Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor
Hi, sorry for my late reply.

On 2018年08月03日 20:42, Guido Günther wrote:
> Hi,
> thanks. Some comments inline below:
>
> On Fri, Aug 03, 2018 at 08:23:21PM +0800, Haruki TSURUMOTO wrote:
> > Hi,
> >
> > On 2018年08月03日 19:58, Guido Günther wrote:
> > > Hi,
> > > On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> > > > Package: libvirt-daemon-system
> > > > Version: 3.0.0-4+deb9u3
> > > > Severity: normal
> > > > X-Debbugs-Cc: appar...@packages.debian.org
> > > >
> > > > Dear maintainers, (CCed: apparmor-maintainers)
> > > >
> > > > I had enabled AppArmor on my Debian stretch machine.
> > > > I found that some of libvirt's open operations are DENIED by AppArmor.
> > > > Please see below.
> > > >
> > > > ```
> > > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > ```
> > > >
> > > > These policy conflicts were fixed upstream.
> > > >
> > > > I attached a patch which I backported from these commits.
> > > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> > > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> > > >
> > > > Would you apply this patch for stretch?
> > > Can you provide a debdiff for a fixed package?
> > >  -- Guido
> > debdiff is here:
> Is this a *tested* debdiff?

Yes, I installed my own built package and tested it.
I attach a new debdiff.
Does this qualify for the conditions?

```
diff -Nru libvirt-3.0.0/debian/changelog libvirt-3.0.0/debian/changelog
--- libvirt-3.0.0/debian/changelog 2018-03-13 03:11:51.0 +0900
+++ libvirt-3.0.0/debian/changelog 2018-08-03 21:53:49.0 +0900
@@ -1,3 +1,10 @@
+libvirt (3.0.0-4+deb9u4) stretch; urgency=medium
+
+  * apparmor: apply apparmor-allow-access-host-resources-and-cmdline.patch
+    (Closes: #905339)
+
+ -- Haruki TSURUMOTO  Fri, 03 Aug 2018 21:53:49 +0900
+
 libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
 
   * gbp: switch branch to stretch
diff -Nru libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch
--- libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch 1970-01-01 09:00:00.0 +0900
+++ libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch 2018-08-03 21:53:49.0 +0900
@@ -0,0 +1,25 @@
+Allow apparmor access host resources and process cmdline
+These policy conflicts were fixed in upstream.
+--- a/examples/apparmor/libvirt-qemu
++++ b/examples/apparmor/libvirt-qemu
+@@ -21,6 +21,10 @@
+ /dev/ptmx rw,
+ /dev/kqemu rw,
+ @{PROC}/*/status r,
++ # When qemu is signaled to terminate, it will read cmdline of signaling
++ # process for reporting purposes. Allowing read access to a process
++ # cmdline may leak sensitive information embedded in the cmdline.
++ @{PROC}/@{pid}/cmdline r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+@@ -152,3 +1
```
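Review bot: the changelog hunk now has the right shape for a stable update (`3.0.0-4+deb9u4`, distribution `stretch`, `Closes: #905339`), but "apply apparmor-allow-access-host-resources-and-cmdline.patch" tells a stretch user nothing; say what changes for them, e.g. "apparmor: allow qemu read access to host CPU/NUMA sysfs nodes, vhost max_mem_regions and process cmdline, backported from upstream (Closes: #905339)".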
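Review bot: the patch header in the `@@ -0,0 +1,25 @@` hunk still reads only `+These policy conflicts were fixed in upstream.` although the upstream commit links were explicitly requested; add DEP-3 headers, i.e. an `Origin:` line for each of the two libvirt.org commits from the report (e7f5d627f93c1c71260d2a795a1227b16b0d3186 and 0af5ced4b81b68be7016d1f8755db3d0c3249278) and `Bug-Debian: https://bugs.debian.org/905339`. The hunk is cut off after `+@@ -152,3 +1` in this copy, so the sysfs rules and the `debian/patches/series` change cannot be checked here; make sure the new file is listed in series, otherwise it is never applied.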
Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor
Hi,
thanks. Some comments inline below:

On Fri, Aug 03, 2018 at 08:23:21PM +0800, Haruki TSURUMOTO wrote:
> Hi,
>
> On 2018年08月03日 19:58, Guido Günther wrote:
> > Hi,
> > On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> > > Package: libvirt-daemon-system
> > > Version: 3.0.0-4+deb9u3
> > > Severity: normal
> > > X-Debbugs-Cc: appar...@packages.debian.org
> > >
> > > Dear maintainers, (CCed: apparmor-maintainers)
> > >
> > > I had enabled AppArmor on my Debian stretch machine.
> > > I found that some of libvirt's open operations are DENIED by AppArmor.
> > > Please see below.
> > >
> > > ```
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > ```
> > >
> > > These policy conflicts were fixed upstream.
> > >
> > > I attached a patch which I backported from these commits.
> > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> > >
> > > Would you apply this patch for stretch?
> > Can you provide a debdiff for a fixed package?
> >  -- Guido
> debdiff is here:

Is this a *tested* debdiff?

> diff -Nru libvirt-3.0.0/debian/changelog libvirt-3.0.0/debian/changelog
> --- libvirt-3.0.0/debian/changelog 2018-03-13 03:11:51.0 +0900
> +++ libvirt-3.0.0/debian/changelog 2018-08-03 13:26:45.0 +0900
> @@ -1,3 +1,10 @@
> +libvirt (3.0.0-4+deb9u3.ownbuild) UNRELEASED; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * apparmor: Allow-access-host-resource-and-cmdline.patch

Closes: #xyz

> +
> + -- Haruki TSURUMOTO  Fri, 03 Aug 2018 13:26:45 +0900
> +
>  libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
>  
>    * gbp: switch branch to stretch
> diff -Nru libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
> --- libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 1970-01-01 09:00:00.0 +0900
> +++ libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 2018-08-03 13:26:45.0 +0900
> @@ -0,0 +1,25 @@
> +Allow apparmor access host resource and process cmdline

Allow apparmor access to host resources and process cmdline

> +These polociy conflicts were fixed in upstream.

Please add the links to the upstream commits here. I'll try to squeeze this into a point release then.
Cheers,
 -- Guido

> +--- a/examples/apparmor/libvirt-qemu
> ++++ b/examples/apparmor/libvirt-qemu
> +@@ -21,6 +21,10 @@
> + /dev/ptmx rw,
> +
Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor
Hi,

On 2018年08月03日 19:58, Guido Günther wrote:
> Hi,
> On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> > Package: libvirt-daemon-system
> > Version: 3.0.0-4+deb9u3
> > Severity: normal
> > X-Debbugs-Cc: appar...@packages.debian.org
> >
> > Dear maintainers, (CCed: apparmor-maintainers)
> >
> > I had enabled AppArmor on my Debian stretch machine.
> > I found that some of libvirt's open operations are DENIED by AppArmor.
> > Please see below.
> >
> > ```
> > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > ```
> >
> > These policy conflicts were fixed upstream.
> >
> > I attached a patch which I backported from these commits.
> > https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> > https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> >
> > Would you apply this patch for stretch?
> Can you provide a debdiff for a fixed package?
>  -- Guido

debdiff is here:

```
diff -Nru libvirt-3.0.0/debian/changelog libvirt-3.0.0/debian/changelog
--- libvirt-3.0.0/debian/changelog 2018-03-13 03:11:51.0 +0900
+++ libvirt-3.0.0/debian/changelog 2018-08-03 13:26:45.0 +0900
@@ -1,3 +1,10 @@
+libvirt (3.0.0-4+deb9u3.ownbuild) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * apparmor: Allow-access-host-resource-and-cmdline.patch
+
+ -- Haruki TSURUMOTO  Fri, 03 Aug 2018 13:26:45 +0900
+
 libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
 
   * gbp: switch branch to stretch
diff -Nru libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
--- libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 1970-01-01 09:00:00.0 +0900
+++ libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 2018-08-03 13:26:45.0 +0900
@@ -0,0 +1,25 @@
+Allow apparmor access host resource and process cmdline
+These polociy conflicts were fixed in upstream.
+--- a/examples/apparmor/libvirt-qemu
++++ b/examples/apparmor/libvirt-qemu
+@@ -21,6 +21,10 @@
+ /dev/ptmx rw,
+ /dev/kqemu rw,
+ @{PROC}/*/status r,
++ # When qemu is signaled to terminate, it will read cmdline of signaling
++ # process for reporting purposes. Allowing read access to a process
++ # cmdline may leak sensitive information embedded in the cmdline.
++ @{PROC}/@{pid}/cmdline r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+@@ -152,3 +156,9 @@
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
++
++ # for gathering information about available host resources
++ /sys/devices/system/cpu/ r,
++ /sys/devices/system/node/ r,
++ /sys/devices/system/node/node[0-9]*/meminfo r,
++ /sys/module/vhost/parameters/max_mem_regions r,
```
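Review bot: the changelog hunk is a local test build, not a stable update: `3.0.0-4+deb9u3.ownbuild` with distribution `UNRELEASED` and a "Non-maintainer upload." line. For stretch it needs the next stable revision (`3.0.0-4+deb9u4`), distribution `stretch`, and the entry should close this report, e.g. `* apparmor: allow access to host resources and process cmdline (Closes: #905339)`, so the BTS is updated automatically on upload. The patch is also named differently in the changelog (`Allow-access-host-resource-and-cmdline.patch`) and on disk (`apparmor-allow-access-host-resource-and-cmdline.patch`).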
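Review bot: the `@@ -0,0 +1,25 @@` hunk adds a patch file with no DEP-3 headers, so nobody reading the package later can tell where these rules come from; add `Origin:` lines pointing at the two upstream commits from the report (e7f5d627f93c1c71260d2a795a1227b16b0d3186 and 0af5ced4b81b68be7016d1f8755db3d0c3249278) and `Bug-Debian: https://bugs.debian.org/905339`, and fix "polociy" in the description. On the rule itself: `@{PROC}/@{pid}/cmdline r,` intentionally carries no `owner` qualifier, and the report shows why: the denied open is `name="/proc/548/cmdline"` by `pid=1307` with `fsuid=64055` and `ouid=0`, i.e. the confined qemu reading the cmdline of a root-owned process, which an `owner` rule would still deny. The in-profile comment already states that this lets qemu read any process's command line, including anything sensitive passed on it; that is upstream's trade-off, but it is the security-relevant part of this update and deserves a sentence in the changelog so stable users know what the point release changes. The sysfs entries (`/sys/devices/system/cpu/`, `/sys/devices/system/node/`, `.../node[0-9]*/meminfo`, `/sys/module/vhost/parameters/max_mem_regions`) are read-only and match the denials in the log.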
Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor
Hi,
On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> Package: libvirt-daemon-system
> Version: 3.0.0-4+deb9u3
> Severity: normal
> X-Debbugs-Cc: appar...@packages.debian.org
>
> Dear maintainers, (CCed: apparmor-maintainers)
>
> I had enabled AppArmor on my Debian stretch machine.
> I found that some of libvirt's open operations are DENIED by AppArmor.
> Please see below.
>
> ```
> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> ```
>
> These policy conflicts were fixed upstream.
>
> I attached a patch which I backported from these commits.
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
>
> Would you apply this patch for stretch?

Can you provide a debdiff for a fixed package?
 -- Guido
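A triage helper for denials like the ones quoted in this report, added here as an example (not code from libvirt or the Debian package): it parses the `type=1400` audit lines qemu produced, deduplicates them per profile and path, and derives the candidate file rule for the shared libvirt-qemu abstraction that every `libvirt-<uuid>` profile includes, flagging where `fsuid` and `ouid` differ so that an `owner` rule could not have matched. The sample lines are copied from the report; the rules it emits are the ones the backported patch adds.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example, not libvirt or Debian code. /proc/<pid>/ paths are
generalised to @{PROC}/@{pid}/; an `owner` qualifier is only offered
when the file's owner (ouid) equals the confined task's fsuid.
"""
import re
from collections import OrderedDict

# Constructed sample: three of the denials quoted in the bug report.
SAMPLE_LOG = """\
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
"""

# key="quoted value" or key=bare pairs, as written by the AppArmor LSM.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        events.append({k: q or b for k, q, b in _KV.findall(line)})
    return events


def profile_rule(event):
    """Map one denial to (rule, note) for the libvirt-qemu abstraction.

    The note is set when the file belongs to another uid: `owner` would
    still be denied, so the rule necessarily reaches other users' files.
    """
    path = re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', event['name'])
    mask = event['requested_mask']
    if event['fsuid'] == event['ouid']:
        return 'owner %s %s,' % (path, mask), ''
    note = "ouid %s != fsuid %s: `owner` would not match; rule reaches other processes' files" % (event['ouid'], event['fsuid'])
    return '%s %s,' % (path, mask), note


def triage(text):
    """Deduplicate by (profile, path, mask), keeping first-seen order."""
    rules = OrderedDict()
    for ev in parse_denials(text):
        key = (ev['profile'], ev['name'], ev['requested_mask'])
        rules.setdefault(key, profile_rule(ev))
    return rules


if __name__ == '__main__':
    for (profile, _, _), (rule, note) in triage(SAMPLE_LOG).items():
        print('%s: %s%s' % (profile, rule, '  # ' + note if note else ''))
```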