
kernel-packages team mailing list archive

[Bug 1327687] Re: AppArmor Regression #1236455 by #1298611

 

apport information

** Tags added: apport-collected qiana third-party-packages

** Description changed:

  Affected on kernel 3.13.0-21.43 and later on Trusty.
  
  It may be because 3.13.0-21.43 reverts the #1236455 fix.
  
  linux (3.13.0-21.43) trusty; urgency=low
  
    [ John Johansen ]
  
    * Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
    * Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
    * Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
      policy"
    * Revert "SAUCE: apparmor: allocate path lookup buffers during init"
    * Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
      connection"
    * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
    * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
      - LP: #1298611
  
  linux (3.13.0-2.17) trusty; urgency=low
  
    [ John Johansen ]
  
    * SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
    * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
      - LP: #1208988
    * SAUCE: apparmor: allocate path lookup buffers during init
      - LP: #1208988
    * SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
      - LP: #1236455
  
  I've observed a failure of AppArmor policy updates with libvirt, qemu and
  vagrant.
  
  vagrant asks libvirt to create a VM image backed by another qcow2 image that is located in another directory.
  virt-aa-helper should add it but fails.
  
  /etc/apparmor.d/libvirt/libvirt-ef734772-4f19-4d0a-994d-a7398d178378.files:
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
    "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.log" w,
    "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.monitor" rw,
    "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
    "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
    "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
    "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
    "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
    "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
    "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
  
  /var/log/libvirt/libvirtd.log:
  Jun  8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
  Jun  8 09:26:13 tuna kernel: [33901.090212] type=1400 audit(1402187173.746:82): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
  Jun  8 09:26:13 tuna kernel: [33901.090251] type=1400 audit(1402187173.746:83): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
  
  running
  
  sudo aa-complain /usr/lib/libvirt/virt-aa-helper
  
  solves the problem. After running the above command, I get the following:
  
  /etc/apparmor.d/libvirt/libvirt-ed29623f-5006-4b04-9d71-ac46267ef9fc.files:
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
    "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.log" w,
    "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.monitor" rw,
    "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
    "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
    "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
    "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
    "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402187682.img" rw,
    "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
    # don't audit writes to readonly files
    deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
    "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
    "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
  
  virt-aa-helper generates the policy rule and it is reloaded properly.
  
  The observation tells us that the policy in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
    @{HOME}/** r,
    /**.img r,
  is not working and fails to update the libvirt policy.
  
  This behavior is the same as #1236455.
+ --- 
+ ApportVersion: 2.14.1-0ubuntu3
+ Architecture: amd64
+ CurrentDesktop: X-Cinnamon
+ DistroRelease: Ubuntu 14.04
+ InstallationDate: Installed on 2010-08-15 (1392 days ago)
+ InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
+ NonfreeKernelModules: nvidia
+ Package: linux
+ PackageArchitecture: amd64
+ ProcEnviron:
+  TERM=xterm
+  PATH=(custom, no user)
+  XDG_RUNTIME_DIR=<set>
+  LANG=ja_JP.utf8
+  SHELL=/bin/bash
+ ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-24-generic root=UUID=b2b909b5-fe09-4d83-b740-7bbeb6ba0f51 ro quiet splash nomdmonddf nomdmonisw nomdmonddf nomdmonisw crashkernel=384M-:128M
+ ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
+ Syslog:
+  
+ Tags: qiana third-party-packages
+ Uname: Linux 3.13.0-24-generic x86_64
+ UpgradeStatus: Upgraded to qiana on 2014-04-20 (48 days ago)
+ UserGroups: adm admin cdrom dialout disk kvm libvirtd lpadmin plugdev sambashare scanner
+ _MarkForUpload: True

** Attachment added: "ApparmorPackages.txt"
   https://bugs.launchpad.net/bugs/1327687/+attachment/4127452/+files/ApparmorPackages.txt
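The report above pairs a kernel audit DENIED record with the per-VM .files fragment that virt-aa-helper generated. The following is an added example, not code from the bug report, libvirt or AppArmor: it parses the audit record, parses the simple file rules out of a .files fragment, and checks whether the fragment actually grants the denied access, which separates "the profile was never given a rule for the backing image" (what the report describes) from "the rule is on disk but the loaded policy is stale". It also checks the two virt-aa-helper rules quoted in the report against the denied path. The .files fragments are constructed, abbreviated versions of the ones in the report, and the expansion of @{HOME} to /home/* is a simplifying assumption (the real tunable is defined via @{HOMEDIRS}).

```python
import re

# Audit record copied from the bug report (kernel type=1400 AppArmor DENIED line).
DENIED_LINE = (
    'Jun  8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): '
    'apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" '
    'name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118'
)
# Constructed, abbreviated .files fragments: before the fix the backing image has no
# rule at all; after it, the "r" rule and the "deny ... w" rule are present.
FILES_BEFORE = '''
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/vm.log" w,
  "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
'''
FILES_AFTER = FILES_BEFORE + '''
  "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
  # don't audit writes to readonly files
  deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
'''
# The two rules the report quotes from /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper.
HELPER_RULES = '''
  @{HOME}/** r,
  /**.img r,
'''
# Assumption: a simplified tunable; AppArmor's tunables/home defines @{HOME} via @{HOMEDIRS}.
VARIABLES = {'@{HOME}': '/home/*'}

AUDIT_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
FILE_RULE = re.compile(r'^\s*(deny\s+)?(?:"([^"]+)"|(\S+))\s+([rwklmix]+),\s*$')

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record as a dict (quotes stripped)."""
    fields = {}
    for m in AUDIT_FIELD.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields

def parse_rules(text):
    """Extract simple file rules (optionally 'deny'-prefixed) from a profile fragment as
    (is_deny, path_glob, permission_set); comments and non-file rules are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith('#'):
            continue
        m = FILE_RULE.match(line)
        if m:
            is_deny, quoted, bare, perms = m.groups()
            rules.append((is_deny is not None, quoted or bare, set(perms)))
    return rules

def glob_to_regex(pattern):
    """Translate an AppArmor path glob to a regex: '*' stops at '/', '**' does not."""
    for var, value in VARIABLES.items():
        pattern = pattern.replace(var, value)
    out, i = '', 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out, i = out + '.*', i + 2
            continue
        out += {'*': '[^/]*', '?': '[^/]'}.get(pattern[i], re.escape(pattern[i]))
        i += 1
    return re.compile('^' + out + '$')

def check_access(rules, path, mask):
    """Return (granted, matching_globs). Deny rules win over allow rules, as in AppArmor,
    so 'r' can be granted while 'w' on the same path is explicitly denied."""
    allowed, denied, hits = set(), set(), []
    for is_deny, glob, perms in rules:
        if glob_to_regex(glob).match(path):
            hits.append(('deny ' if is_deny else '') + glob)
            (denied if is_deny else allowed).update(perms)
    return set(mask) <= (allowed - denied), hits

def explain_denial(line, files_text):
    """Correlate one DENIED audit line with the .files fragment generated for its profile.
    rule_present=False: the fragment never got a rule for the path (generation failed).
    rule_present=True: the rule is on disk but the loaded policy does not reflect it."""
    f = parse_audit(line)
    if f.get('apparmor') != 'DENIED':
        return None
    granted, hits = check_access(parse_rules(files_text), f['name'], f['denied_mask'])
    return {'profile': f['profile'], 'comm': f['comm'], 'path': f['name'],
            'mask': f['denied_mask'], 'rule_present': granted, 'matching_rules': hits}

if __name__ == '__main__':
    for label, text in (('before', FILES_BEFORE), ('after', FILES_AFTER)):
        print(label, explain_denial(DENIED_LINE, text))
    # The helper's own profile does cover the denied path, so virt-aa-helper should have
    # been able to read the backing image and emit the rule for the VM profile.
    print('helper may read image:',
          check_access(parse_rules(HELPER_RULES), parse_audit(DENIED_LINE)['name'], 'r'))
```

Run against the "before" fragment the check reports no matching rule, which is the symptom in the report; against the "after" fragment it reports the allow rule and the deny-write rule and confirms that read access is granted. Feeding the same path to the virt-aa-helper rules shows both `@{HOME}/**` and `/**.img` cover it, so the missing rule in the VM profile cannot be explained by the helper's profile text alone.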

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1327687

Title:
  AppArmor Regression #1236455 by #1298611

Status in “apparmor” package in Ubuntu:
  New
Status in “linux” package in Ubuntu:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1327687/+subscriptions