Bug#905339: Some open operations are DENIED by AppArmor
Hi,

On 2018-08-04 11:06, intrigeri wrote:
> Control: tag -1 + moreinfo
>
> Hi,
>
> Haruki TSURUMOTO:
> > I had enabled AppArmor on my debian stretch machine.
> > I found some of libvirt's open operations are DENIED by apparmor.
>
> Indeed, the AppArmor policy for libvirt has been improved a lot since
> Stretch, where it's far from being perfect.
>
> > Would you apply this patch for stretch?
>
> (I'm not the libvirt maintainer but I work on AppArmor in Debian.)
>
> I would happily work on backports for Stretch of fixes to user-visible
> issues in the AppArmor policy. I probably won't have time to work on
> fixes to issues that have no perceivable user impact apart from noise
> in the logs. Could you please extract from your proposed patch the
> subset that fits into the first category?
>
> Cheers,

I am checking whether there are any user inconveniences. libvirt collects the host's resources for an unknown reason. IMO, I think there is some user inconvenience there. Anyway, the DENIED log was noisy for me.
Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor
Hi,

sorry for my late reply.

On 2018-08-03 20:42, Guido Günther wrote:
> Hi,
> thanks. Some comments inline below:
>
> On Fri, Aug 03, 2018 at 08:23:21PM +0800, Haruki TSURUMOTO wrote:
> > Hi,
> >
> > On 2018-08-03 19:58, Guido Günther wrote:
> > > Hi,
> > > On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> > > > Package: libvirt-daemon-system
> > > > Version: 3.0.0-4+deb9u3
> > > > Severity: normal
> > > > X-Debbugs-Cc: appar...@packages.debian.org
> > > >
> > > > Dear maintainers, (CCed: apparmor-maintainers)
> > > >
> > > > I had enabled AppArmor on my debian stretch machine.
> > > > I found some of libvirt's open operations are DENIED by apparmor.
> > > > Please see below.
> > > >
> > > > ```
> > > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > ```
> > > >
> > > > These policy conflicts were fixed upstream.
> > > >
> > > > I attached a patch which I backported from these commits.
> > > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> > > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> > > >
> > > > Would you apply this patch for stretch?
> > >
> > > Can you provide a debdiff for a fixed package?
> > >  -- Guido
> >
> > The debdiff is here:
>
> Is this a *tested* debdiff?

Yes, I installed my own build of the package and tested it.
I attach a new debdiff. Does this qualify for the condition?

```diff
diff -Nru libvirt-3.0.0/debian/changelog libvirt-3.0.0/debian/changelog
--- libvirt-3.0.0/debian/changelog 2018-03-13 03:11:51.0 +0900
+++ libvirt-3.0.0/debian/changelog 2018-08-03 21:53:49.0 +0900
@@ -1,3 +1,10 @@
+libvirt (3.0.0-4+deb9u4) stretch; urgency=medium
+
+ * apparmor: apply apparmor-allow-access-host-resources-and-cmdline.patch
+(Closes: #905339)
+
+ -- Haruki TSURUMOTO Fri, 03 Aug 2018 21:53:49 +0900
+
 libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
 * gbp: switch branch to stretch
diff -Nru libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch
--- libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch 1970-01-01 09:00:00.0 +0900
+++ libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch 2018-08-03 21:53:49.0 +0900
@@ -0,0 +1,25 @@
+Allow apparmor access host resources and process cmdline
+These policy conflicts were fixed in upstream.
+--- a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+@@ -21,6 +21,10 @@
+ /dev/ptmx rw,
+ /dev/kqemu rw,
+ @{PROC}/*/status r,
++ # When qemu is signaled to terminate, it will read cmdline of signaling
++ # process for reporting purposes. Allowing read access to a process
++ # cmdline may leak sensitive information embedded in the cmdline.
++ @{PROC}/@{pid}/cmdline r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+@@ -152,3 +1
```
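Review bot: the header of the new debian/patches file (`+Allow apparmor access host resources and process cmdline` / `+These policy conflicts were fixed in upstream.`) still names no upstream commit, although the two libvirt.org commit URLs are in the bug report and the maintainer explicitly asked for them in the earlier review; as DEP-3 metadata, add an `Origin:` line per upstream commit URL and `Bug-Debian: https://bugs.debian.org/905339` above the `---` line, so the backport can be traced and dropped when the profile is next rebased. The excerpt also ends before any `debian/patches/series` change is shown, so confirm the new file is registered there, otherwise it ships without being applied.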
Bug#905339: Some open operations are DENIED by AppArmor
Control: tag -1 + moreinfo

Hi,

Haruki TSURUMOTO:
> I had enabled AppArmor on my debian stretch machine.
> I found some of libvirt's open operations are DENIED by apparmor.

Indeed, the AppArmor policy for libvirt has been improved a lot since Stretch, where it's far from being perfect.

> Would you apply this patch for stretch?

(I'm not the libvirt maintainer but I work on AppArmor in Debian.)

I would happily work on backports for Stretch of fixes to user-visible issues in the AppArmor policy. I probably won't have time to work on fixes to issues that have no perceivable user impact apart from noise in the logs. Could you please extract from your proposed patch the subset that fits into the first category?

Cheers,
-- 
intrigeri
Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor
Hi,
thanks. Some comments inline below:

On Fri, Aug 03, 2018 at 08:23:21PM +0800, Haruki TSURUMOTO wrote:
> Hi,
>
> On 2018-08-03 19:58, Guido Günther wrote:
> > Hi,
> > On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> > > Package: libvirt-daemon-system
> > > Version: 3.0.0-4+deb9u3
> > > Severity: normal
> > > X-Debbugs-Cc: appar...@packages.debian.org
> > >
> > > Dear maintainers, (CCed: apparmor-maintainers)
> > >
> > > I had enabled AppArmor on my debian stretch machine.
> > > I found some of libvirt's open operations are DENIED by apparmor.
> > > Please see below.
> > >
> > > ```
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > ```
> > >
> > > These policy conflicts were fixed upstream.
> > >
> > > I attached a patch which I backported from these commits.
> > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> > >
> > > Would you apply this patch for stretch?
> >
> > Can you provide a debdiff for a fixed package?
> >  -- Guido
>
> The debdiff is here:

Is this a *tested* debdiff?

> ```
> diff -Nru libvirt-3.0.0/debian/changelog libvirt-3.0.0/debian/changelog
> --- libvirt-3.0.0/debian/changelog 2018-03-13 03:11:51.0 +0900
> +++ libvirt-3.0.0/debian/changelog 2018-08-03 13:26:45.0 +0900
> @@ -1,3 +1,10 @@
> +libvirt (3.0.0-4+deb9u3.ownbuild) UNRELEASED; urgency=medium
> +
> + * Non-maintainer upload.
> + * apparmor: Allow-access-host-resource-and-cmdline.patch

Closes: #xyz

> +
> + -- Haruki TSURUMOTO Fri, 03 Aug 2018 13:26:45 +0900
> +
>  libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
>
>  * gbp: switch branch to stretch
> diff -Nru libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
> --- libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 1970-01-01 09:00:00.0 +0900
> +++ libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 2018-08-03 13:26:45.0 +0900
> @@ -0,0 +1,25 @@
> +Allow apparmor access host resource and process cmdline

Allow apparmor access to host resources and process cmdline

> +These polociy conflicts were fixed in upstream.

Please add the links to the upstream commits here.

I'll try to squeeze this into a point release then.
Cheers,
 -- Guido

> +--- a/examples/apparmor/libvirt-qemu
> b/examples/apparmor/libvirt-qemu
> +@@ -21,6 +21,10 @@
> + /dev/ptmx rw,
> +
Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor
Hi,

On 2018-08-03 19:58, Guido Günther wrote:
> Hi,
> On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> > Package: libvirt-daemon-system
> > Version: 3.0.0-4+deb9u3
> > Severity: normal
> > X-Debbugs-Cc: appar...@packages.debian.org
> >
> > Dear maintainers, (CCed: apparmor-maintainers)
> >
> > I had enabled AppArmor on my debian stretch machine.
> > I found some of libvirt's open operations are DENIED by apparmor.
> > Please see below.
> >
> > ```
> > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > ```
> >
> > These policy conflicts were fixed upstream.
> >
> > I attached a patch which I backported from these commits.
> > https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> > https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> >
> > Would you apply this patch for stretch?
>
> Can you provide a debdiff for a fixed package?
>  -- Guido

The debdiff is here:

```diff
diff -Nru libvirt-3.0.0/debian/changelog libvirt-3.0.0/debian/changelog
--- libvirt-3.0.0/debian/changelog 2018-03-13 03:11:51.0 +0900
+++ libvirt-3.0.0/debian/changelog 2018-08-03 13:26:45.0 +0900
@@ -1,3 +1,10 @@
+libvirt (3.0.0-4+deb9u3.ownbuild) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * apparmor: Allow-access-host-resource-and-cmdline.patch
+
+ -- Haruki TSURUMOTO Fri, 03 Aug 2018 13:26:45 +0900
+
 libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
 * gbp: switch branch to stretch
diff -Nru libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
--- libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 1970-01-01 09:00:00.0 +0900
+++ libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 2018-08-03 13:26:45.0 +0900
@@ -0,0 +1,25 @@
+Allow apparmor access host resource and process cmdline
+These polociy conflicts were fixed in upstream.
+--- a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+@@ -21,6 +21,10 @@
+ /dev/ptmx rw,
+ /dev/kqemu rw,
+ @{PROC}/*/status r,
++ # When qemu is signaled to terminate, it will read cmdline of signaling
++ # process for reporting purposes. Allowing read access to a process
++ # cmdline may leak sensitive information embedded in the cmdline.
++ @{PROC}/@{pid}/cmdline r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+@@ -152,3 +156,9 @@
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
++
++ # for gathering information about available host resources
++ /sys/devices/system/cpu/ r,
++ /sys/devices/system/node/ r,
++ /sys/devices/system/node/node[0-9]*/meminfo r,
++ /sys/module/vhost/parameters/max_mem_regions r,
d
```
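Review bot: the changelog hunk (`@@ -1,3 +1,10 @@`) is not in uploadable shape for a stable update: it targets `UNRELEASED` with the ad-hoc version `3.0.0-4+deb9u3.ownbuild`, carries a `* Non-maintainer upload.` line that is wrong for a change the maintainer will upload, and the patch entry closes no bug. Target `stretch` with the next `+deb9uN` revision and append `(Closes: #905339)` to the apparmor entry, as the later debdiff in this thread does; the patch file name in the entry (`Allow-access-host-resource-and-cmdline.patch`) also differs in case from the file actually added (`apparmor-allow-access-host-resource-and-cmdline.patch`).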
Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor
Hi,
On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> Package: libvirt-daemon-system
> Version: 3.0.0-4+deb9u3
> Severity: normal
> X-Debbugs-Cc: appar...@packages.debian.org
>
> Dear maintainers, (CCed: apparmor-maintainers)
>
> I had enabled AppArmor on my debian stretch machine.
> I found some of libvirt's open operations are DENIED by apparmor.
> Please see below.
>
> ```
> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> ```
>
> These policy conflicts were fixed upstream.
>
> I attached a patch which I backported from these commits.
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
>
> Would you apply this patch for stretch?

Can you provide a debdiff for a fixed package?
 -- Guido
Bug#905339: Some open operations are DENIED by AppArmor
Package: libvirt-daemon-system
Version: 3.0.0-4+deb9u3
Severity: normal
X-Debbugs-Cc: appar...@packages.debian.org

Dear maintainers, (CCed: apparmor-maintainers)

I had enabled AppArmor on my debian stretch machine.
I found some of libvirt's open operations are DENIED by apparmor.
Please see below.

```
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [ 54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
```

These policy conflicts were fixed upstream.

I attached a patch which I backported from these commits.
https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278

Would you apply this patch for stretch?

Regards,

```diff
Allow apparmor access host resource and process cmdline
These polociy conflicts were fixed in upstream.
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -21,6 +21,10 @@
 /dev/ptmx rw,
 /dev/kqemu rw,
 @{PROC}/*/status r,
+ # When qemu is signaled to terminate, it will read cmdline of signaling
+ # process for reporting purposes. Allowing read access to a process
+ # cmdline may leak sensitive information embedded in the cmdline.
+ @{PROC}/@{pid}/cmdline r,
 # Per man(5) proc, the kernel enforces that a thread may
 # only modify its comm value or those in its thread group.
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@@ -152,3 +156,9 @@
 /etc/udev/udev.conf r,
 /sys/bus/ r,
 /sys/class/ r,
+
+ # for gathering information about available host resources
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/node[0-9]*/meminfo r,
+ /sys/module/vhost/parameters/max_mem_regions r,
```
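Review bot: the `@{PROC}/@{pid}/cmdline r,` rule in the first hunk (`@@ -21,6 +21,10 @@`) is not `owner`-qualified, unlike the `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` rule a few lines below it, so the confined qemu process (fsuid=64055 in the audit lines) can read the command line of any process on the host, including root-owned ones like the `/proc/548/cmdline` entry with `ouid=0` that was denied. The hunk's own comment says a process cmdline may carry sensitive data, so record in the patch header or changelog that this widening is accepted deliberately to match upstream; note that `owner` would not resolve the reported denial, because the denied file's owner (uid 0) differs from qemu's fsuid.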
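Review bot: in the second hunk (`@@ -152,3 +156,9 @@`) the trailing-slash rules `/sys/devices/system/cpu/ r,` and `/sys/devices/system/node/ r,` permit reading the directory entries only, which exactly matches the logged `name="/sys/devices/system/node/"` and `name="/sys/devices/system/cpu/"` denials and is the minimal grant; the `/sys/devices/system/node/node[0-9]*/meminfo r,` rule, however, corresponds to no denial in the report, so please state in the submission whether it was exercised in the tested build or is carried over from the upstream commit unchanged, so the reviewer can see the profile is not widened beyond what was observed.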
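As an added example (not part of the bug report, nor libvirt or AppArmor project code), the script below parses audit lines of the format shown above and checks which distinct denials the patch's new rules would cover, giving a de-duplicated list to start the "noise vs. user-visible" split the AppArmor maintainer asked for. It assumes the classic tunables `@{PROC}` = `/proc` and `@{pid}` = `[0-9]*`, implements only the glob features the patch uses, and works on a constructed log sample modelled on the report's lines.

```python
"""Triage AppArmor DENIED audit lines against candidate profile rules.
Assumes @{PROC} -> /proc and @{pid} -> [0-9]* (classic tunables) and
implements only the glob features the patch uses (`*`, `**`, `[...]`)."""
import re

# Constructed sample modelled on the report's lines (hostname shortened).
# The last line is a non-DENIED event that the parser must skip.
SAMPLE_LOG = """\
Jul 30 20:35:22 nuc1 kernel: [ 39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 nuc1 kernel: [ 39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 nuc1 kernel: [ 39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 31 12:51:24 nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 31 12:51:24 nuc1 kernel: [58602.024400] audit: type=1400 audit(1533009084.690:50): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" pid=2201 comm="apparmor_parser"
"""
# The rules the backported patch adds to examples/apparmor/libvirt-qemu.
PATCH_RULES = [
    "@{PROC}/@{pid}/cmdline r,",
    "/sys/devices/system/cpu/ r,",
    "/sys/devices/system/node/ r,",
    "/sys/devices/system/node/node[0-9]*/meminfo r,",
    "/sys/module/vhost/parameters/max_mem_regions r,",
]
VARIABLES = {"@{PROC}": "/proc", "@{pid}": "[0-9]*", "@{tid}": "[0-9]*"}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
GLOB_TOKEN = re.compile(r"\*\*|\*|\[[^\]]*\]|.")       # longest-first tokenizer

def parse_denials(log_text):
    """Return one {field: value} dict per line whose apparmor status is DENIED."""
    events = []
    for line in log_text.splitlines():
        fields = {k: q or u for k, q, u in FIELD_RE.findall(line)}
        if fields.get("apparmor") == "DENIED":
            events.append(fields)
    return events

def rule_to_regex(path_glob):
    """Translate an AppArmor path glob into a regex used with fullmatch()."""
    for var, value in VARIABLES.items():
        path_glob = path_glob.replace(var, value)
    special = {"**": ".*", "*": "[^/]*"}   # ** crosses '/', * does not
    return re.compile("".join(
        special.get(t, t if t.startswith("[") else re.escape(t))
        for t in GLOB_TOKEN.findall(path_glob)))

def parse_rule(rule):
    """Split 'owner /path/glob rw,' into (compiled regex, permission set)."""
    path_glob, perms = [p for p in rule.strip().rstrip(",").split() if p != "owner"]
    return rule_to_regex(path_glob), set(perms)

def triage(log_text, rules):
    """Map each distinct (profile, path, mask) denial to the first covering rule, else None."""
    compiled = [(r, *parse_rule(r)) for r in rules]
    result = {}
    for ev in parse_denials(log_text):
        key = (ev["profile"], ev["name"], ev["requested_mask"])
        if key not in result:
            result[key] = next((r for r, rx, perms in compiled
                                if rx.fullmatch(ev["name"])
                                and set(ev["requested_mask"]) <= perms), None)
    return result

def uncovered(log_text, rules):
    """Paths a rule set still leaves denied: the list to classify as noise or breakage."""
    return sorted({name for (_, name, _), r in triage(log_text, rules).items() if r is None})

if __name__ == "__main__":
    for (_, name, mask), rule in triage(SAMPLE_LOG, PATCH_RULES).items():
        print(f"{name:48} {mask:3} -> {rule or 'NOT COVERED'}")
```

Running `uncovered(SAMPLE_LOG, PATCH_RULES[1:])` shows what dropping the cmdline rule would leave denied, which is the kind of per-rule split the maintainer's question calls for.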