kernel-packages team mailing list archive
Message #83486
[Bug 1378434] [NEW] 14.04: libvirt-qemu/apparmor: missing permissions for 9p shares
Public bug reported:
I have an asterisk server running in a KVM and give it access to the storage array of the host via 9p.
/etc/apparmor.d/abstractions/libvirt-qemu was missing the permissions for capa fowner and capa fsetid which are necessary for full access to the shares and which I fixed myself. Now, additionally, it seems that the helper for the KVMs only sets r and w permissions for the 9p shares. For full access in this case, also the link permission is needed. Manually adding the l flag to /etc/apparmor.d/libvirt-qemu/<UUID>.files does NOT work. The permission structure seems to be hardcoded in the source of the helper. Typical log entry:
Oct 7 19:04:14 nostromo kernel: [498751.395000] type=1400 audit(1412697854.669:203): apparmor="DENIED" operation="link" profile="libvirt-d2719da3-1869-9cee-b02f-8d86458bbea2" name="/storage/asterisk/spool/voicemail/default/1102/Old/.lock" pid=7775 comm="pool" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 target="/storage/asterisk/spool/voicemail/default/1102/Old/.lock-0fc30204"
Possible solutions:
a) Add l permission to the source of the helper
b) Un-hardcode the permissions set by the helper and make them configurable through an /etc/default config or similar. This would be a preferable solution.
---
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Oct 2 00:29 seq
crw-rw---- 1 root audio 116, 33 Oct 2 00:29 timer
AplayDevices: Error: [Errno 2] No such file or directory
ApportVersion: 2.14.1-0ubuntu3.4
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: Error: [Errno 2] No such file or directory
DistroRelease: Ubuntu 14.04
HibernationDevice: RESUME=UUID=28b31865-bf30-4c40-a9a6-32d44abec88b
InstallationDate: Installed on 2014-08-17 (50 days ago)
InstallationMedia: Ubuntu-Server 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.3)
MachineType: ASUSTeK COMPUTER INC. P9D-V Series
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
Package: linux (not installed)
PciMultimedia:
ProcFB: 0 astdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-36-generic root=UUID=c61299e4-1f7f-4807-aff6-0a3b4028b88c ro
ProcVersionSignature: Ubuntu 3.13.0-36.63-generic 3.13.11.6
RelatedPackageVersions:
linux-restricted-modules-3.13.0-36-generic N/A
linux-backports-modules-3.13.0-36-generic N/A
linux-firmware 1.127.7
RfKill: Error: [Errno 2] No such file or directory
Tags: trusty
Uname: Linux 3.13.0-36-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:
_MarkForUpload: True
dmi.bios.date: 11/13/2013
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 0601
dmi.board.asset.tag: To be filled by O.E.M.
dmi.board.name: P9D-V Series
dmi.board.vendor: ASUSTeK COMPUTER INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 17
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr0601:bd11/13/2013:svnASUSTeKCOMPUTERINC.:pnP9D-VSeries:pvrRev1.xx:rvnASUSTeKCOMPUTERINC.:rnP9D-VSeries:rvrRev1.xx:cvnToBeFilledByO.E.M.:ct17:cvrToBeFilledByO.E.M.:
dmi.product.name: P9D-V Series
dmi.product.version: Rev 1.xx
dmi.sys.vendor: ASUSTeK COMPUTER INC.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Tags: apport-collected trusty
** Tags added: apport-collected trusty
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1378434
Title:
14.04: libvirt-qemu/apparmor: missing permissions for 9p shares
Status in “linux” package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1378434/+subscriptions
Follow ups
-
[Bug 1378434] Re: 14.04: libvirt-qemu/apparmor: missing permissions for 9p shares
From: sgofferj, 2014-10-07
-
[Bug 1378434] Re: 14.04: libvirt-qemu/apparmor: missing permissions for 9p shares
From: Joseph Salisbury, 2014-10-07
-
[Bug 1378434] Status changed to Confirmed
From: Brad Figg, 2014-10-07
-
[Bug 1378434] [NEW] 14.04: libvirt-qemu/apparmor: missing permissions for 9p shares
From: sgofferj, 2014-10-07