Hi Christian, I was hoping for this to be SRU'ed to Xenial, when you have the time. I started filling in the SRU justification but would appreciate your input for the regression potential section. Thanks.
** Description changed:

- Libvirt qemu-kvm guests backed by zvols (ZFS volumes) generate useless
- noise due to virt-aa-helper trying to read the backing device in the
- host (/dev/zdX). Other host's devs are already denied in virt-aa-
- helper's profile:
+ When a qemu-kvm guest is using a zvol or a DRBD volume or an NVME
+ partition, Apparmor denial messages are logged due to virt-aa-helper
+ trying to access the volume/device. Those should be silenced as it's
+ already done for Logical Volumes.
-
- # for hostdev
- /sys/devices/ r,
- /sys/devices/** r,
- /sys/bus/usb/devices/ r,
- /sys/bus/usb/devices/** r,
- deny /dev/sd* r,
- deny /dev/dm-* r,
- deny /dev/mapper/ r,
- deny /dev/mapper/* r,
+ [Test Case]
+ 1) Create a KVM guest
+ 2) Edit the guest's XML profile to reference a zvol|DRBD volume|NVME partition
+ <disk type='block' device='disk'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source dev='/dev/zvol/data/foo'/>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ 3) Start the guest
+ 4) Check dmesg for any Apparmor denials, there should be none with the patch
+
+ *Without* the patch, one would see those (or similar) denials:
+
+ audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED"
+ operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
+ name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r"
+ denied_mask="r" fsuid=0 ouid=0
+
+
+ [Regression Potential]
+ Adding a couple of explicit denials to the virt-aa-helper profile
+ shouldn't cause any harm because Apparmor already denies those, this is
+ just about silencing this.
+
+
+ [Original description]
+ Libvirt qemu-kvm guests backed by zvols (ZFS volumes) generate useless noise due to virt-aa-helper trying to read the backing device in the host (/dev/zdX).
+ Other host's devs are already denied in virt-aa-helper's profile:
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+ /sys/bus/usb/devices/ r,
+ /sys/bus/usb/devices/** r,
+ deny /dev/sd* r,
+ deny /dev/dm-* r,
+ deny /dev/mapper/ r,
+ deny /dev/mapper/* r,

  Adding "deny /dev/zd[0-9]* r," would silence Apparmor.

--
https://bugs.launchpad.net/bugs/1641618

Title:
  Apparmor denials caused by virt-aa-helper trying to read zvol devices (/dev/zdX) should be silenced
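The reason an explicit `deny` rule silences the noise is that AppArmor logs an access no rule covers as `apparmor="DENIED"`, whereas an explicit `deny` rule blocks the same access quietly (only `audit deny` logs). The script below is an added example, not code from the bug report or from libvirt: it parses audit records of the form quoted above, keeps those raised by `virt-aa-helper`, and reports which device paths the profile's deny rules already cover and which would still be logged. The deny rules are the ones quoted in the description plus the proposed `/dev/zd[0-9]*`; the sample records other than the `/dev/zd0` one are constructed here, including a `/dev/drbd0` record that stands in for the DRBD case, for which the report gives no rule. The glob translation handles only the `*`, `**`, `?` and `[...]` subset of AppArmor's path syntax.

```python
import re

# Deny rules quoted in the bug from the virt-aa-helper profile, plus the
# /dev/zd rule the report proposes.
EXISTING_DENY_RULES = ["/dev/sd*", "/dev/dm-*", "/dev/mapper/", "/dev/mapper/*"]
PROPOSED_DENY_RULES = EXISTING_DENY_RULES + ["/dev/zd[0-9]*"]

# Constructed sample audit records. The first mirrors the denial quoted in the
# bug; the others are made up for this example (/dev/drbd0 stands in for a
# DRBD volume, for which the bug lists no deny rule).
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=16715 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1479809920.001:4084): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/sda1" pid=16716 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1479809921.500:4085): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/drbd0" pid=16717 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1479809922.000:4086): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=900 '
    'comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key="quoted value" or key=bare_value
AUDIT_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one audit record into a dict of its key/value fields."""
    fields = {}
    for key, quoted, bare in AUDIT_KV.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def apparmor_glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored Python regex.

    Handled subset: '*' (anything but '/'), '**' (may span '/'), '?' and
    '[...]' character classes. Brace alternation {a,b} is not handled here.
    """
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.find("]", i)
            if j == -1:
                out.append(re.escape(c))  # unterminated class: literal '['
            else:
                out.append(glob[i:j + 1])
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def rule_matches(rule, path):
    """True if the AppArmor path glob `rule` covers `path`."""
    return re.match(apparmor_glob_to_regex(rule), path) is not None


def is_quietly_denied(path, rules):
    """True if an explicit deny rule covers the path, so AppArmor logs nothing."""
    return any(rule_matches(r, path) for r in rules)


def virt_aa_helper_denials(lines, rules):
    """(path, covered_by_deny_rule) for every DENIED record from virt-aa-helper."""
    results = []
    for line in lines:
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("comm") != "virt-aa-helper":
            continue
        path = f.get("name", "")
        results.append((path, is_quietly_denied(path, rules)))
    return results


def still_noisy(lines, rules):
    """Device paths that would still produce a logged denial under `rules`."""
    return [p for p, covered in virt_aa_helper_denials(lines, rules) if not covered]


if __name__ == "__main__":
    for label, rules in (("before patch", EXISTING_DENY_RULES),
                         ("after patch", PROPOSED_DENY_RULES)):
        print(label, "- still logged:", still_noisy(SAMPLE_AUDIT_LINES, rules))
```

Running it shows `/dev/zd0` and `/dev/drbd0` as still logged with the profile's current deny rules, and only `/dev/drbd0` once the proposed `/dev/zd[0-9]*` rule is in place; fed with real `dmesg` or `/var/log/audit/audit.log` lines, `still_noisy` lists the paths for which a maintainer would still need to choose a rule.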
