Bug#905339: Some open operations are DENIED by AppArmor

2018-08-11 Thread Haruki TSURUMOTO

Hi,

On 2018-08-04 11:06, intrigeri wrote:
> Control: tag -1 + moreinfo
> 
> Hi,
> 
> Haruki TSURUMOTO:
> > I had enabled AppArmor on my debian stretch machine.
> > I found some libvirt's open operations are DENIED by apparmor.
> 
> Indeed, the AppArmor policy for libvirt has been improved a lot since
> Stretch, where it's far from being perfect.
> 
> > Would you apply this patch for stretch?
> 
> (I'm not the libvirt maintainer but I work on AppArmor in Debian.)
> 
> I would happily work on backports for Stretch of fixes to user-visible
> issues in the AppArmor policy. I probably won't have time to work on
> fixes to issues that have no perceivable user impact apart from noise in
> the logs. Could you please extract from your proposed patch the subset
> that fits into the first category?
> 
> Cheers,

I am looking into whether there are any user inconveniences.
libvirt collects the host's resources for an unknown reason.
IMO, I think there is some user inconvenience.

Anyway, the DENIED log was noisy for me.



Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor

2018-08-11 Thread Haruki TSURUMOTO

Hi, sorry for my late reply.

On 2018-08-03 20:42, Guido Günther wrote:
> Hi,
> thanks. Some comments inline below:
> 
> On Fri, Aug 03, 2018 at 08:23:21PM +0800, Haruki TSURUMOTO wrote:
> > Hi,
> > 
> > On 2018-08-03 19:58, Guido Günther wrote:
> > > Hi,
> > > On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> > > > Package: libvirt-daemon-system
> > > > Version: 3.0.0-4+deb9u3
> > > > Severity: normal
> > > > X-Debbugs-Cc: appar...@packages.debian.org
> > > > 
> > > > Dear maintainers, (CCed: apparmor-maintainers)
> > > > 
> > > > I had enabled AppArmor on my debian stretch machine.
> > > > I found some libvirt's open operations are DENIED by apparmor.
> > > > Please see below.
> > > > 
> > > > ```
> > > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400
> > > > audit(1532950522.067:41): apparmor="DENIED" operation="open"
> > > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > > name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86"
> > > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400
> > > > audit(1532950522.067:42): apparmor="DENIED" operation="open"
> > > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > > name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86"
> > > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400
> > > > audit(1532950522.103:43): apparmor="DENIED" operation="open"
> > > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > > name="/sys/module/vhost/parameters/max_mem_regions" pid=1307
> > > > comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393592] audit: type=1400
> > > > audit(1532950536.959:46): apparmor="DENIED" operation="open"
> > > > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > > > name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86"
> > > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393648] audit: type=1400
> > > > audit(1532950536.959:47): apparmor="DENIED" operation="open"
> > > > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > > > name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86"
> > > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.404634] audit: type=1400
> > > > audit(1532950536.967:48): apparmor="DENIED" operation="open"
> > > > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > > > name="/sys/module/vhost/parameters/max_mem_regions" pid=1376
> > > > comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > > Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400
> > > > audit(1533009084.686:49): apparmor="DENIED" operation="open"
> > > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > > name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r"
> > > > denied_mask="r" fsuid=64055 ouid=0
> > > > ```
> > > > 
> > > > These policy conflicts were fixed in upstream.
> > > > 
> > > > I attached a patch which I backported from these commits.
> > > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> > > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> > > > 
> > > > Would you apply this patch for stretch?
> > > 
> > > Can you provide debdiff for a fixed package?
> > >    -- Guido
> > 
> > debdiff is here:
> 
> Is this a *tested* debdiff?

Yes, I installed my own build of the package and tested it.

I attach a new debdiff.
Does this qualify for the condition?
diff -Nru libvirt-3.0.0/debian/changelog libvirt-3.0.0/debian/changelog
--- libvirt-3.0.0/debian/changelog	2018-03-13 03:11:51.0 +0900
+++ libvirt-3.0.0/debian/changelog	2018-08-03 21:53:49.0 +0900
@@ -1,3 +1,10 @@
+libvirt (3.0.0-4+deb9u4) stretch; urgency=medium
+
+  * apparmor: apply apparmor-allow-access-host-resources-and-cmdline.patch
+(Closes: #905339)
+
+ -- Haruki TSURUMOTO   Fri, 03 Aug 2018 21:53:49 +0900
+
 libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
 
   * gbp: switch branch to stretch
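Review bot: the continuation line `+(Closes: #905339)` starts at column 0 in this hunk, so dpkg-parsechangelog will not treat it as part of the `* apparmor:` item and will reject the entry; indent it under the bullet, e.g. `+    (Closes: #905339)`, or keep it on the same line as the patch name. The version bump to `3.0.0-4+deb9u4` with distribution `stretch` is the right shape for the point release Guido mentioned.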
diff -Nru libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch
--- libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch	1970-01-01 09:00:00.0 +0900
+++ libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resources-and-cmdline.patch	2018-08-03 21:53:49.0 +0900
@@ -0,0 +1,25 @@
+Allow apparmor access host resources and process cmdline
+These policy conflicts were fixed in upstream.
+--- a/examples/apparmor/libvirt-qemu
 b/examples/apparmor/libvirt-qemu
+@@ -21,6 +21,10 @@
+   /dev/ptmx rw,
+   /dev/kqemu rw,
+   @{PROC}/*/status r,
++  # When qemu is signaled to terminate, it will read cmdline of signaling
++  # process for reporting purposes. Allowing read access to a process
++  # cmdline may leak sensitive information embedded in the cmdline.
++  @{PROC}/@{pid}/cmdline r,
+   # Per man(5) proc, the kernel enforces that a thread may
+   # only modify its comm value or those in its thread group.
+   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+@@ -152,3 +1

Bug#905339: Some open operations are DENIED by AppArmor

2018-08-03 Thread intrigeri
Control: tag -1 + moreinfo

Hi,

Haruki TSURUMOTO:

> I had enabled AppArmor on my debian stretch machine.
> I found some libvirt's open operations are DENIED by apparmor.

Indeed, the AppArmor policy for libvirt has been improved a lot since
Stretch, where it's far from being perfect.

> Would you apply this patch for stretch?

(I'm not the libvirt maintainer but I work on AppArmor in Debian.)

I would happily work on backports for Stretch of fixes to user-visible
issues in the AppArmor policy. I probably won't have time to work on
fixes to issues that have no perceivable user impact apart from noise in
the logs. Could you please extract from your proposed patch the subset
that fits into the first category?

Cheers,
-- 
intrigeri



Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor

2018-08-03 Thread Guido Günther
Hi,
thanks. Some comments inline below:

On Fri, Aug 03, 2018 at 08:23:21PM +0800, Haruki TSURUMOTO wrote:
> Hi,
> 
> On 2018年08月03日 19:58, Guido Günther wrote:
> > Hi,
> > On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> > > Package: libvirt-daemon-system
> > > Version: 3.0.0-4+deb9u3
> > > Severity: normal
> > > X-Debbugs-Cc: appar...@packages.debian.org
> > > 
> > > Dear maintainers, (CCed: apparmor-maintainers)
> > > 
> > > I had enabled AppArmor on my debian stretch machine.
> > > I found some libvirt's open operations are DENIED by apparmor.
> > > Please see below.
> > > 
> > > ```
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400
> > > audit(1532950522.067:41): apparmor="DENIED" operation="open"
> > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86"
> > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400
> > > audit(1532950522.067:42): apparmor="DENIED" operation="open"
> > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86"
> > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400
> > > audit(1532950522.103:43): apparmor="DENIED" operation="open"
> > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > name="/sys/module/vhost/parameters/max_mem_regions" pid=1307
> > > comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 
> > > ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393592] audit: type=1400
> > > audit(1532950536.959:46): apparmor="DENIED" operation="open"
> > > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > > name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86"
> > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393648] audit: type=1400
> > > audit(1532950536.959:47): apparmor="DENIED" operation="open"
> > > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > > name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86"
> > > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.404634] audit: type=1400
> > > audit(1532950536.967:48): apparmor="DENIED" operation="open"
> > > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > > name="/sys/module/vhost/parameters/max_mem_regions" pid=1376
> > > comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 
> > > ouid=0
> > > Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400
> > > audit(1533009084.686:49): apparmor="DENIED" operation="open"
> > > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > > name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" 
> > > requested_mask="r"
> > > denied_mask="r" fsuid=64055 ouid=0
> > > ```
> > > 
> > > These policy conflicts were fixed in upstream.
> > > 
> > > I attached a patch which I backported from these commits.
> > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> > > https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> > > 
> > > Would you apply this patch for stretch?
> > Can you provide debdiff for a fixed package?
> >   -- Guido
> debdiff is here:

Is this a *tested* debdiff?

> ```
> diff -Nru libvirt-3.0.0/debian/changelog libvirt-3.0.0/debian/changelog
> --- libvirt-3.0.0/debian/changelog    2018-03-13 03:11:51.0 +0900
> +++ libvirt-3.0.0/debian/changelog    2018-08-03 13:26:45.0 +0900
> @@ -1,3 +1,10 @@
> +libvirt (3.0.0-4+deb9u3.ownbuild) UNRELEASED; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * apparmor: Allow-access-host-resource-and-cmdline.patch

Closes: #xyz

> +
> + -- Haruki TSURUMOTO   Fri, 03 Aug 2018 13:26:45 +0900
> +
>  libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
> 
>    * gbp: switch branch to stretch
> diff -Nru 
> libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
>  
> libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
> --- 
> libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
> 1970-01-01 09:00:00.0 +0900
> +++ 
> libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
> 2018-08-03 13:26:45.0 +0900
> @@ -0,0 +1,25 @@
> +Allow apparmor access host resource and process cmdline

Allow apparmor access to host resources and process cmdline

> +These polociy conflicts were fixed in upstream.

Please add the links to the upstream commits here.

I'll try to squeeze this into a point release then.
Cheers,
 -- Guido

> +--- a/examples/apparmor/libvirt-qemu
>  b/examples/apparmor/libvirt-qemu
> +@@ -21,6 +21,10 @@
> +   /dev/ptmx rw,
> +  

Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor

2018-08-03 Thread Haruki TSURUMOTO

Hi,

On 2018-08-03 19:58, Guido Günther wrote:
> Hi,
> On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> > Package: libvirt-daemon-system
> > Version: 3.0.0-4+deb9u3
> > Severity: normal
> > X-Debbugs-Cc: appar...@packages.debian.org
> > 
> > Dear maintainers, (CCed: apparmor-maintainers)
> > 
> > I had enabled AppArmor on my debian stretch machine.
> > I found some libvirt's open operations are DENIED by apparmor.
> > Please see below.
> > 
> > ```
> > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400
> > audit(1532950522.067:41): apparmor="DENIED" operation="open"
> > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86"
> > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400
> > audit(1532950522.067:42): apparmor="DENIED" operation="open"
> > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86"
> > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400
> > audit(1532950522.103:43): apparmor="DENIED" operation="open"
> > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > name="/sys/module/vhost/parameters/max_mem_regions" pid=1307
> > comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393592] audit: type=1400
> > audit(1532950536.959:46): apparmor="DENIED" operation="open"
> > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86"
> > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393648] audit: type=1400
> > audit(1532950536.959:47): apparmor="DENIED" operation="open"
> > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86"
> > requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.404634] audit: type=1400
> > audit(1532950536.967:48): apparmor="DENIED" operation="open"
> > profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> > name="/sys/module/vhost/parameters/max_mem_regions" pid=1376
> > comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> > Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400
> > audit(1533009084.686:49): apparmor="DENIED" operation="open"
> > profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> > name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r"
> > denied_mask="r" fsuid=64055 ouid=0
> > ```
> > 
> > These policy conflicts were fixed in upstream.
> > 
> > I attached a patch which I backported from these commits.
> > https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> > https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> > 
> > Would you apply this patch for stretch?
> 
> Can you provide debdiff for a fixed package?
>   -- Guido

debdiff is here:
```
diff -Nru libvirt-3.0.0/debian/changelog libvirt-3.0.0/debian/changelog
--- libvirt-3.0.0/debian/changelog    2018-03-13 03:11:51.0 +0900
+++ libvirt-3.0.0/debian/changelog    2018-08-03 13:26:45.0 +0900
@@ -1,3 +1,10 @@
+libvirt (3.0.0-4+deb9u3.ownbuild) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * apparmor: Allow-access-host-resource-and-cmdline.patch
+
+ -- Haruki TSURUMOTO   Fri, 03 Aug 2018 13:26:45 +0900
+
 libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high

   * gbp: switch branch to stretch
diff -Nru 
libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 
libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch
--- 
libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 
1970-01-01 09:00:00.0 +0900
+++ 
libvirt-3.0.0/debian/patches/apparmor-allow-access-host-resource-and-cmdline.patch 
2018-08-03 13:26:45.0 +0900

@@ -0,0 +1,25 @@
+Allow apparmor access host resource and process cmdline
+These polociy conflicts were fixed in upstream.
+--- a/examples/apparmor/libvirt-qemu
 b/examples/apparmor/libvirt-qemu
+@@ -21,6 +21,10 @@
+   /dev/ptmx rw,
+   /dev/kqemu rw,
+   @{PROC}/*/status r,
++  # When qemu is signaled to terminate, it will read cmdline of signaling
++  # process for reporting purposes. Allowing read access to a process
++  # cmdline may leak sensitive information embedded in the cmdline.
++  @{PROC}/@{pid}/cmdline r,
+   # Per man(5) proc, the kernel enforces that a thread may
+   # only modify its comm value or those in its thread group.
+   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+@@ -152,3 +156,9 @@
+   /etc/udev/udev.conf r,
+   /sys/bus/ r,
+   /sys/class/ r,
++
++  # for gathering information about available host resources
++  /sys/devices/system/cpu/ r,
++  /sys/devices/system/node/ r,
++  /sys/devices/system/node/node[0-9]*/meminfo r,
++  /sys/module/vhost/parameters/max_mem_regions r,
```

Bug#905339: [Pkg-libvirt-maintainers] Bug#905339: Some open operations are DENIED by AppArmor

2018-08-03 Thread Guido Günther
Hi,
On Fri, Aug 03, 2018 at 07:31:33PM +0800, Haruki TSURUMOTO wrote:
> Package: libvirt-daemon-system
> Version: 3.0.0-4+deb9u3
> Severity: normal
> X-Debbugs-Cc: appar...@packages.debian.org
> 
> Dear maintainers, (CCed: apparmor-maintainers)
> 
> I had enabled AppArmor on my debian stretch machine.
> I found some libvirt's open operations are DENIED by apparmor.
> Please see below.
> 
> ```
> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400
> audit(1532950522.067:41): apparmor="DENIED" operation="open"
> profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400
> audit(1532950522.067:42): apparmor="DENIED" operation="open"
> profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400
> audit(1532950522.103:43): apparmor="DENIED" operation="open"
> profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> name="/sys/module/vhost/parameters/max_mem_regions" pid=1307
> comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393592] audit: type=1400
> audit(1532950536.959:46): apparmor="DENIED" operation="open"
> profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393648] audit: type=1400
> audit(1532950536.959:47): apparmor="DENIED" operation="open"
> profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.404634] audit: type=1400
> audit(1532950536.967:48): apparmor="DENIED" operation="open"
> profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f"
> name="/sys/module/vhost/parameters/max_mem_regions" pid=1376
> comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
> Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400
> audit(1533009084.686:49): apparmor="DENIED" operation="open"
> profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
> name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r"
> denied_mask="r" fsuid=64055 ouid=0
> ```
> 
> These policy conflicts were fixed in upstream.
> 
> I attached a patch which I backported from these commits.
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
> https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278
> 
> Would you apply this patch for stretch?

Can you provide debdiff for a fixed package?
 -- Guido
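The DENIED records quoted above are the raw material for a profile fix. As an added illustration, not code from this bug report, from libvirt or from the AppArmor tools, the following Python script does in miniature what `aa-logprof` does: it re-joins the audit records (which the mail archive wraps across several lines), parses the `key=value` fields, and emits the candidate file rules per profile, generalizing `/proc/<pid>/` to `@{PROC}/@{pid}/` the way the upstream commit does. The sample log is constructed from the lines in the report; the `owner` heuristic (prefix the rule with `owner` only when `fsuid` equals `ouid`) and the review flag on `cmdline` reads are my own additions, not part of any AppArmor tool.

```python
"""Turn AppArmor "DENIED" audit records into candidate profile rules.

Added example, not code from the bug report, libvirt or AppArmor upstream.
"""
import re
from collections import defaultdict

# Constructed sample: three of the records quoted in the bug report, wrapped
# across lines exactly as the mail archive shows them.
SAMPLE_LOG = """\
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400
audit(1532950522.067:41): apparmor="DENIED" operation="open"
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400
audit(1532950522.067:42): apparmor="DENIED" operation="open"
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86"
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400
audit(1533009084.686:49): apparmor="DENIED" operation="open"
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506"
name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r"
denied_mask="r" fsuid=64055 ouid=0
"""

# A record starts with a syslog timestamp ("Jul 30 20:35:22 "); anything else
# is a continuation of the previous record.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
# key="quoted value" or key=bareword, as the kernel audit layer prints them.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PROC_PID = re.compile(r"^/proc/\d+/")
# Rules that let the confined process read other processes' data get flagged.
SENSITIVE = ("@{PROC}/@{pid}/cmdline",)


def unwrap(text):
    """Re-join records that a mailer (or a narrow terminal) wrapped."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_record(record):
    """Return the key=value fields of one audit record as a dict of strings."""
    fields = {}
    for key, raw, quoted in KV.findall(record):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def suggest_rule(fields):
    """Build the file rule that would permit one denied open, or None.

    /proc/<pid>/ is generalized with AppArmor's @{PROC}/@{pid} variables.
    'owner' is added only when the file's uid matches the process's fsuid;
    for the cmdline denial in the report fsuid=64055 but ouid=0, so an
    owner-restricted rule would not have resolved it (heuristic, mine).
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "open":
        return None
    path = PROC_PID.sub("@{PROC}/@{pid}/", fields["name"])
    owner = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
    return f"{owner}{path} {fields['denied_mask']},"


def rules_by_profile(text):
    """Map each profile name to a sorted, de-duplicated list of rules."""
    out = defaultdict(set)
    for record in unwrap(text):
        fields = parse_record(record)
        rule = suggest_rule(fields)
        if rule:
            out[fields["profile"]].add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}


def review(text):
    """Render the rules, marking those that widen access to other processes."""
    lines = []
    for profile, rules in rules_by_profile(text).items():
        lines.append(f"# profile {profile}")
        for rule in rules:
            flag = "   # REVIEW: reads other processes' data" if any(
                s in rule for s in SENSITIVE) else ""
            lines.append(f"  {rule}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(review(SAMPLE_LOG)))
```

Running it prints the three rules for the `libvirt-2453a1d1-…` profile, with the `cmdline` rule flagged; for a live system, pipe in the kernel log lines instead of `SAMPLE_LOG`. The flag is the point of the exercise: adding every denied path verbatim silences the log, but a rule such as `@{PROC}/@{pid}/cmdline r,` changes what the guest's qemu process can observe on the host, which is exactly the trade-off the upstream comment in the patch records.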



Bug#905339: Some open operations are DENIED by AppArmor

2018-08-03 Thread Haruki TSURUMOTO

Package: libvirt-daemon-system
Version: 3.0.0-4+deb9u3
Severity: normal
X-Debbugs-Cc: appar...@packages.debian.org

Dear maintainers, (CCed: apparmor-maintainers)

I had enabled AppArmor on my debian stretch machine.
I found some libvirt's open operations are DENIED by apparmor.
Please see below.

```
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400 
audit(1532950522.067:41): apparmor="DENIED" operation="open" 
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" 
name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" 
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400 
audit(1532950522.067:42): apparmor="DENIED" operation="open" 
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" 
name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" 
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400 
audit(1532950522.103:43): apparmor="DENIED" operation="open" 
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" 
name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393592] audit: type=1400 
audit(1532950536.959:46): apparmor="DENIED" operation="open" 
profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" 
name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" 
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393648] audit: type=1400 
audit(1532950536.959:47): apparmor="DENIED" operation="open" 
profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" 
name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" 
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.404634] audit: type=1400 
audit(1532950536.967:48): apparmor="DENIED" operation="open" 
profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" 
name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 
comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 
audit(1533009084.686:49): apparmor="DENIED" operation="open" 
profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" 
name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" 
requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

```

These policy conflicts were fixed in upstream.

I attached a patch which I backported from these commits.
https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278

Would you apply this patch for stretch?

Regards,

Allow apparmor access to host resources and process cmdline
These policy conflicts were fixed in upstream.
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -21,6 +21,10 @@
   /dev/ptmx rw,
   /dev/kqemu rw,
   @{PROC}/*/status r,
+  # When qemu is signaled to terminate, it will read cmdline of signaling
+  # process for reporting purposes. Allowing read access to a process
+  # cmdline may leak sensitive information embedded in the cmdline.
+  @{PROC}/@{pid}/cmdline r,
   # Per man(5) proc, the kernel enforces that a thread may
   # only modify its comm value or those in its thread group.
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
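Review bot: `@{PROC}/@{pid}/cmdline r,` grants the confined qemu read access to the cmdline of every process on the host, not only its own, and the in-line comment acknowledges that this can leak secrets passed on other processes' command lines. An `owner` qualifier, as used on the `comm` rule just below, would not resolve the denial reported here: the log shows `fsuid=64055 ouid=0`, i.e. the file belongs to root while qemu runs as a different, unprivileged uid. That trade-off belongs in the patch header so whoever accepts this for stretch sees that the rule widens, not narrows, the profile.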
@@ -152,3 +156,9 @@
   /etc/udev/udev.conf r,
   /sys/bus/ r,
   /sys/class/ r,
+
+  # for gathering information about available host resources
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/node/ r,
+  /sys/devices/system/node/node[0-9]*/meminfo r,
+  /sys/module/vhost/parameters/max_mem_regions r,
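Review bot: the two free-text lines at the top of this patch file should become DEP-3 headers so the backport records where it came from, which is also what Guido asked for: `Description: apparmor: allow access to host resources and process cmdline`, `Origin: backport, <the two libvirt.org commit URLs quoted in the report>`, `Bug-Debian: https://bugs.debian.org/905339`. Within this hunk, `/sys/devices/system/node/node[0-9]*/meminfo r,` is carried over from upstream although no denial for it appears in the posted log; a sentence in the header noting that it is kept for parity with the upstream commit would save the next reviewer the same question.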