kernel-packages team mailing list archive

[Bug 1327687] Missing required logs.

 

This bug is missing log files that will aid in diagnosing the problem.
From a terminal window please run:

apport-collect 1327687

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.

** Changed in: linux (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1327687

Title:
  AppArmor Regression #1236455 by #1298611

Status in “apparmor” package in Ubuntu:
  New
Status in “linux” package in Ubuntu:
  Incomplete

Bug description:
  Affected on kernel 3.13.0-21.43 and later on Trusty.

  It may be because 3.13.0-21.43 reverts the #1236455 fix.

  linux (3.13.0-21.43) trusty; urgency=low

    [ John Johansen ]

    * Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
    * Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
    * Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
      policy"
    * Revert "SAUCE: apparmor: allocate path lookup buffers during init"
    * Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
      connection"
    * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
    * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
      - LP: #1298611

  linux (3.13.0-2.17) trusty; urgency=low

    [ John Johansen ]

    * SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
    * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
      - LP: #1208988
    * SAUCE: apparmor: allocate path lookup buffers during init
      - LP: #1208988
    * SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
      - LP: #1236455

  I've observed AppArmor policy updates failing with libvirt, qemu
  and vagrant.

  vagrant asks libvirt to create a VM image backed by another qcow2 image that is located in another directory.
  virt-aa-helper should add it but fails.

  /etc/apparmor.d/libvirt/libvirt-ef734772-4f19-4d0a-994d-a7398d178378.files:
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
    "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.log" w,
    "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.monitor" rw,
    "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
    "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
    "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
    "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
    "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
    "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
    "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,

  /var/log/libvirt/libvirtd.log:
  Jun  8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
  Jun  8 09:26:13 tuna kernel: [33901.090212] type=1400 audit(1402187173.746:82): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
  Jun  8 09:26:13 tuna kernel: [33901.090251] type=1400 audit(1402187173.746:83): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118

  Running

  sudo aa-complain /usr/lib/libvirt/virt-aa-helper

  solves the problem. After running the above command, I get the following:

  /etc/apparmor.d/libvirt/libvirt-ed29623f-5006-4b04-9d71-ac46267ef9fc.files:
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
    "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.log" w,
    "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.monitor" rw,
    "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
    "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
    "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
    "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
    "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402187682.img" rw,
    "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
    # don't audit writes to readonly files
    deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
    "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
    "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,

  virt-aa-helper generates the policy rule and it is reloaded properly.

  The observation tells us that the policy in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
    @{HOME}/** r,
    /**.img r,
  is not working, and it fails to update the libvirt policy.

  This behavior is the same as #1236455.
  --- 
  ApportVersion: 2.14.1-0ubuntu3
  Architecture: amd64
  CurrentDesktop: X-Cinnamon
  DistroRelease: Ubuntu 14.04
  InstallationDate: Installed on 2010-08-15 (1392 days ago)
  InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
  NonfreeKernelModules: nvidia
  Package: linux
  PackageArchitecture: amd64
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=ja_JP.utf8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-24-generic root=UUID=b2b909b5-fe09-4d83-b740-7bbeb6ba0f51 ro quiet splash nomdmonddf nomdmonisw nomdmonddf nomdmonisw crashkernel=384M-:128M
  ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
  Syslog:
   
  Tags: qiana third-party-packages
  Uname: Linux 3.13.0-24-generic x86_64
  UpgradeStatus: Upgraded to qiana on 2014-04-20 (48 days ago)
  UserGroups: adm admin cdrom dialout disk kvm libvirtd lpadmin plugdev sambashare scanner
  _MarkForUpload: True

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1327687/+subscriptions
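
An added example, not part of the original report and not libvirt or AppArmor code: a triage helper that takes a kernel `apparmor="DENIED"` line like the ones quoted in the bug and checks whether a generated `libvirt-<uuid>.files` rule set grants the denied access. The glob matching is a simplified assumption about AppArmor's syntax, the function names are hypothetical, and the sample rule text is constructed from lines in the report.

```python
import re

# Constructed sample input: rule lines and one kernel log line taken from the report.
RULES_BEFORE = '''# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
'''
RULES_AFTER = RULES_BEFORE + '''  "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
  # don't audit writes to readonly files
  deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
'''
LOG_LINE = ('Jun  8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): '
            'apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" '
            'name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 '
            'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118')

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                       # key=value audit fields
RULE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([a-z]+),\s*$')  # [deny] "glob" perms,

def glob_to_regex(glob):
    """Simplified AppArmor glob (assumption): '**' crosses '/', '*' and '?' do not."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(tokens.get(p, re.escape(p)) for p in parts) + r"\Z")

def parse_rules(text):
    """Return (is_deny, compiled_glob, permission_set) for each file rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((bool(m.group(1)), glob_to_regex(m.group(2)), set(m.group(3))))
    return rules

def missing_permissions(log_line, rules_text):
    """Denied permissions that the rule file does not grant for the denied path."""
    fields = {k: v.strip('"') for k, v in KV.findall(log_line)}
    if fields.get("apparmor") != "DENIED":
        return []
    allowed, denied = set(), set()
    for is_deny, rx, perms in parse_rules(rules_text):
        if rx.match(fields["name"]):
            (denied if is_deny else allowed).update(perms)
    return sorted(set(fields["denied_mask"]) - (allowed - denied))

if __name__ == "__main__":
    print("before:", missing_permissions(LOG_LINE, RULES_BEFORE))
    print("after: ", missing_permissions(LOG_LINE, RULES_AFTER))
```

A non-empty result means the backing image path never made it into the per-VM rule file, which is the symptom the report attributes to virt-aa-helper.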