Issue statement ---
The issue is the overflow of the VM's AppArmor (AA) profile: libvirt keeps updating the profile when a device is dynamically added at runtime, without checking for duplicates.

Issue analysis ---
When a VM is created, libvirt creates an AppArmor profile (/etc/apparmor.d/libvirt/libvirt-<uuid>) for the VM. This profile is composed of 2 parts:
- *common*: abstractions/libvirt-qemu : common to all VMs, can be modified by the admin.
- *VM-specific*: /etc/apparmor.d/libvirt/libvirt-<uuid>.files : generated at VM start based on the VM XML definition and modified at VM runtime to add additional rules needed for the VM to function (the typical use case is when we dynamically attach a device to the VM).
The overflow issue reported in this bug is related to the *VM-specific* part.

To modify the *VM-specific* part, libvirt uses the helper program /usr/lib/libvirt/virt-aa-helper, providing the VM XML configuration via stdin. As an example, when a network device is added to the VM (as reported in this bug), libvirt calls virt-aa-helper as follows:

/usr/lib/libvirt/virt-aa-helper -r -u libvirt-<uuid> -F /dev/net/tun < <VM-XML>

-r : replace the current profile (because the VM is running and the profile already exists)
-u : the VM AA profile name
-F : append the rule to the profile
<VM-XML> : the VM XML definition, provided on stdin

/usr/lib/libvirt/virt-aa-helper does not check whether the AA entry already exists in the current profile and just adds the requested entry to the file; that is why the AA profile might overflow after a big number of similar operations.

https://bugs.launchpad.net/bugs/2120278
Title: Apparmor /dev/net/tun overflow
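The following is an added example, not code from libvirt or from the bug reporter. It shows the check a practitioner would want against the behaviour described above: parse a per-VM `.files` profile, count rules that appear more than once (the symptom of the unbounded `-F` appends), and implement the "append only if not already present" logic that the report says virt-aa-helper lacks. The sample profile text is constructed; it assumes the `  "path" perms,` line shape that virt-aa-helper writes, and the `rwk` permission string is an assumption about what the helper emits for `-F`, not taken from the bug.

```python
"""Detect and deduplicate repeated file rules in a libvirt per-VM
AppArmor .files profile. Added example; not libvirt's own code."""
import re
from collections import Counter

# Constructed sample of /etc/apparmor.d/libvirt/libvirt-<uuid>.files after
# several hot-plug operations. Assumption: rules have the shape
#   "path" perms,
# and the tun rule is appended with "rwk"; real files may contain other
# rule forms, which parse_rules() simply ignores.
SAMPLE_PROFILE = """\
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/lib/libvirt/images/vm.qcow2" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
"""

# One quoted path, whitespace, a permission word, a trailing comma.
RULE_RE = re.compile(r'^\s*"(?P<path>[^"]+)"\s+(?P<perms>[a-zA-Z]+),\s*$')


def parse_rules(text):
    """Return [(path, perms), ...] for every file-rule line, in file order.
    Comment and blank lines, and anything not matching RULE_RE, are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("path"), m.group("perms")))
    return rules


def duplicate_rules(text):
    """Map (path, perms) -> occurrence count for rules present more than once.
    An empty dict means the profile has no repeated entries."""
    counts = Counter(parse_rules(text))
    return {rule: n for rule, n in counts.items() if n > 1}


def append_rule(text, path, perms="rwk"):
    """Append a rule only if an identical (path, perms) rule is absent.
    This is the duplicate check that the report says the -F path lacks:
    repeated hot-plug of the same device leaves the profile unchanged."""
    if (path, perms) in parse_rules(text):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + '  "%s" %s,\n' % (path, perms)


def dedupe_profile(text):
    """Rewrite the profile keeping the first occurrence of each rule and
    every non-rule line (header comments) untouched."""
    seen = set()
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule = (m.group("path"), m.group("perms"))
            if rule in seen:
                continue
            seen.add(rule)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for (path, perms), n in duplicate_rules(SAMPLE_PROFILE).items():
        print("duplicated %d times: \"%s\" %s," % (n, path, perms))
    cleaned = dedupe_profile(SAMPLE_PROFILE)
    # A further hot-plug of the tun device no longer grows the file.
    assert append_rule(cleaned, "/dev/net/tun") == cleaned
    print(cleaned, end="")
```

To run the duplicate check against a live host, replace `SAMPLE_PROFILE` with the contents of the VM's `.files` profile; a non-empty result from `duplicate_rules()` is the condition the bug describes. Note that `dedupe_profile()` only removes repeats, so the file still needs to be reloaded into the kernel (for example with `apparmor_parser -r` on the main profile) for the change to take effect.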
