** Description changed:

+ [ Impact ]
+
+  * libvirt calls virt-aa-helper (with argument -F)
+    to append a new rule to the apparmor profile of the VM.
+    virt-aa-helper does not check for duplicates and blindly
+    appends the rule to the profile. Since there is no rule
+    removal when a device is detached, this can make the
+    profile grow in size and even hit the size limit
+
+  * Backport the upstream patch that checks and does
+    not add duplicates over and over again
+
+ [ Test Plan ]
+
+ Create a guest via libvirt/kvm, for example with uvtool
+
+ $ uvt-kvm create --password=ubuntu q2 arch=amd64 label=daily release=questing
+
+ Create a network device definition for libvirt in a file
+
+ $ cat net-add-test.xml
+ <interface type='network'>
+   <source network='default' bridge='virbr0'/>
+   <target dev='vnet1'/>
+   <model type='virtio'/>
+   <alias name='net1'/>
+ </interface>
+
+ Attach and detach that over and over like:
+
+ $ for i in $(seq 1 10); do virsh attach-device q2 net-add-test.xml; sleep 1; virsh detach-device q2 net-add-test.xml; done
+
+ Get the UUID of the guest
+
+ $ virsh dominfo q2 | grep UUID
+ UUID            33884b16-ff6e-4947-bd0d-ec8dedba0395
+
+ In the bad case, this will have many such entries
+ In the good case no further ones would have been added
+
+ $ grep dev.*tun libvirt-33884b16-ff6e-4947-bd0d-ec8dedba0395.files
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+   "/dev/net/tun" rwk,
+
+
+ [ Where problems could occur ]
+
+  * The change is isolated to dynamic apparmor handling, so we talk about
+    rules missed to be added in the worst case. Therefore we'd want to look
+    out for new apparmor denials or generally apparmor related issues to be
+    reported that were not present before.
+
+ [ Other Info ]
+
+  * n/a
+
+
+ ----
  I'm using libvirt 10.0.0 libvirt from noble
  ```
  root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# libvirtd --version
  libvirtd (libvirt) 10.0.0
  root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# dpkg -l |grep libvirt
  ii  libvirt-clients                 10.0.0-2ubuntu8.8  amd64  Programs for the libvirt library
  ii  libvirt-daemon                  10.0.0-2ubuntu8.8  amd64  Virtualization daemon
  ii  libvirt-daemon-config-network   10.0.0-2ubuntu8.8  all    Libvirt daemon configuration files (default network)
  ii  libvirt-daemon-config-nwfilter  10.0.0-2ubuntu8.8  all    Libvirt daemon configuration files (default network filters)
  ii  libvirt-daemon-driver-qemu      10.0.0-2ubuntu8.8  amd64  Virtualization daemon QEMU connection driver
  ii  libvirt-daemon-system           10.0.0-2ubuntu8.8  amd64  Libvirt daemon configuration files
  ii  libvirt-daemon-system-systemd   10.0.0-2ubuntu8.8  all    Libvirt daemon configuration files (systemd)
  ii  libvirt0:amd64                  10.0.0-2ubuntu8.8  amd64  library for interfacing with different virtualization systems
  ```
  Libvirt configuration
  ```
- root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# cat /etc/libvirt/qemu.conf
+ root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# cat /etc/libvirt/qemu.conf
  default_tls_x509_cert_dir = "/etc/pki/qemu"
  default_tls_x509_verify = 1
  group = "kvm"
  security_driver = "apparmor"
  stdio_handler = "logd"
  user = "nova"
  vnc_listen = "0.0.0.0"
  vnc_tls = 1
- vnc_tls_x509_verify = 1root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/#
- root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# cat /etc/libvirt/libvirtd.conf
+ vnc_tls_x509_verify = 1root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/#
+ root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# cat /etc/libvirt/libvirtd.conf
  auth_tcp = "none"
  keepalive_count = 9
  keepalive_interval = 10
  listen_addr = "10.10.0.191"
  listen_tcp = 0
  listen_tls = 1
  log_level = 3
  log_outputs = "1:file:/var/log/libvirt/libvirtd.log"
-
- root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# cat /etc/libvirt/libvirt.conf
+ root@vs-ps-czma3v4h7hzz-1-4gc232su7ouh-server-px5drx7avo4b:/# cat /etc/libvirt/libvirt.conf
  #
  # This can be used to setup URI aliases for frequently
  # used connection URIs. Aliases may contain only the
  # characters  a-Z, 0-9, _, -.
  #
  # Following the '=' may be any valid libvirt connection
  # URI, including arbitrary parameters
  
  #uri_aliases = [
  #  "hail=qemu+ssh://[email protected]/system",
  #  "sleet=qemu+ssh://[email protected]/system",
  #]
  
  #
  # These can be used in cases when no URI is supplied by the application
  # (@uri_default also prevents probing of the hypervisor driver).
  #
  #uri_default = "qemu:///system"
  ```
  Each time a NIC is added to the VM, a new /dev/net/tun entry appears in /etc/apparmor.d/libvirt/libvirt-1157526e-4520-4fbf-8bd4-b606d37ad6b1.files
- When the interface is detached, the /dev/net/tun entry is not removed.
+ When the interface is detached, the /dev/net/tun entry is not removed.
  
  There are two problems related to this:
  1. Even when all interfaces are removed from the domain, it still has allow rules for the tun device (which it should not).
  2. Overflow is possible: when many attach/detach actions are executed, the file size may grow up to the 10Mb limit and apparmor will refuse any other changes.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2120278

Title:
  Apparmor /dev/net/tun overflow

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2120278/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
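The duplicate check from the test plan, plus the "append only if absent" behaviour the backported fix gives virt-aa-helper, as an added example that is not part of the bug report or of libvirt's own code. The profile path and its contents are constructed for the example, and the vhost-net rule is a made-up second rule used only to show that a new rule is still appended.

```shell
#!/bin/sh
# Added example (not libvirt code): check a libvirt-<uuid>.files profile for
# duplicated rules and show the append-once logic of the fix.
set -eu

# Constructed sample of a profile after the attach/detach loop on an
# unpatched host (path and contents are made up for this example).
PROFILE="${TMPDIR:-/tmp}/libvirt-constructed-example.files"
cat > "$PROFILE" <<'EOF'
  "/var/lib/libvirt/images/q2.qcow2" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
  "/dev/net/tun" rwk,
EOF

# Print the number of distinct rule lines that occur more than once.
# After the test plan's loop a patched host should report 0.
count_dup_rules() {
    sed 's/^[[:space:]]*//' "$1" | sort | uniq -d | wc -l | tr -d ' '
}

# Print how many lines of the profile mention the given rule text,
# e.g. the "/dev/net/tun" rule the test plan greps for.
count_rule() {
    grep -cF -- "$2" "$1" || true
}

# Mirror the fix: append a rule only when the profile does not already
# contain it, so repeated attaches cannot grow the file without bound.
append_rule_once() {
    if ! grep -qF -- "$2" "$1"; then
        printf '  %s\n' "$2" >> "$1"
    fi
}

append_rule_once "$PROFILE" '"/dev/net/tun" rwk,'    # already present: skipped
append_rule_once "$PROFILE" '"/dev/vhost-net" rw,'   # new rule: appended once
append_rule_once "$PROFILE" '"/dev/vhost-net" rw,'   # second attach: skipped
echo "duplicated rule lines: $(count_dup_rules "$PROFILE")"
echo "tun rule occurrences:  $(count_rule "$PROFILE" '/dev/net/tun')"
```

Running count_dup_rules against the real /etc/apparmor.d/libvirt/libvirt-<uuid>.files after the attach/detach loop gives a one-number pass/fail for the test plan.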
