
group.of.nepali.translators team mailing list archive

[Bug 1641618] Re: Apparmor denials caused by virt-aa-helper trying to read zvol devices (/dev/zdX) should be silenced

 

Thank you Simon,
since this is "only" about silencing a warning it wasn't worth an SRU in my personal opinion.
I can consider wrapping it up in another SRU though and let the SRU Team decide.
The "impact" of warnings might be too low, but OTOH the regression potential is as well and Xenial will be with us for quite a while still :-).

I keep this task unread and would try to bundle with another SRU eventually.
But sadly ATM I can't get to bisect the other case which is required to drive it forward (FYI bug 1620407).

** Also affects: libvirt (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: libvirt (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: libvirt (Ubuntu Xenial)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1641618

Title:
  Apparmor denials caused by virt-aa-helper trying to read zvol devices
  (/dev/zdX) should be silenced

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Xenial:
  Triaged

Bug description:
  When a qemu-kvm guest is using a zvol or a DRBD volume or a NVME
  partition, Apparmor denial messages are logged due to virt-aa-helper
  trying to access the volume/device. Those should be silenced as it's
  already done for Logical Volumes.

  [Test Case]
  1) Create a KVM guest
  2) Edit the guest's XML profile to reference a zvol|DRBD volume|NVME partition
      <disk type='block' device='disk'>
        <driver name='qemu' type='raw' cache='none'/>
        <source dev='/dev/zvol/data/foo'/>
        <target dev='vda' bus='virtio'/>
      </disk>
  3) Start the guest
  4) Check dmesg for any Apparmor denials, there should be none with the patch

  *Without* the patch, one would see those (or similar) denials:

  audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED"
  operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
  name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r"
  denied_mask="r" fsuid=0 ouid=0

  
  [Regression Potential]
  Adding a couple of explicit denials to the virt-aa-helper profile shouldn't cause any harm because Apparmor already denies those, this is just about silencing this.

  
  [Original description]
  Libvirt qemu-kvm guests backed by zvols (ZFS volumes) generate useless noise due to virt-aa-helper trying to read the backing device in the host (/dev/zdX). Other host's devs are already denied in virt-aa-helper's profile:

    # for hostdev
    /sys/devices/ r,
    /sys/devices/** r,
    /sys/bus/usb/devices/ r,
    /sys/bus/usb/devices/** r,
    deny /dev/sd* r,
    deny /dev/dm-* r,
    deny /dev/mapper/ r,
    deny /dev/mapper/* r,

  Adding "deny /dev/zd[0-9]* r," would silence Apparmor.

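For step 4 of the test case, a check over captured denials that reports which ones a given set of deny rules would still leave in the log. This is an added example, not part of the bug report or the libvirt patch; the function names are hypothetical, the glob translation assumes AppArmor path globbing (`*` and `?` stop at `/`, `**` does not), and every sample line except the first is constructed.

```python
import re

PROFILE = "/usr/lib/libvirt/virt-aa-helper"
# Deny rules quoted in the bug report, and the rule it proposes adding.
EXISTING = ["/dev/sd*", "/dev/dm-*", "/dev/mapper/", "/dev/mapper/*"]
PROPOSED = "/dev/zd[0-9]*"

# Constructed sample: the first entry is the denial from the report joined onto
# one line; the others (second zvol, DRBD device, other profile) are made up.
SAMPLE = [
    'audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=16715 '
    'comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1479809920.001:4084): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd16" requested_mask="r"',
    'audit: type=1400 audit(1479809921.002:4085): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/drbd0" requested_mask="r"',
    'audit: type=1400 audit(1479809922.003:4086): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/example" name="/dev/zd0" requested_mask="r"',
]

def aa_glob_to_regex(glob):
    """AppArmor path glob -> anchored regex; character classes are copied as-is."""
    tokens = re.findall(r"\*\*|\*|\?|\[[^\]]+\]|.", glob)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    body = "".join(t if t.startswith("[") and len(t) > 1
                   else table.get(t, re.escape(t)) for t in tokens)
    return re.compile(body + r"\Z")

def parse_audit(line):
    """Split an audit record into key/value fields, dropping the quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def still_logged(lines, rules):
    """Paths in virt-aa-helper denials that none of `rules` would silence."""
    pats = [aa_glob_to_regex(r) for r in rules]
    fields = [parse_audit(line) for line in lines]
    return [f["name"] for f in fields
            if f.get("apparmor") == "DENIED" and f.get("profile") == PROFILE
            and "name" in f and not any(p.match(f["name"]) for p in pats)]

if __name__ == "__main__":
    print(still_logged(SAMPLE, EXISTING))               # rules as quoted
    print(still_logged(SAMPLE, EXISTING + [PROPOSED]))  # with the proposed rule
```

The constructed `/dev/drbd0` entry stays in the second result because the page gives a rule only for zvols; rules for DRBD and NVMe devices are not shown there.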