Public bug reported:
In a similar way as we found in bug 1845506 that multiple disks can kill
the rules for each other, the rarely used snapshot option --memspec has
issues as well.
If used, the flow reaches access to the disks before rules are added (maybe none
are added for memspec, but the failing one is on the actual snapshot, which
works without --memspec).
So a rule that would be created isn't present in this case at the time access starts.
Repro:
#1 get a guest
$ uvt-kvm create --host-passthrough --password=ubuntu h-test release=hirsute arch=amd64 label=daily
# get rid of secondary disk (otherwise we'd need to back that up as well)
$ virsh detach-disk h-test vdb
$ virsh snapshot-create-as --domain h-test --name h-test-snap --diskspec vda,snapshot=external,file=/var/lib/uvtool/libvirt/images/h-test.qcow.snapshot --memspec snapshot=external,file=/var/lib/uvtool/libvirt/images/h-test2.mem --print-xml
Denial:
[3006813.872572] audit: type=1400 audit(1606374248.321:6198): apparmor="DENIED" operation="open" namespace="root//lxd-f_<var-snap-lxd-common-lxd>" profile="libvirt-8f8dce51-0abb-470f-a5b1-dd11393cc0c8" name="/var/lib/uvtool/libvirt/images/h-test2.qcow.snapshot" pid=1014838 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
IMHO this is super uncommon (it has existed for years and had no report yet),
but if one is affected you'd need to add an override either for all
guests (/etc/apparmor.d/local/abstractions/libvirt-qemu) or an
individual guest (/etc/apparmor.d/libvirt/libvirt-<uuid>).
Due to that the prio is IMHO low, but this bug shall help if people search
the net for it, and be a place to chime in outlining why this use-case is
more important than we think atm.
** Affects: libvirt (Ubuntu)
Importance: Low
Status: Confirmed
** Changed in: libvirt (Ubuntu)
Importance: Undecided => Low
** Changed in: libvirt (Ubuntu)
Status: New => Confirmed
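As an added example (not from the report, libvirt or Ubuntu), a small POSIX shell helper that turns audit DENIED lines like the one above into the AppArmor file rules one would paste into the per-guest override file the report names (/etc/apparmor.d/libvirt/<profile>). The first sample line is the denial from the report; the second is constructed to show the .mem file case and is not from the page.

```shell
#!/bin/sh
# Constructed sample input: line 1 is the denial quoted in the report,
# line 2 is a made-up denial for the --memspec file (not from the report).
AUDIT_SAMPLE='[3006813.872572] audit: type=1400 audit(1606374248.321:6198): apparmor="DENIED" operation="open" namespace="root//lxd-f_<var-snap-lxd-common-lxd>" profile="libvirt-8f8dce51-0abb-470f-a5b1-dd11393cc0c8" name="/var/lib/uvtool/libvirt/images/h-test2.qcow.snapshot" pid=1014838 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
[3006814.000000] audit: type=1400 audit(1606374249.000:6199): apparmor="DENIED" operation="open" profile="libvirt-8f8dce51-0abb-470f-a5b1-dd11393cc0c8" name="/var/lib/uvtool/libvirt/images/h-test2.mem" pid=1014838 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055'

# field LINE KEY: print the value of one key="value" pair from an audit line.
# The leading space in the pattern keeps "name=" from matching "namespace=".
field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# deny_to_rule LINE: emit an AppArmor path rule granting exactly the mask
# that was denied, e.g.   "/var/lib/.../h-test2.qcow.snapshot" r,
# Returns 1 for lines that are not DENIED events.
deny_to_rule() {
  line=$1
  [ "$(field "$line" apparmor)" = DENIED ] || return 1
  printf '  "%s" %s,\n' "$(field "$line" name)" "$(field "$line" denied_mask)"
}

# rules_for_profile PROFILE (audit lines on stdin): the deduplicated set of
# rules for one guest profile, i.e. what goes into
# /etc/apparmor.d/libvirt/PROFILE per the report (assumed target file).
rules_for_profile() {
  while IFS= read -r l; do
    [ "$(field "$l" profile)" = "$1" ] || continue
    deny_to_rule "$l"
  done | sort -u
}

# Stand-alone run: show the rules needed for the guest from the report.
printf '%s\n' "$AUDIT_SAMPLE" \
  | rules_for_profile libvirt-8f8dce51-0abb-470f-a5b1-dd11393cc0c8
```

Reload the edited profile with apparmor_parser -r afterwards; libvirt regenerates the per-guest file when the domain definition changes, so recheck the rule after editing the guest.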
https://bugs.launchpad.net/bugs/1905674
Title:
libvirt snapshots specifying --memspec need apparmor support