** Description changed:

  If a guest uses a .qcow2 with more than one level of stacking, the Apparmor policy for the guest only authorizes access to the first backend file.

  The guest uses this drive:

- <disk type='file' device='disk'>
-   <driver name='qemu' type='qcow2' cache='writethrough'/>
-   <source file='/var/lib/libvirt/images/alice.qcow2'/>
-   <target dev='vda' bus='virtio'/>
- </disk>
+ <disk type='file' device='disk'>
+   <driver name='qemu' type='qcow2' cache='writethrough'/>
+   <source file='/var/lib/libvirt/images/alice.qcow2'/>
+   <target dev='vda' bus='virtio'/>
+ </disk>

  Here, the alice.qcow2 file is backed by root.qcow2 which is then backed by debian-jessie-amd64.qcow2:

  # qemu-img info /var/lib/libvirt/images/alice.qcow2
  image: /var/lib/libvirt/images/alice.qcow2
  file format: qcow2
  virtual size: 1.2G (1342177280 bytes)
  disk size: 4.9M
  cluster_size: 65536
  backing file: /btmp/mcr/openswan-testing/build/images/root.qcow2
  Format specific information:
-     compat: 1.1
-     lazy refcounts: false
+ compat: 1.1
+ lazy refcounts: false

  # qemu-img info /btmp/mcr/openswan-testing/build/images/root.qcow2
  image: /btmp/mcr/openswan-testing/build/images/root.qcow2
  file format: qcow2
  virtual size: 1.2G (1342177280 bytes)
  disk size: 22M
  cluster_size: 65536
  backing file: /btmp/mcr/openswan-testing/build/images/debian-jessie-amd64.qcow2
  Format specific information:
-     compat: 1.1
-     lazy refcounts: false
+ compat: 1.1
+ lazy refcounts: false

  # qemu-img info /btmp/mcr/openswan-testing/build/images/debian-jessie-amd64.qcow2
  image: /btmp/mcr/openswan-testing/build/images/debian-jessie-amd64.qcow2
  file format: qcow2
  virtual size: 1.2G (1342177280 bytes)
  disk size: 1.0G
  cluster_size: 65536
  Format specific information:
-     compat: 1.1
-     lazy refcounts: false
+ compat: 1.1
+ lazy refcounts: false

+ The problem is that the autogenerated libvirt-UUID.files doesn't include
+ the last backend file:
- The problem is that the autogenerated libvirt-UUID.files doesn't include the last backend file:
+
+ # grep qcow2 /etc/apparmor.d/libvirt/libvirt-1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9.files
+ "/btmp/mcr/openswan-testing/build/images/alice.qcow2" rw,
+ "/btmp/mcr/openswan-testing/build/images/root.qcow2" r,
+ deny "/btmp/mcr/openswan-testing/build/images/root.qcow2" w,
- # grep qcow2 /etc/apparmor.d/libvirt/libvirt-1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9.files
- "/btmp/mcr/openswan-testing/build/images/alice.qcow2" rw,
- "/btmp/mcr/openswan-testing/build/images/root.qcow2" r,
- deny "/btmp/mcr/openswan-testing/build/images/root.qcow2" w,
+ Which is confirmed by those denial logs:
+
+ audit: type=1400 audit(1484945935.609:81): apparmor="DENIED"
+ operation="open" profile="libvirt-1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9"
+ name="/btmp/mcr/openswan-testing/build/images/debian-jessie-amd64.qcow2"
+ pid=18037 comm="qemu-system-x86" requested_mask="r" denied_mask="r"
+ fsuid=109 ouid=109

  Additional information from the affected machine:

  # lsb_release -rd
  Description: Ubuntu 14.04.5 LTS
  Release: 14.04

  # apt-cache policy apparmor libvirt-bin
  apparmor:
-     Installed: 2.10.95-0ubuntu2.5~14.04.1
-     Candidate: 2.10.95-0ubuntu2.5~14.04.1
-     Version table:
-    *** 2.10.95-0ubuntu2.5~14.04.1 0
-         500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
-         100 /var/lib/dpkg/status
-         2.8.95~2430-0ubuntu5.1 0
-         500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
-         2.8.95~2430-0ubuntu5 0
-         500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
+   Installed: 2.10.95-0ubuntu2.5~14.04.1
+   Candidate: 2.10.95-0ubuntu2.5~14.04.1
+   Version table:
+  *** 2.10.95-0ubuntu2.5~14.04.1 0
+       500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
+       100 /var/lib/dpkg/status
+       2.8.95~2430-0ubuntu5.1 0
+       500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
+       2.8.95~2430-0ubuntu5 0
+       500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
  libvirt-bin:
-     Installed: 1.2.2-0ubuntu13.1.17
-     Candidate: 1.2.2-0ubuntu13.1.17
-     Version table:
-    *** 1.2.2-0ubuntu13.1.17 0
-         500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
-         100 /var/lib/dpkg/status
-         1.2.2-0ubuntu13.1.16 0
-         500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
-         1.2.2-0ubuntu13 0
-         500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
+   Installed: 1.2.2-0ubuntu13.1.17
+   Candidate: 1.2.2-0ubuntu13.1.17
+   Version table:
+  *** 1.2.2-0ubuntu13.1.17 0
+       500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
+       100 /var/lib/dpkg/status
+       1.2.2-0ubuntu13.1.16 0
+       500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
+       1.2.2-0ubuntu13 0
+       500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: libvirt-bin 1.2.2-0ubuntu13.1.17
  ProcVersionSignature: Ubuntu 4.4.0-47.68~14.04.1-generic 4.4.24
  Uname: Linux 4.4.0-47-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.23
  Architecture: amd64
  Date: Fri Jan 20 15:48:30 2017
  InstallationDate: Installed on 2015-09-10 (498 days ago)
  InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  ProcEnviron:
-   LANGUAGE=en_CA:en
-   TERM=xterm
-   PATH=(custom, no user)
-   LANG=en_CA.UTF-8
-   SHELL=/bin/bash
+  LANGUAGE=en_CA:en
+  TERM=xterm
+  PATH=(custom, no user)
+  LANG=en_CA.UTF-8
+  SHELL=/bin/bash
  SourcePackage: libvirt
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.apparmor.d.libvirt.TEMPLATE: [modified]
  mtime.conffile..etc.apparmor.d.libvirt.TEMPLATE: 2017-01-20T15:41:07.565194
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658198

Title:
  multi-level stacked qcow2 files are not properly handled in Apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1658198/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
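The check a libvirt administrator would want after reading this report, as an added example that is not part of the bug report and not libvirt's own virt-aa-helper code: walk the qcow2 backing chain by reading the header fields the QEMU qcow2 specification defines (magic, version, backing_file_offset, backing_file_size), emit rules in the style of the libvirt-UUID.files shown above (top image rw, every backing image r with an explicit deny w), and list which images in the chain an existing profile fails to grant read access to. The stub images, temporary paths and function names are constructed for the example; the three paths and the three profile lines reused from the report are treated as sample data. Relative backing-file names are resolved against the referencing image's directory, as QEMU does; backing references with a protocol prefix (json:, nbd:, ...) are rejected rather than handled.

```python
"""Walk a qcow2 backing chain and check a libvirt-UUID.files profile covers
every level. Added example; not libvirt's virt-aa-helper. Header offsets
follow the QEMU qcow2 specification."""
import os
import re
import struct
import tempfile

QCOW2_MAGIC = b"QFI\xfb"
HEADER_V3_LEN = 104

# Sample data copied from the bug report: the real chain, and the rules the
# autogenerated profile actually contained (the base image is missing).
REPORTED_CHAIN = [
    "/btmp/mcr/openswan-testing/build/images/alice.qcow2",
    "/btmp/mcr/openswan-testing/build/images/root.qcow2",
    "/btmp/mcr/openswan-testing/build/images/debian-jessie-amd64.qcow2",
]
REPORTED_PROFILE = '''"/btmp/mcr/openswan-testing/build/images/alice.qcow2" rw,
"/btmp/mcr/openswan-testing/build/images/root.qcow2" r,
deny "/btmp/mcr/openswan-testing/build/images/root.qcow2" w,'''

RULE_RE = re.compile(r'^"([^"]+)"\s+([a-z]+),$')   # allow rule: "path" perms,


def read_backing_file(path):
    """Return the backing file name stored in the qcow2 header, or None."""
    with open(path, "rb") as f:
        hdr = f.read(20)
        if len(hdr) < 20 or hdr[:4] != QCOW2_MAGIC:
            raise ValueError("%s: not a qcow2 image" % path)
        version, off, size = struct.unpack(">IQI", hdr[4:20])
        if version not in (2, 3):
            raise ValueError("%s: unsupported qcow2 version %d" % (path, version))
        if off == 0 or size == 0:
            return None                      # base image, no backing file
        if size > 1023:                      # spec limit; also bounds the read
            raise ValueError("%s: backing_file_size %d too large" % (path, size))
        f.seek(off)
        name = f.read(size)
    return name.decode("utf-8", "surrogateescape")


def backing_chain(path, max_depth=32):
    """[top, its backing file, ...] as absolute paths, with loop/depth guards."""
    chain, seen = [], set()
    cur = os.path.abspath(path)
    while True:
        if cur in seen:
            raise ValueError("backing-file loop at %s" % cur)
        if len(chain) >= max_depth:
            raise ValueError("backing chain deeper than %d" % max_depth)
        seen.add(cur)
        chain.append(cur)
        name = read_backing_file(cur)
        if name is None:
            return chain
        if ":" in name.split("/", 1)[0]:     # json:, nbd:, ... are not plain files
            raise ValueError("%s: non-file backing reference %r" % (cur, name))
        cur = os.path.normpath(os.path.join(os.path.dirname(cur), name))


def apparmor_rules(chain):
    """libvirt-UUID.files style: top image rw, each backing image r plus deny w."""
    rules = ['"%s" rw,' % chain[0]]
    for img in chain[1:]:
        rules.append('"%s" r,' % img)
        rules.append('deny "%s" w,' % img)
    return rules


def uncovered(chain, profile_text):
    """Images in the chain that no allow rule in profile_text grants read on."""
    readable = set()
    for line in profile_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and "r" in m.group(2):
            readable.add(m.group(1))
    return [img for img in chain if img not in readable]


def write_stub_qcow2(path, backing=None, cluster_bits=16):
    """Constructed test data: header-only qcow2 v3 file (parsable, not bootable)."""
    name = backing.encode() if backing else b""
    off = HEADER_V3_LEN if name else 0       # name stored right after the header
    hdr = struct.pack(">4sIQIIQIIQQIIQQQQII", QCOW2_MAGIC, 3, off, len(name),
                      cluster_bits, 1 << 30, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4,
                      HEADER_V3_LEN)
    with open(path, "wb") as f:
        f.write(hdr + name)
        f.write(b"\0" * ((1 << cluster_bits) - len(hdr) - len(name)))


def demo():
    """Three stub images chained like the report, via relative and absolute refs."""
    d = tempfile.mkdtemp()
    base = os.path.join(d, "debian-jessie-amd64.qcow2")
    root = os.path.join(d, "root.qcow2")
    top = os.path.join(d, "alice.qcow2")
    write_stub_qcow2(base)
    write_stub_qcow2(root, backing=base)          # absolute reference
    write_stub_qcow2(top, backing="root.qcow2")   # relative reference
    return backing_chain(top)


if __name__ == "__main__":
    for rule in apparmor_rules(demo()):
        print(rule)
    print("not readable under reported profile:", uncovered(REPORTED_CHAIN, REPORTED_PROFILE))
```

Run against the report's own data, `uncovered(REPORTED_CHAIN, REPORTED_PROFILE)` returns only the debian-jessie-amd64.qcow2 base image, which is exactly the file the audit DENIED line names. Comparing the chain a generator thinks it resolved against the chain read from the headers is the cheap regression check for this class of bug; the depth and loop guards matter because a guest-controlled or corrupted image could otherwise make the walker follow an unbounded chain.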
