[Bug 656173] Re: virt-aa-helper generate incomplete apparmor profiles with chained backing files

2010-10-07 Thread James Page
** Tags added: maverick

-- 
virt-aa-helper generate incomplete apparmor profiles  with chained backing files
https://bugs.launchpad.net/bugs/656173
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 656173] Re: virt-aa-helper generate incomplete apparmor profiles with chained backing files

2010-10-07 Thread James Page
Thank you for taking the time to report this bug and helping to make
Ubuntu better. Please execute the following command, as it will
automatically gather debugging information, in a terminal:

apport-collect 656173

When reporting bugs in the future please use apport, using 'ubuntu-bug'
and the name of the package affected. You can learn more about this
functionality at https://wiki.ubuntu.com/ReportingBugs.

Please could you also provide details of how you created the .qcow2
files and how you created your virtual machine to use these files. This
will help us reproduce your issue more accurately.



[Bug 656173] Re: virt-aa-helper generate incomplete apparmor profiles with chained backing files

2010-10-07 Thread James Page
I've been unable to reproduce this issue on either Lucid or Maverick,
although they do exhibit different behaviour.

test.qcow2 -> test_base.qcow2 -> base/lenny_vase.qcow2 (symlink to lenny.qcow2)

Lucid apparmor profile:

  /var/log/libvirt/**/test.log w,
  /var/lib/libvirt/**/test.monitor rw,
  /var/run/libvirt/**/test.pid rwk,
  /home/jamespage/vms/test_base.qcow2 rw,
  /home/jamespage/vms/base/lenny.qcow2 rw,
  /home/jamespage/vms/test.qcow2 rw,
  /home/jamespage/reference/isos/ubuntu-server/maverick-server-i386.iso r,
  # don't audit writes to readonly files
  deny /home/jamespage/reference/isos/ubuntu-server/maverick-server-i386.iso w,

Maverick apparmor profile:

  /var/log/libvirt/**/test.log w,
  /var/lib/libvirt/**/test.monitor rw,
  /var/run/libvirt/**/test.pid rwk,
  /home/jamespage/vms/test.qcow2 rw,
  /dev/sr0 r,
  # don't audit writes to readonly files
  deny /dev/sr0 w,

No apparmor messages in kern.log, and no impact on functionality.



[Bug 656173] Re: virt-aa-helper generate incomplete apparmor profiles with chained backing files

2010-10-07 Thread James Page
** Changed in: libvirt (Ubuntu)
   Status: New => Incomplete



[Bug 656173] Re: virt-aa-helper generate incomplete apparmor profiles with chained backing files

2010-10-07 Thread James Page
OK, I've now managed to reproduce the issue. It appears that virt-aa-helper
only parses backing_files one level; in this case the full chain
is two levels/three files, so the base qcow2 image is not included in
the apparmor profile:

  /var/log/libvirt/**/test.log w,
  /var/lib/libvirt/**/test.monitor rw,
  /var/run/libvirt/**/test.pid rwk,
  /home/jamespage/vms/test.qcow2 rw,
  /home/jamespage/vms/test_base.qcow2 r,
  # don't audit writes to readonly files
  deny /home/jamespage/vms/test_base.qcow2 w,

I incidentally found a potential bug in virt-install; it does not appear
to recognise .qcow2 files and generates an xml definition with the disk
type as raw.



[Bug 656173] Re: virt-aa-helper generate incomplete apparmor profiles with chained backing files

2010-10-07 Thread James Page
Enabling 'allow_disk_format_probing = 1' in /etc/libvirt/qemu.conf
and restarting libvirtd-bin reinstates the automated probing of
backing_files in Maverick.

** Changed in: libvirt (Ubuntu)
   Status: Incomplete => Confirmed

-- 
libvirt no longer probes chained backing stores
https://bugs.launchpad.net/bugs/656173
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.



[Bug 656173] Re: virt-aa-helper generate incomplete apparmor profiles with chained backing files

2010-10-07 Thread Jamie Strandboge
This behavior changed in libvirt 0.8.3 and the pending lucid-security libvirt 
update and is part of the fix for CVE-2010-2237, CVE-2010-2238 and 
CVE-2010-2239. From /etc/libvirt/qemu.conf:
# If allow_disk_format_probing is enabled, libvirt will probe disk
# images to attempt to identify their format, when not otherwise
# specified in the XML. This is disabled by default.
#
# WARNING: Enabling probing is a security hole in almost all
# deployments. It is strongly recommended that users update their
# guest XML disk elements to include <driver type=''/>
# elements instead of enabling this option.
# allow_disk_format_probing = 1

So people can either:
1. adjust /etc/apparmor.d/libvirt/libvirt-uuid to have the extra files
2. adjust /etc/libvirt/qemu.conf for the above

The former is preferred for security reasons, but has to be done for
each virtual machine.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2237

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2238

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2239

** Changed in: libvirt (Ubuntu)
   Status: Confirmed => Won't Fix

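The preferred option above (listing every file in the chain in the per-VM profile rather than re-enabling format probing) can be automated by reading the backing_file_offset and backing_file_size fields of each qcow2 header and following the chain to its base, which is the step virt-aa-helper stopped after one level of. This is an added example, not libvirt's or virt-aa-helper's code; the stub image writer, temp directory, file names and the base/ symlink are constructed test data mirroring the layout in the report.

```python
import os
import struct
import tempfile
QCOW2_MAGIC, HEADER_LEN = b"QFI\xfb", 72  # qcow2 v2 header; the backing name is stored after it

def backing_file(path):  # name recorded in the qcow2 header, or None for a base image
    with open(path, "rb") as fh:
        hdr = fh.read(HEADER_LEN)
        if len(hdr) < HEADER_LEN or hdr[:4] != QCOW2_MAGIC:
            raise ValueError("not a qcow2 image: %s" % path)
        # big-endian fields: magic, version, backing_file_offset, backing_file_size
        _, _, off, size = struct.unpack(">IIQI", hdr[:20])
        if off == 0 or size == 0:
            return None
        fh.seek(off)
        return fh.read(size).decode()

def backing_chain(path):  # follow every level, resolving symlinks; virt-aa-helper stopped after one
    chain = []
    while path is not None:
        real = os.path.realpath(path)
        if real in chain:
            raise ValueError("backing chain loops at %s" % path)
        chain.append(real)
        name = backing_file(real)
        # a relative backing name resolves against the image's own directory, as qemu does
        path = None if name is None else os.path.join(os.path.dirname(real), name)
    return chain

def apparmor_rules(chain):
    rules = ["  %s rw," % chain[0]]  # the top image is the only one written
    for base in chain[1:]:  # backing files are read-only, plus the deny-w rule libvirt adds
        rules += ["  %s r," % base, "  deny %s w," % base]
    return rules

def stub_qcow2(path, backing=None):  # constructed header-only test image, not bootable
    name = (backing or "").encode()
    hdr = QCOW2_MAGIC + struct.pack(">IQI", 2, HEADER_LEN if name else 0, len(name))
    with open(path, "wb") as fh:
        fh.write(hdr.ljust(HEADER_LEN, b"\0") + name)

def demo():  # rebuild the report's layout: test.qcow2 -> test_base.qcow2 -> base/ symlink -> lenny.qcow2
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "base"))
    stub_qcow2(os.path.join(d, "base", "lenny.qcow2"))
    os.symlink("lenny.qcow2", os.path.join(d, "base", "lenny_base.qcow2"))
    stub_qcow2(os.path.join(d, "test_base.qcow2"), "base/lenny_base.qcow2")
    stub_qcow2(os.path.join(d, "test.qcow2"), "test_base.qcow2")
    chain = backing_chain(os.path.join(d, "test.qcow2"))
    return chain, apparmor_rules(chain)
```

The emitted rules match the shape of the Lucid profile quoted earlier in the thread (the resolved symlink target appears, not the link name) and can be pasted into the per-VM file under /etc/apparmor.d/libvirt/ without touching allow_disk_format_probing.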