example of enforcement looks like:

# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  /var/log/libvirt/**/test_crypto.log w,
  /var/lib/libvirt/**/test_crypto.monitor rw,
  /var/run/libvirt/**/test_crypto.pid rwk,
  /data/servers/test/vda.img rw,

Very nice.

This is of course until you decide to update your system. And install a
new apparmor, apparmor-profile or anything triggering service apparmor
restart (efficiently unloading and reloading all apparmor profiles).

This efficiently makes apparmor enforce the new policies on existing
running applications. Unfortunately /usr/lib/libvirt/virt-aa-helper is
no longer running, and more importantly no longer with the same UUID so
the KVM security profiles are no longer enforced.

For a system performing automatic security updates this is almost bound
to happen.

Example:

# service apparmor restart
 * Reloading AppArmor profiles   [ OK ] 
# apparmor_status
apparmor module is loaded.
31 profiles are loaded.
31 profiles are in enforce mode.
[...]
2 processes have profiles defined.
2 processes are in enforce mode :
   /usr/sbin/libvirtd (1928) 
   /usr/sbin/named (5018) 
[...]

Security is efficiently disabled.

System information:

Distributor ID: Ubuntu
Description:    Ubuntu 10.10
Release:        10.10
Codename:       maverick


(Thank you launchpad/ubuntu-bugs for requiring referral headers, not
saving my published information hence forcing me to rewrite the same bug
report again. Frustration^2 of obscurity security. HTTPS and personal
accounts should be way sufficient.)

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/702774

Title:
  Update of AppArmor disables libvirtd dynamic profiles

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 702774] Re: Update of AppArmor disables libvirtd dynamic profiles

2011-01-14 Thread mhakali
Did some additional research, and managed to re-load the existing
profiles by executing:

root:/etc/apparmor.d/libvirt# for i in $(ls | grep -v \.files | grep libvirt-); do apparmor_parser -a $i; done

# apparmor_status 
apparmor module is loaded.
40 profiles are loaded.
40 profiles are in enforce mode.
[...]
   libvirt-22119fd7-e5c4-20c8-7efe-e0fbb086e218
   libvirt-27ddd6d3-01ec-85dd-3f3b-0f58cbff18fe
   libvirt-2d1c701b-d5ed-8524-4ef6-fbd12419d75e
   libvirt-51ef85f6-ce69-4788-9293-2af1860d45d0
   libvirt-564dbb14-b9f2-4083-2b85-cd44e90ee5c6
   libvirt-909b523f-78a6-01c2-8179-daebf72b9e1f
   libvirt-92d90b8b-b336-b73f-fb22-72a48d475445
   libvirt-de951d50-6787-ec6a-754c-c5b39a2d7cd9
   libvirt-ec24421d-1911-4b1b-09a8-0ece48901cb8
[...]

However, attempting to apply these to an existing pid (according to wiki
@ https://help.ubuntu.com/community/AppArmor) gives:

root:/proc/23859/attr# cat current 
unconfined
root:/proc/23859/attr# echo 'setprofile libvirt-27ddd6d3-01ec-85dd-3f3b-0f58cbff18fe' > current
-bash: echo: write error: Permission denied

New machines shut down and relaunched after doing the service apparmor
restart get correctly confined:

# apparmor_status
[...]
3 processes have profiles defined.
3 processes are in enforce mode :
   /usr/sbin/libvirtd (1928) 
   /usr/sbin/named (5018) 
   libvirt-2d1c701b-d5ed-8524-4ef6-fbd12419d75e (11214) 
[...]
# service apparmor restart
[...]
2 processes are in enforce mode :
   /usr/sbin/libvirtd (1928) 
   /usr/sbin/named (5018) 
[...]

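A check for the condition both messages describe, VM processes left without their libvirt-UUID profile after the profiles are reloaded, written here as an added example and not taken from the bug report. It assumes that /proc/PID/attr/current reads "profile (enforce)" for a confined process and "unconfined" otherwise (the report's own output shows the latter), that the emulator's comm name is kvm or qemu*, and it takes the proc root as a parameter so it can be exercised against a constructed fake tree.

```shell
#!/bin/sh
# Added example, not part of the bug report: flag virtual-machine processes
# whose AppArmor label is not an enforced libvirt-<UUID> profile, i.e. the
# state the report shows after "service apparmor restart". The proc root is
# a parameter so the check can be run against a constructed fake tree.

check_vm_confinement() {
    proc_root="${1:-/proc}"
    found=0
    for attr in "$proc_root"/[0-9]*/attr/current; do
        [ -r "$attr" ] || continue
        piddir="${attr%/attr/current}"
        pid="${piddir##*/}"
        comm=$(cat "$piddir/comm" 2>/dev/null) || continue
        # Only emulator processes (the report shows /usr/bin/kvm) are checked.
        case "$comm" in
            kvm|qemu*) ;;
            *) continue ;;
        esac
        label=$(cat "$attr")
        case "$label" in
            libvirt-*" (enforce)") ;;   # dynamic profile present and enforced
            *) echo "pid $pid ($comm): $label"; found=$((found + 1)) ;;
        esac
    done
    [ "$found" -eq 0 ]                 # exit 1 if any VM process is not confined
}

# Constructed /proc lookalike (sample data, not captured from a host): one
# confined VM, one VM left unconfined after a profile reload, and an
# unrelated daemon that the check must ignore.
make_constructed_proc() {
    root=$(mktemp -d)
    for spec in "100:kvm:libvirt-ec24421d-1911-4b1b-09a8-0ece48901cb8 (enforce)" \
                "200:kvm:unconfined" \
                "300:named:/usr/sbin/named (enforce)"; do
        pid=${spec%%:*}; rest=${spec#*:}; comm=${rest%%:*}; label=${rest#*:}
        mkdir -p "$root/$pid/attr"
        printf '%s\n' "$comm" > "$root/$pid/comm"
        printf '%s\n' "$label" > "$root/$pid/attr/current"
    done
    echo "$root"
}

demo_root=$(make_constructed_proc)
check_vm_confinement "$demo_root" || echo "WARNING: unconfined VM process(es) listed above"
```

Run with no argument it inspects the real /proc; a complain-mode label is reported as well, since the profile is then loaded but not enforced. As the second message found, a listed VM cannot be reattached to a reloaded profile through setprofile and only regains confinement when it is shut down and relaunched.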


[Bug 152206] Re: Intel 965G (GMA X3000) - Video Tearing Effect Poor Performance

2008-04-14 Thread mhakali
Although the non-textured video playback works great with XV overlay,
applications which use OpenGL as renderer (more specifically, XBMC for Linux,
which uses OpenGL via SDL) still show tearing during video playback. I
am looking to use a machine with Intel gfx and XBMC Linux as a HTPC, but
those plans will probably not work out it seems :-)

Resolution to get rid of tearing effects all in all?

-- 
Intel 965G (GMA X3000) - Video Tearing Effect  Poor Performance
https://bugs.launchpad.net/bugs/152206


[Bug 188732] Re: Blinking cursor can not be deactivated anymore

2008-04-08 Thread mhakali
I 2nd that. I want the cursor to blink elsewhere but in the terminal
it's just annoying.

-- 
Blinking cursor can not be deactivated anymore
https://bugs.launchpad.net/bugs/188732