** Description changed:

  ========================================================
  Impact: sharing with a guest via 9p does not work
  Regression potential: this debdiff only adds apparmor permissions which are already being granted in vivid, so no regressions should be possible.
- Test case: <Details>
+ Test case: Create a VM with a section like:
+
+ <filesystem type='mount' accessmode='passthrough'>
+ <source dir='/home/ubuntu'/>
+ <target dir='hostubuntu'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
+ </filesystem>
+
+ (see comment below for a complete example) and try linking.
  ========================================================

  I have an asterisk server running in a KVM and give it access to the storage array of the host via 9p.

  /etc/apparmor.d/abstractions/libvirt-qemu was missing the permissions for capa fowner and capa fsetid which are necessary for full access to the shares and which I fixed myself.

  Now, additionally, it seems that the helper for the KVMs only sets r and w permissions for the 9p shares. For full access in this case, also the link permission is needed. Manually adding the l flag to /etc/apparmor.d/libvirt-qemu/<UUID>.files does NOT work. The permission structure seems to be hardcoded in the source of the helper.

  Typical log entry:

  Oct 7 19:04:14 nostromo kernel: [498751.395000] type=1400 audit(1412697854.669:203): apparmor="DENIED" operation="link" profile ="libvirt-d2719da3-1869-9cee-b02f-8d86458bbea2" name="/storage/asterisk/spool/voicemail/default/1102/Old/.lock" pid=7775 comm="pool" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 target="/storage/asterisk/spool/voicemail/default/1102/Old/.lock- 0fc30204"

  Possible solutions:
  a) Add l permission to the source of the helper
  b) Un-hardcode the permissions set by the helper and make them configurable through an /etc/default config or similar. This would be a preferable solution.
--
https://bugs.launchpad.net/bugs/1378434

Title:
  14.04: libvirt-qemu/apparmor: missing permissions for 9p shares
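Added example, not part of the original bug report or of libvirt: a small Python parser for AppArmor audit lines like the one quoted in the report, which groups DENIED entries by libvirt domain profile and reports which permission letters the generated profile lacks. The first sample line is the report's log entry with the stray spaces inside profile= and target= removed; the second sample line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample audit lines. The first is the entry quoted in the report (stray
# spaces removed); the second is constructed for this example.
SAMPLE_LOG = '''\
Oct 7 19:04:14 nostromo kernel: [498751.395000] type=1400 audit(1412697854.669:203): apparmor="DENIED" operation="link" profile="libvirt-d2719da3-1869-9cee-b02f-8d86458bbea2" name="/storage/asterisk/spool/voicemail/default/1102/Old/.lock" pid=7775 comm="pool" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 target="/storage/asterisk/spool/voicemail/default/1102/Old/.lock-0fc30204"
Oct 7 19:05:02 nostromo kernel: [498799.101000] type=1400 audit(1412697902.120:204): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/tmp/x" pid=1 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# Audit fields are key="quoted value" or key=bare_value.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Per-domain profiles are named libvirt-<domain UUID>.
LIBVIRT_PROFILE_RE = re.compile(
    r'^libvirt-([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$')


def parse_fields(line):
    """Return the key=value fields of one audit line as a dict."""
    return {k: (q if q else b) for k, q, b in FIELD_RE.findall(line)}


def libvirt_denials(log_text):
    """Map domain UUID -> {(operation, path): set of denied letters}."""
    result = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED":
            continue  # skip ALLOWED/AUDIT records and non-AppArmor lines
        m = LIBVIRT_PROFILE_RE.match(f.get("profile", ""))
        if not m:
            continue  # denial belongs to some other confined program
        key = (f.get("operation"), f.get("name"))
        result[m.group(1)][key].update(f.get("denied_mask", ""))
    return result


def missing_permissions(log_text):
    """Per domain UUID, the sorted union of denied permission letters."""
    return {uuid: "".join(sorted(set().union(*paths.values())))
            for uuid, paths in libvirt_denials(log_text).items()}


if __name__ == "__main__":
    for uuid, perms in missing_permissions(SAMPLE_LOG).items():
        print(f"domain {uuid}: profile lacks '{perms}'")
```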
