@sgofferj
could you provide a .xml file for use in the test case in the
description?
** Changed in: libvirt (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: libvirt (Ubuntu Utopic)
Importance: Undecided => Medium
** Changed in: libvirt (Ubuntu Trusty)
Status: New => Confirmed
** Changed in: libvirt (Ubuntu Utopic)
Status: New => Confirmed
** Description changed:
+ ========================================================
+ Impact: sharing with a guest via 9p does not work
+ Regression potential: this debdiff only adds apparmor permissions which are
already being granted in vivid, so no regressions should be possible.
+ Test case: <Details>
+ ========================================================
+
I have an asterisk server running in a KVM and give it access to the storage
array of the host via 9p.
/etc/apparmor.d/abstractions/libvirt-qemu was missing the permissions for
capa fowner and capa fsetid which are necessary for full access to the shares
and which I fixed myself. Now, additionally, it seems that the helper for the
KVMs only sets r and w permissions for the 9p shares. For full access in this
case, also the link permission is needed. Manually adding the l flag to
/etc/apparmor.d/libvirt-qemu/<UUID>.files does NOT work. The permission
structure seems to be hardcoded in the source of the helper. Typical log entry:
Oct 7 19:04:14 nostromo kernel: [498751.395000] type=1400
audit(1412697854.669:203): apparmor="DENIED" operation="link" profile
="libvirt-d2719da3-1869-9cee-b02f-8d86458bbea2"
name="/storage/asterisk/spool/voicemail/default/1102/Old/.lock" pid=7775
comm="pool" requested_mask="l" denied_mask="l" fsuid=0 ouid=0
target="/storage/asterisk/spool/voicemail/default/1102/Old/.lock-
0fc30204"
Possible solutions:
a) Add l permission to the source of the helper
b) Un-hardcode the permissions set by the helper and make them configurable
through an /etc/default config or similar. This would be a preferable solution.
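Review bot: the added "Test case: <Details>" line in the new SRU header is still a placeholder, so the change cannot be verified from the description as it stands. It needs concrete reproduction steps, for example the guest .xml with the 9p share that the comment above asks for. The "Regression potential" line would also be easier to check if it named the specific AppArmor permissions being added, rather than only stating that vivid already grants them.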
- ---
+ ---
AlsaDevices:
- total 0
- crw-rw---- 1 root audio 116, 1 Oct 2 00:29 seq
- crw-rw---- 1 root audio 116, 33 Oct 2 00:29 timer
+ total 0
+ crw-rw---- 1 root audio 116, 1 Oct 2 00:29 seq
+ crw-rw---- 1 root audio 116, 33 Oct 2 00:29 timer
AplayDevices: Error: [Errno 2] No such file or directory
ApportVersion: 2.14.1-0ubuntu3.4
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq',
'/dev/snd/timer'] failed with exit code 1:
CRDA: Error: [Errno 2] No such file or directory
DistroRelease: Ubuntu 14.04
HibernationDevice: RESUME=UUID=28b31865-bf30-4c40-a9a6-32d44abec88b
InstallationDate: Installed on 2014-08-17 (50 days ago)
InstallationMedia: Ubuntu-Server 14.04.1 LTS "Trusty Tahr" - Release amd64
(20140722.3)
MachineType: ASUSTeK COMPUTER INC. P9D-V Series
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
Package: linux (not installed)
PciMultimedia:
-
+
ProcFB: 0 astdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-36-generic
root=UUID=c61299e4-1f7f-4807-aff6-0a3b4028b88c ro
ProcVersionSignature: Ubuntu 3.13.0-36.63-generic 3.13.11.6
RelatedPackageVersions:
- linux-restricted-modules-3.13.0-36-generic N/A
- linux-backports-modules-3.13.0-36-generic N/A
- linux-firmware 1.127.7
+ linux-restricted-modules-3.13.0-36-generic N/A
+ linux-backports-modules-3.13.0-36-generic N/A
+ linux-firmware 1.127.7
RfKill: Error: [Errno 2] No such file or directory
Tags: trusty
Uname: Linux 3.13.0-36-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:
-
+
_MarkForUpload: True
dmi.bios.date: 11/13/2013
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 0601
dmi.board.asset.tag: To be filled by O.E.M.
dmi.board.name: P9D-V Series
dmi.board.vendor: ASUSTeK COMPUTER INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 17
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias:
dmi:bvnAmericanMegatrendsInc.:bvr0601:bd11/13/2013:svnASUSTeKCOMPUTERINC.:pnP9D-VSeries:pvrRev1.xx:rvnASUSTeKCOMPUTERINC.:rnP9D-VSeries:rvrRev1.xx:cvnToBeFilledByO.E.M.:ct17:cvrToBeFilledByO.E.M.:
dmi.product.name: P9D-V Series
dmi.product.version: Rev 1.xx
dmi.sys.vendor: ASUSTeK COMPUTER INC.
--
https://bugs.launchpad.net/bugs/1378434
Title:
14.04: libvirt-qemu/apparmor: missing permissions for 9p shares
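For triaging denials like the one quoted in the description, the following added example (not part of the bug report or of libvirt) parses AppArmor DENIED records and groups what each profile was refused. The capability records in SAMPLE are constructed, the first record is the page's log entry rejoined onto one line, and the emitted rule text is a candidate for manual review, not a tested fix.

```python
import re
from collections import defaultdict
# key="quoted value" or key=bare pairs, as they appear in kernel audit records
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit masks c (create) and d (delete) are granted by w in profile syntax
AUDIT_TO_RULE = {"c": "w", "d": "w"}

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" and "profile" in fields else None

def summarize(lines):
    """Group denials per profile into denied capabilities and per-path masks."""
    report = defaultdict(lambda: {"capabilities": set(), "paths": defaultdict(set)})
    for rec in filter(None, map(parse_denial, lines)):
        entry = report[rec["profile"]]
        if rec.get("operation") == "capable" and "capname" in rec:
            entry["capabilities"].add(rec["capname"])
        elif "name" in rec:
            masks = rec.get("denied_mask", "")
            entry["paths"][rec["name"]].update(AUDIT_TO_RULE.get(m, m) for m in masks)
    return report

def candidate_rules(entry):
    """Render one profile's denials as AppArmor rule text for manual review."""
    rules = [f"capability {cap}," for cap in sorted(entry["capabilities"])]
    rules += [f'"{path}" {"".join(sorted(masks))},'
              for path, masks in sorted(entry["paths"].items())]
    return rules

PROFILE = "libvirt-d2719da3-1869-9cee-b02f-8d86458bbea2"
LOCK = "/storage/asterisk/spool/voicemail/default/1102/Old/.lock"
SAMPLE = [
    # The denial quoted in the bug description, rejoined onto one line
    'Oct 7 19:04:14 nostromo kernel: [498751.395000] type=1400 '
    f'audit(1412697854.669:203): apparmor="DENIED" operation="link" profile="{PROFILE}" '
    f'name="{LOCK}" pid=7775 comm="pool" requested_mask="l" denied_mask="l" '
    f'fsuid=0 ouid=0 target="{LOCK}-0fc30204"',
    # Constructed records for the two capabilities the description names
    f'type=1400 audit(0.0:1): apparmor="DENIED" operation="capable" profile="{PROFILE}" '
    'pid=7775 comm="pool" capability=3 capname="fowner"',
    f'type=1400 audit(0.0:2): apparmor="DENIED" operation="capable" profile="{PROFILE}" '
    'pid=7775 comm="pool" capability=4 capname="fsetid"',
    'Oct 7 19:04:15 nostromo kernel: [498752.000000] unrelated line (constructed)',
]

for profile, entry in summarize(SAMPLE).items():
    print(profile, *candidate_rules(entry), sep="\n  ")
```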