Public bug reported:
It seems there is something [relatively] new in the libvirt-bin AppArmor
profile which is causing a regression for me. I looked at the diffs on
Launchpad to try to figure out what version introduced the regression,
but it's missing diffs between -ubuntu10 and -ubuntu10.5, so I can't be
sure. (And I can't trust my apt logs because I don't know when I might
have updated libvirt, but not restarted my test VM.)
Background: I have a test utility that downloads cloud images to
~/.cloud-images. I previously had /some/ trouble with doing this, in
that I had to set filesystem ACLs on them so that libvirt-qemu:kvm could
access them. But now it fails completely, and in my syslog I now see:
Jan 20 21:12:36 ubuntu kernel: [ 2850.997411] audit: type=1400 audit(1484975556.766:233): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/home/mpontillo/.cloud-images/maas-config.iso" pid=10007 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=124
Jan 20 21:12:36 ubuntu kernel: [ 2851.095051] audit: type=1400 audit(1484975556.862:234): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-a745b010-a125-480e-a29a-3f0cfc5cf4bf" pid=10009 comm="apparmor_parser"
Jan 20 21:12:36 ubuntu kernel: [ 2851.105592] audit: type=1400 audit(1484975556.874:235): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-a745b010-a125-480e-a29a-3f0cfc5cf4bf//qemu_bridge_helper" pid=10009 comm="apparmor_parser"
When I tried to start my VM, I saw the following error:
$ virsh start maas
error: Failed to start domain maas
error: internal error: process exited while connecting to monitor: 2017-01-21T04:55:51.659022Z qemu-system-x86_64: -drive file=/home/mpontillo/.cloud-images/maas.img,format=qcow2,if=none,id=drive-ide0-0-0: Could not open backing file: Could not open '/home/mpontillo/.cloud-images/88dbe2e0a9ea89acae808aac88fa5af25affdd91837d27ba0273f87ed1b07707.baseimg': Permission denied
As a side effect, this also caused a nasty segfault in libvirtd via a
realloc() call; I saw a backtrace in my syslog for that as follows:
Jan 20 20:58:21 ubuntu libvirtd[4808]: *** Error in `/usr/sbin/libvirtd': realloc(): invalid next size: 0x00007f011c0243c0 ***
Jan 20 20:58:21 ubuntu libvirtd[4808]: ======= Backtrace: =========
Jan 20 20:58:21 ubuntu libvirtd[4808]: /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f015fad67e5]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /lib/x86_64-linux-gnu/libc.so.6(+0x82a5a)[0x7f015fae1a5a]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /lib/x86_64-linux-gnu/libc.so.6(realloc+0x179)[0x7f015fae2c89]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/x86_64-linux-gnu/libvirt.so.0(virReallocN+0x43)[0x7f01604b02f3]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so(+0x7d0f9)[0x7f0138eed0f9]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so(+0x7d450)[0x7f0138eed450]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so(qemuProcessLaunch+0x19a8)[0x7f0138ef1548]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so(qemuProcessStart+0x1db)[0x7f0138ef491b]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so(+0xdce0e)[0x7f0138f4ce0e]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so(+0xdd506)[0x7f0138f4d506]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/x86_64-linux-gnu/libvirt.so.0(virDomainCreate+0xef)[0x7f01605bb58f]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/sbin/libvirtd(+0x3ad9b)[0x560971066d9b]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/x86_64-linux-gnu/libvirt.so.0(virNetServerProgramDispatch+0x3c9)[0x7f016061dd49]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/x86_64-linux-gnu/libvirt.so.0(+0x1cd258)[0x7f0160619258]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/x86_64-linux-gnu/libvirt.so.0(+0xc44a6)[0x7f01605104a6]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /usr/lib/x86_64-linux-gnu/libvirt.so.0(+0xc3a28)[0x7f016050fa28]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7f015fe2f6ba]
Jan 20 20:58:21 ubuntu libvirtd[4808]: /lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f015fb6582d]
I'm running on Xenial with the latest from -updates, though I also tried the
libvirt packages in -proposed.
# apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 1.3.1-1ubuntu10.6
  Candidate: 1.3.1-1ubuntu10.6
  Version table:
 *** 1.3.1-1ubuntu10.6 500
        500 http://192.168.122.218/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.3.1-1ubuntu10 500
        500 http://192.168.122.218/ubuntu xenial/main amd64 Packages
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
As a workaround, I commented out the following lines in
/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
# audit deny @{HOME}/.* mrwkl,
# audit deny @{HOME}/.*/ rw,
# audit deny @{HOME}/.*/** mrwkl,
After I did that (and did a `service apparmor reload`) I could start my
test VM again.
I suppose I should change my test utilities and process to avoid hidden
files in my $HOME, but I wonder if "non-hidden files in $HOME" is a bit
arbitrary, given that I already have to jump through hoops to allow
libvirt to access the files.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu10.6
ProcVersionSignature: Ubuntu 4.4.0-59.80-generic 4.4.35
Uname: Linux 4.4.0-59-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Fri Jan 20 21:01:15 2017
InstallationDate: Installed on 2016-05-13 (252 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.qemu.networks.default.xml: [modified]
mtime.conffile..etc.libvirt.qemu.networks.default.xml: 2017-01-20T19:13:47.032531
** Affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apparmor apport-bug xenial
https://bugs.launchpad.net/bugs/1658275
Title:
libvirtd regression after update to 1.3.1-1ubuntu10.6 - AppArmor now
denies access to ~/.*
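An added example, not part of the report or of libvirt: a small Python script that parses the kernel audit records quoted above into fields and checks a path against the three deny rules the reporter commented out, so you can tell whether a given image location would trip them before touching the profile. It assumes the default Ubuntu tunables, where @{HOME} expands to /home/*/ and /root/.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two kinds of audit line from the report, each re-joined onto one line.
SAMPLE_LOG = """\
Jan 20 21:12:36 ubuntu kernel: [ 2850.997411] audit: type=1400 audit(1484975556.766:233): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/home/mpontillo/.cloud-images/maas-config.iso" pid=10007 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=124
Jan 20 21:12:36 ubuntu kernel: [ 2851.095051] audit: type=1400 audit(1484975556.862:234): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-a745b010-a125-480e-a29a-3f0cfc5cf4bf" pid=10009 comm="apparmor_parser"
"""

# Assumption: default Ubuntu tunables, where @{HOME} expands to /home/*/ and /root/.
HOME_DIRS = ["/home/*/", "/root/"]
# The three virt-aa-helper rules quoted in the workaround, as (path glob, permission mask).
DENY_RULES = [("@{HOME}/.*", "mrwkl"), ("@{HOME}/.*/", "rw"), ("@{HOME}/.*/**", "mrwkl")]
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Split an AppArmor audit record into its key=value fields; None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def denials(log: str) -> List[Dict[str, str]]:
    """Keep only DENIED records; STATUS records (profile loads) are noise for this question."""
    records = (parse_audit_line(ln) for ln in log.splitlines())
    return [r for r in records if r and r.get("apparmor") == "DENIED"]

def glob_to_regex(glob: str) -> str:
    """AppArmor globbing: '**' crosses directory separators, a single '*' does not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return "^" + out + "$"

def denying_rule(path: str, mask: str = "r") -> Optional[str]:
    """First deny rule whose glob matches the path and whose mask covers the request, else None."""
    for glob, perms in DENY_RULES:
        if not set(mask) <= set(perms):
            continue
        for home in HOME_DIRS:
            if re.match(glob_to_regex(glob.replace("@{HOME}/", home)), path):
                return f"audit deny {glob} {perms},"
    return None
```

Because AppArmor deny rules take precedence over allow rules, an allow line in the local/ override cannot re-enable a path these rules cover; a path for which denying_rule() returns None (such as a non-hidden directory under $HOME) avoids them without giving virt-aa-helper access to ~/.ssh and the like.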