
group.of.nepali.translators team mailing list archive

[Bug 1641618] Re: Apparmor denials caused by virt-aa-helper trying to read zvol devices (/dev/zdX) should be silenced


This bug was fixed in the package libvirt - 1.3.1-1ubuntu10.8

---------------
libvirt (1.3.1-1ubuntu10.8) xenial; urgency=medium

  * fix virsh nodecpumap output (LP: #1659769)
  * fix using type ethernet interfaces with user scripts (LP: #1620407)
  * add new block device types to virt-aa-helpers profile (LP: #1641618)

 -- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>  Mon, 06 Feb 2017 14:30:46 +0100

** Changed in: libvirt (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1641618

Title:
  Apparmor denials caused by virt-aa-helper trying to read zvol devices
  (/dev/zdX) should be silenced

Status in libvirt package in Ubuntu:
  Fix Released
Status in libvirt source package in Xenial:
  Fix Released

Bug description:
  When a qemu-kvm guest is using a zvol or a DRBD volume or a NVME
  partition, Apparmor denial messages are logged due to virt-aa-helper
  trying to access the volume/device. Those should be silenced as it's
  already done for Logical Volumes.

  [Impact]

   * libvirt driving guests on more recent backing devices floods logs and
     dmesg due to non critical apparmor denials.

   * those can distract from real issues and therefore (as with similar
     cases in the past) should be silenced by explicit denials.

  [Test Case]
  1) Create a KVM guest
  2) Edit the guest's XML profile to reference a zvol|DRBD volume|NVME partition
      <disk type='block' device='disk'>
        <driver name='qemu' type='raw' cache='none'/>
        <source dev='/dev/zvol/data/foo'/>
        <target dev='vda' bus='virtio'/>
      </disk>
  3) Start the guest
  4) Check dmesg for any Apparmor denials, there should be none with the patch

  *Without* the patch, one would see those (or similar) denials:

  audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED"
  operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
  name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r"
  denied_mask="r" fsuid=0 ouid=0

  [Regression Potential]
  Adding a couple of explicit denials to the virt-aa-helper profile shouldn't cause any harm because Apparmor already denies those; this is just about silencing it.

  [Original description]
  Libvirt qemu-kvm guests backed by zvols (ZFS volumes) generate useless noise due to virt-aa-helper trying to read the backing device in the host (/dev/zdX). Other host devices are already denied in virt-aa-helper's profile:

    # for hostdev
    /sys/devices/ r,
    /sys/devices/** r,
    /sys/bus/usb/devices/ r,
    /sys/bus/usb/devices/** r,
    deny /dev/sd* r,
    deny /dev/dm-* r,
    deny /dev/mapper/ r,
    deny /dev/mapper/* r,

  Adding "deny /dev/zd[0-9]* r," would silence Apparmor.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1641618/+subscriptions
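Added example, not part of the bug report or of the libvirt package: a small POSIX shell check that automates step 4 of the test case above. It reads audit lines in the format quoted in the bug, keeps only DENIED events raised by the virt-aa-helper profile, and prints the device path and denied mask for each, so noise from virt-aa-helper can be told apart from denials against a guest's own profile. The log lines are constructed for the example (the first mirrors the one in the bug; the guest profile name is a placeholder).

```shell
#!/bin/sh
# Constructed sample log; in practice feed `dmesg` or the audit log instead.
SAMPLE_LOG=$(cat <<'EOF'
audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1479809920.001:4084): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/drbd0" pid=16716 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1479809921.002:4085): apparmor="ALLOWED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/sda1" pid=16717 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1479809922.003:4086): apparmor="DENIED" operation="open" profile="libvirt-PLACEHOLDER-UUID" name="/dev/zd0" pid=16718 comm="qemu-system-x86_64" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
)

# virt_aa_helper_denials: read log text from stdin and print
# "<name> <denied_mask>" for every DENIED event whose profile is
# virt-aa-helper. Denials from other profiles (e.g. a guest's own
# libvirt-<uuid> profile) are deliberately left out: those are not the
# harmless noise this bug is about and deserve a separate look.
virt_aa_helper_denials() {
    grep 'apparmor="DENIED"' |
    grep 'profile="/usr/lib/libvirt/virt-aa-helper"' |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p'
}

# count_denials: number of virt-aa-helper denials in the text on stdin.
# With the fixed profile in place this should be 0 for the test case.
count_denials() {
    virt_aa_helper_denials | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | virt_aa_helper_denials
```

Against the sample this lists /dev/zd0 and /dev/drbd0 as virt-aa-helper denials and ignores the ALLOWED line and the guest-profile line; run `dmesg | count_denials` after starting the guest to get the number step 4 asks for.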