Hi
Thanks a ton for looking into this. Oh sorry. I thought the bug
reporting tool was release specific. I see that is not the case. OK, so
here are some responses to your requests for information:
1. Bionic Beaver
sbates@yoda:~$ uname -a
Linux yoda 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
2. Package information:
sbates@yoda:~$ dpkg -l | grep libvirt*
ii  gir1.2-libvirt-glib-1.0:amd64      1.0.0-1           amd64  GObject introspection files for the libvirt-glib library
ii  libvirt-bin                        4.0.0-1ubuntu8.1  amd64  programs for the libvirt library
ii  libvirt-clients                    4.0.0-1ubuntu8.1  amd64  Programs for the libvirt library
ii  libvirt-daemon                     4.0.0-1ubuntu8.1  amd64  Virtualization daemon
ii  libvirt-daemon-driver-storage-rbd  4.0.0-1ubuntu8.1  amd64  Virtualization daemon RBD storage driver
ii  libvirt-daemon-system              4.0.0-1ubuntu8.1  amd64  Libvirt daemon configuration files
ii  libvirt-glib-1.0-0:amd64           1.0.0-1           amd64  libvirt GLib and GObject mapping library
ii  libvirt0:amd64                     4.0.0-1ubuntu8.1  amd64  library for interfacing with different virtualization systems
ii  python-libvirt                     4.0.0-1           amd64  libvirt Python bindings
sbates@yoda:~$ dpkg -l | grep qemu*
ii  ipxe-qemu                       1.0.0+git-20180124.fbe8c52d-0ubuntu2  all    PXE boot firmware - ROM images for qemu
ii  ipxe-qemu-256k-compat-efi-roms  1.0.0+git-20150424.a25a16d-0ubuntu2   all    PXE boot firmware - Compat EFI ROM images for qemu
ii  qemu-block-extra:amd64          1:2.11+dfsg-1ubuntu7.2                amd64  extra block backend modules for qemu-system and qemu-utils
ii  qemu-kvm                        1:2.11+dfsg-1ubuntu7.2                amd64  QEMU Full virtualization on x86 hardware
ii  qemu-system-common              1:2.11+dfsg-1ubuntu7.2                amd64  QEMU full system emulation binaries (common files)
ii  qemu-system-x86                 1:2.11+dfsg-1ubuntu7.2                amd64  QEMU full system emulation binaries (x86)
ii  qemu-utils                      1:2.11+dfsg-1ubuntu7.2                amd64  QEMU utilities
3. Guest XML.
<domain type='kvm' id='1' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>athens</name>
  <uuid>e61ed540-1288-4920-97b1-2bdce72ab394</uuid>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-i440fx-bionic'>hvm</type>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Skylake-Client</model>
    <feature policy='require' name='hypervisor'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/kvm-spice</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/athens-1.qcow2'/>
      <backingStore/>
      <target dev='hda' bus='ide'/>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <alias name='usb'/>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <alias name='usb'/>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <alias name='usb'/>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <controller type='ide' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:a3:f6:49'/>
      <source bridge='virbr0'/>
      <target dev='vnet0'/>
      <model type='rtl8139'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/1'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/1'>
      <source path='/dev/pts/1'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <input type='mouse' bus='ps2'>
      <alias name='input0'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input1'/>
    </input>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
      </source>
      <alias name='hostdev0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </hostdev>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </memballoon>
  </devices>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+64055:+128</label>
    <imagelabel>+64055:+128</imagelabel>
  </seclabel>
  <qemu:commandline>
    <qemu:arg value='-drive'/>
    <qemu:arg value='file=/var/lib/libvirt/images/nvme0.qcow2,if=none,id=nvme0,format=qcow2'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='nvme,drive=nvme0,serial=nvme0,cmb_size_mb=0'/>
  </qemu:commandline>
</domain>
4. Apparmor Profile - So this is where it gets odd. Even though dmesg
tells me the offending profile is "libvirt-e61ed540-1288-4920-97b1-2bdce72ab394",
I don't seem to find a matching file for that in /etc/apparmor.d/libvirt/.
[ 180.443069] audit: type=1400 audit(1527166238.184:62): apparmor="DENIED" operation="open" profile="libvirt-e61ed540-1288-4920-97b1-2bdce72ab394" name="/var/lib/libvirt/images/nvme0.qcow2" pid=2826 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055
sbates@yoda:~$ virsh dominfo athens
Id: -
Name: athens
UUID: e61ed540-1288-4920-97b1-2bdce72ab394
OS Type: hvm
State: shut off
CPU(s): 1
Max memory: 1048576 KiB
Used memory: 1048576 KiB
Persistent: yes
Autostart: disable
Managed save: no
Security model: apparmor
Security DOI: 0
sbates@yoda:~$ ls -l /etc/apparmor.d/libvirt/
total 8
-rw-r--r-- 1 root root 342 Apr 24 03:09 TEMPLATE.lxc
-rw-r--r-- 1 root root 192 Apr 24 03:09 TEMPLATE.qemu
Note that this bug did not first occur when I installed Bionic Beaver, so
it must be related to some package upgrade done in the last 2-3 weeks...
Thanks
Stephen
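An added diagnostic example, not part of Stephen's report or of libvirt itself: it cross-checks the AppArmor DENIED line against the guest XML to show where the denied image path is referenced. It assumes (as is the case for libvirt's per-domain profile generation) that only image paths declared in a <disk>/<source file=...> element reach the libvirt-<uuid> profile, while a path buried in a raw <qemu:arg> -drive option does not; the sample XML and audit line are constructed, trimmed copies of the ones above.

```python
import re
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
DENIAL_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)"')

# Constructed sample: a trimmed copy of the report's guest XML, with one disk
# declared as a <disk> and a second image passed only as a raw -drive argument.
DOMAIN_XML = """<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <uuid>e61ed540-1288-4920-97b1-2bdce72ab394</uuid>
  <devices><disk type='file' device='disk'><source file='/var/lib/libvirt/images/athens-1.qcow2'/></disk></devices>
  <qemu:commandline><qemu:arg value='-drive'/>
    <qemu:arg value='file=/var/lib/libvirt/images/nvme0.qcow2,if=none,id=nvme0,format=qcow2'/></qemu:commandline>
</domain>"""

# Constructed audit line in the same shape as the dmesg entry in the report.
AUDIT_LINE = ('apparmor="DENIED" operation="open" profile="libvirt-e61ed540-1288-4920-97b1-2bdce72ab394" '
              'name="/var/lib/libvirt/images/nvme0.qcow2" comm="qemu-system-x86" '
              'requested_mask="wr" denied_mask="wr"')

def parse_denial(line):
    """Return (profile, path) from an AppArmor DENIED audit line, or None."""
    m = DENIAL_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def declared_disk_files(root):
    """Image paths given as <disk>/<source file=...>, the form libvirt understands."""
    return {s.get("file") for s in root.iter("source") if s.get("file")}

def commandline_drive_files(root):
    """file= paths buried in raw <qemu:arg> -drive options (assumed opaque to libvirt)."""
    paths = set()
    for arg in root.iter("{%s}arg" % QEMU_NS):
        for opt in (arg.get("value") or "").split(","):
            if opt.startswith("file="):
                paths.add(opt[len("file="):])
    return paths

def classify_denial(domain_xml, audit_line):
    """Say where in the domain definition the denied path is referenced."""
    root = ET.fromstring(domain_xml)
    profile, path = parse_denial(audit_line)
    if profile != "libvirt-" + root.findtext("uuid"):
        return "other-domain"        # denial belongs to a different guest
    if path in declared_disk_files(root):
        return "declared-disk"       # should be in the profile; look elsewhere
    if path in commandline_drive_files(root):
        return "commandline-only"    # no <disk> element, so no profile rule
    return "unknown-path"
```

A "commandline-only" result is the situation in this report: the fix is to declare the image as a <disk> (or add the path to the domain's AppArmor profile) rather than to disable enforcement.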
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1772936
Title:
Apparmor enforcement blocks image permissions in libvirtd