Public bug reported:
If a guest uses a .qcow2 with more than one level of stacking, the
AppArmor policy for the guest only authorizes access to the first
backend file.
The guest uses this drive:
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2' cache='writethrough'/>
<source file='/var/lib/libvirt/images/alice.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
Here, the alice.qcow2 file is backed by root.qcow2 which is then backed
by debian-jessie-amd64.qcow2:
# qemu-img info /var/lib/libvirt/images/alice.qcow2
image: /var/lib/libvirt/images/alice.qcow2
file format: qcow2
virtual size: 1.2G (1342177280 bytes)
disk size: 4.9M
cluster_size: 65536
backing file: /btmp/mcr/openswan-testing/build/images/root.qcow2
Format specific information:
compat: 1.1
lazy refcounts: false
# qemu-img info /btmp/mcr/openswan-testing/build/images/root.qcow2
image: /btmp/mcr/openswan-testing/build/images/root.qcow2
file format: qcow2
virtual size: 1.2G (1342177280 bytes)
disk size: 22M
cluster_size: 65536
backing file: /btmp/mcr/openswan-testing/build/images/debian-jessie-amd64.qcow2
Format specific information:
compat: 1.1
lazy refcounts: false
# qemu-img info /btmp/mcr/openswan-testing/build/images/debian-jessie-amd64.qcow2
image: /btmp/mcr/openswan-testing/build/images/debian-jessie-amd64.qcow2
file format: qcow2
virtual size: 1.2G (1342177280 bytes)
disk size: 1.0G
cluster_size: 65536
Format specific information:
compat: 1.1
lazy refcounts: false
The problem is that the autogenerated libvirt-UUID.files doesn't include the
last backend file:
# grep qcow2 /etc/apparmor.d/libvirt/libvirt-1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9.files
"/btmp/mcr/openswan-testing/build/images/alice.qcow2" rw,
"/btmp/mcr/openswan-testing/build/images/root.qcow2" r,
deny "/btmp/mcr/openswan-testing/build/images/root.qcow2" w,
Additional information from the affected machine:
# lsb_release -rd
Description: Ubuntu 14.04.5 LTS
Release: 14.04
# apt-cache policy apparmor libvirt-bin
apparmor:
Installed: 2.10.95-0ubuntu2.5~14.04.1
Candidate: 2.10.95-0ubuntu2.5~14.04.1
Version table:
*** 2.10.95-0ubuntu2.5~14.04.1 0
500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
2.8.95~2430-0ubuntu5.1 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
2.8.95~2430-0ubuntu5 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
libvirt-bin:
Installed: 1.2.2-0ubuntu13.1.17
Candidate: 1.2.2-0ubuntu13.1.17
Version table:
*** 1.2.2-0ubuntu13.1.17 0
500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.2.2-0ubuntu13.1.16 0
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
1.2.2-0ubuntu13 0
500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libvirt-bin 1.2.2-0ubuntu13.1.17
ProcVersionSignature: Ubuntu 4.4.0-47.68~14.04.1-generic 4.4.24
Uname: Linux 4.4.0-47-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.23
Architecture: amd64
Date: Fri Jan 20 15:48:30 2017
InstallationDate: Installed on 2015-09-10 (498 days ago)
InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
ProcEnviron:
LANGUAGE=en_CA:en
TERM=xterm
PATH=(custom, no user)
LANG=en_CA.UTF-8
SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apparmor.d.libvirt.TEMPLATE: [modified]
mtime.conffile..etc.apparmor.d.libvirt.TEMPLATE: 2017-01-20T15:41:07.565194
** Affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apparmor apport-bug trusty
https://bugs.launchpad.net/bugs/1658198
Title:
multi-level stacked qcow2 files are not properly handled in Apparmor
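Added example, not part of the original report and not libvirt's own code: a check that walks a qcow2 backing chain by reading each image header and lists every chain member that the guest's generated .files profile does not let it read. The function names are hypothetical, the profile is assumed to contain only literal quoted paths like the grep output in the report, and the stub images and profile text are constructed for the demonstration.

```python
import os
import re
import struct
import tempfile

QCOW2_MAGIC = b"QFI\xfb"
RULE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([a-z]+),')  # [deny] "<path>" <perms>,

def backing_file(path):
    """Backing file named in a qcow2 header (relative names resolved), or None."""
    with open(path, "rb") as f:
        hdr = f.read(20)
        if len(hdr) < 20 or hdr[:4] != QCOW2_MAGIC:
            return None  # not qcow2, e.g. a raw base image
        offset, size = struct.unpack(">QI", hdr[8:20])  # backing_file_offset, backing_file_size
        if not (offset and size):
            return None  # no backing file: end of the chain
        f.seek(offset)
        name = f.read(size).decode()
    return os.path.normpath(os.path.join(os.path.dirname(path), name))

def backing_chain(top, max_depth=32):
    """Every image in the chain, top overlay first; stops on loops."""
    chain, path = [], top
    while path and path not in chain and len(chain) < max_depth:
        chain.append(path)
        path = backing_file(path) if os.path.isfile(path) else None
    return chain

def missing_from_profile(top, profile_text):
    """Chain members that no non-deny rule lets the guest read (literal paths)."""
    rules = (RULE.match(line) for line in profile_text.splitlines())
    allowed = {m.group(2) for m in rules if m and not m.group(1) and "r" in m.group(3)}
    return [p for p in backing_chain(top) if p not in allowed]

def write_stub(path, backing=None):
    """Constructed input: header-only qcow2 stub, not a usable image."""
    name = (backing or "").encode()
    hdr = QCOW2_MAGIC + struct.pack(">IQI", 3, 104 if name else 0, len(name))
    with open(path, "wb") as f:
        f.write(hdr.ljust(104, b"\0") + name)

def demo():
    d = tempfile.mkdtemp()
    base, root, top = (os.path.join(d, n) for n in ("base.qcow2", "root.qcow2", "alice.qcow2"))
    for path, backing in ((base, None), (root, base), (top, root)):
        write_stub(path, backing)
    profile = f'"{top}" rw,\n"{root}" r,\ndeny "{root}" w,\n'  # constructed, shaped like the report's
    return [os.path.basename(p) for p in missing_from_profile(top, profile)]
```

On an affected host, `missing_from_profile` would be given the guest's top-level image path and the text of its libvirt-UUID.files; any path it returns is a backing file the confined guest cannot open.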