kernel-packages team mailing list archive: Message #65173
[Bug 1327687] Re: AppArmor Regression #1236455 by #1298611
** Project changed: linux => linux (Ubuntu)
** Description changed:
Affected on kernel 3.13.0-21.43 and later on Trusty.
- Because 3.13.0-21.43 revert #1236455 fix.
+ It may be because 3.13.0-21.43 revert #1236455 fix.
linux (3.13.0-21.43) trusty; urgency=low
- [ John Johansen ]
+ [ John Johansen ]
- * Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
- * Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
- * Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
- policy"
- * Revert "SAUCE: apparmor: allocate path lookup buffers during init"
- * Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
- connection"
- * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
- * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
- - LP: #1298611
+ * Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
+ * Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
+ * Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
+ policy"
+ * Revert "SAUCE: apparmor: allocate path lookup buffers during init"
+ * Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
+ connection"
+ * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
+ * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
+ - LP: #1298611
linux (3.13.0-2.17) trusty; urgency=low
- [ John Johansen ]
+ [ John Johansen ]
- * SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
- * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
- - LP: #1208988
- * SAUCE: apparmor: allocate path lookup buffers during init
- - LP: #1208988
- * SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
- - LP: #1236455
+ * SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
+ * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
+ - LP: #1208988
+ * SAUCE: apparmor: allocate path lookup buffers during init
+ - LP: #1208988
+ * SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
+ - LP: #1236455
-
- I've observed a failing of AppArmor policy update with libvirt, qemu and vagrant.
+ I've observed a failing of AppArmor policy update with libvirt, qemu and
+ vagrant.
vagrant ask libvirt to create vmimage backing with other qcow2 image that located in another directory.
virt-aa-helper should add it but fails.
/etc/apparmor.d/libvirt/libvirt-ef734772-4f19-4d0a-994d-a7398d178378.files:
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
- "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.log" w,
- "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.monitor" rw,
- "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
- "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
- "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
- "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
- "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
- "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
- "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
+ "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.log" w,
+ "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.monitor" rw,
+ "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
+ "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
+ "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
+ "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
+ "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
+ "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
+ "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
/var/log/libivrt/libvirtd.log:
Jun 8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Jun 8 09:26:13 tuna kernel: [33901.090212] type=1400 audit(1402187173.746:82): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Jun 8 09:26:13 tuna kernel: [33901.090251] type=1400 audit(1402187173.746:83): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
-
- running
+ running
sudo aa-complain /usr/lib/libvirt/virt-aa-helper
solves a problem. After running above command, I get following:
/etc/apparmor.d/libvirt/libvirt-ed29623f-5006-4b04-9d71-ac46267ef9fc.files:
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
- "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.log" w,
- "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.monitor" rw,
- "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
- "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
- "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
- "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
- "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402187682.img" rw,
- "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
- # don't audit writes to readonly files
- deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
- "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
- "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
+ "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.log" w,
+ "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.monitor" rw,
+ "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
+ "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
+ "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
+ "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
+ "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402187682.img" rw,
+ "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
+ # don't audit writes to readonly files
+ deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
+ "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
+ "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
virt-aa-helper generates policy rule and reloaded properly.
The observation tell us a policy in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
- @{HOME}/** r,
- /**.img r,
+ @{HOME}/** r,
+ /**.img r,
not working and fails update libvirt policy.
This behavior is same as #1236455.
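Added example, not part of the bug report or of libvirt/AppArmor: a Python check that parses the DENIED audit records quoted above and then tests whether a path and access mask is covered by a set of AppArmor file rules, here the virt-aa-helper lines "@{HOME}/** r," and "/**.img r," and the per-VM .files fragment generated after aa-complain. The @{HOME} tunable values and the simplified glob semantics are assumptions, not taken from the page.

```python
import re

# Two of the audit records quoted in the report (same profile, path and mask each time).
DENIED_LOG = """\
Jun 8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Jun 8 09:26:13 tuna kernel: [33901.090212] type=1400 audit(1402187173.746:82): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
"""
# Rules quoted in the report: the virt-aa-helper profile lines that should let the helper
# read the backing image, and part of the per-VM .files generated after aa-complain.
HELPER_RULES = "@{HOME}/** r,\n/**.img r,\n"
VM_RULES_AFTER = """\
"/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
"/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
"""
# Assumed values of the @{HOME} tunable (Ubuntu's tunables/home); the page does not state them.
TUNABLES = {"@{HOME}": ["/home/*/", "/root/"]}
AUDIT_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)".*?requested_mask="([^"]+)"')
RULE_RE = re.compile(r'^\s*(deny\s+)?"?([^"\s]+)"?\s+([a-zA-Z]+)\s*,\s*$')

def parse_denials(log_text):
    """Distinct (profile, path, requested_mask) triples among the DENIED audit lines."""
    return sorted({m.groups() for m in map(AUDIT_RE.search, log_text.splitlines()) if m})

def glob_to_regex(pattern):
    """AppArmor file glob to anchored regex: '**' may cross '/', '*' and '?' may not (simplified)."""
    parts = re.split(r"(\*\*|\*|\?)", pattern)  # '**' is tokenised before a lone '*'
    repl = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("^" + "".join(repl.get(p, re.escape(p)) for p in parts) + "$")

def parse_rules(text):
    """Parse '[deny] "path" perms,' lines, expanding @{VAR} and collapsing '//' as apparmor_parser does."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        deny, path, perms = m.groups()
        paths = [path]
        for var, values in TUNABLES.items():
            if var in path:
                paths = [p.replace(var, v).replace("//", "/") for p in paths for v in values]
        rules += [(bool(deny), glob_to_regex(p), set(perms)) for p in paths]
    return rules

def allowed(rules, path, mask):
    """Deny wins: refuse if a matching deny rule shares a bit with the request, otherwise
    require the matching allow rules to grant every requested bit."""
    want, hits = set(mask), [(d, perms) for d, rx, perms in rules if rx.match(path)]
    if any(d and want & perms for d, perms in hits):
        return False
    return want <= set().union(*(perms for d, perms in hits if not d))
```

Run against the quoted lines, the denied path is covered by both virt-aa-helper rules, which is why the report attributes the failure to the kernel rather than to the policy text.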
--
https://bugs.launchpad.net/bugs/1327687
Title:
AppArmor Regression #1236455 by #1298611
Status in “apparmor” package in Ubuntu:
New
Status in “linux” package in Ubuntu:
New