apparmor, kernel 4.14 and libvirtd


apparmor, kernel 4.14 and libvirtd

Michael Ströder
Hi!

It seems the kernel upgrade needs another modification to apparmor
profile(s) for libvirtd:

type=VIRT_RESOURCE msg=audit(1511353655.324:343): pid=1528 uid=0
auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny
vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7
cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d2\x2dae\x2ddir\x2ddeb\x2dp1.scope/"
class=all exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

Ciao, Michael.



Re: apparmor, kernel 4.14 and libvirtd

Christian Boltz-5
Hello,

On Wednesday, 22 November 2017, 13:30:40 CET, Michael Ströder wrote:
> It seems the kernel upgrade needs another modification to apparmor
> profile(s) for libvirtd:
>
> type=VIRT_RESOURCE msg=audit(1511353655.324:343): pid=1528 uid=0
> auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny
> vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7
> cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d2\x2dae\x
> 2ddir\x2ddeb\x2dp1.scope/" class=all exe="/usr/sbin/libvirtd"
> hostname=? addr=? terminal=? res=success'

A log line with   apparmor="DENIED"   would be more useful - do you have
one? ;-)

Also, please file a bug report - I'm not sure if Jim reads this ML.


Regards,

Christian Boltz
--
Should you ever feel lonely or  be overwhelmed with spare time:
you know where to find us.
[Dominique Leuenberger in opensuse-project]
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: apparmor, kernel 4.14 and libvirtd

Jim Fehlig
On 11/23/2017 06:32 AM, Christian Boltz wrote:

> Hello,
>
> On Wednesday, 22 November 2017, 13:30:40 CET, Michael Ströder wrote:
>> It seems the kernel upgrade needs another modification to apparmor
>> profile(s) for libvirtd:
>>
>> type=VIRT_RESOURCE msg=audit(1511353655.324:343): pid=1528 uid=0
>> auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny
>> vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7
>> cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d2\x2dae\x
>> 2ddir\x2ddeb\x2dp1.scope/" class=all exe="/usr/sbin/libvirtd"
>> hostname=? addr=? terminal=? res=success'
>
> A log line with   apparmor="DENIED"   would be more useful - do you have
> one? ;-)
>
> Also, please file a bugreport - I'm not sure if Jim reads this ML.

Yes, I do, when I'm not on holidays :-).

WRT bugs, there's

https://bugzilla.opensuse.org/show_bug.cgi?id=1069562
https://bugzilla.opensuse.org/show_bug.cgi?id=1069903

If you are still seeing the problem with the fix for these bugs, please provide
more info from /var/log/audit/audit.log as Christian requested.

Regards,
Jim



Re: apparmor, kernel 4.14 and libvirtd

Jim Fehlig
On 11/27/2017 08:01 AM, Jim Fehlig wrote:

> On 11/23/2017 06:32 AM, Christian Boltz wrote:
>> Hello,
>>
>> On Wednesday, 22 November 2017, 13:30:40 CET, Michael Ströder wrote:
>>> It seems the kernel upgrade needs another modification to apparmor
>>> profile(s) for libvirtd:
>>>
>>> type=VIRT_RESOURCE msg=audit(1511353655.324:343): pid=1528 uid=0
>>> auid=4294967295 ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny
>>> vm="ae-dir-deb-p1" uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7
>>> cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d2\x2dae\x
>>> 2ddir\x2ddeb\x2dp1.scope/" class=all exe="/usr/sbin/libvirtd"
>>> hostname=? addr=? terminal=? res=success'
>>
>> A log line with   apparmor="DENIED"   would be more useful - do you have
>> one? ;-)
>>
>> Also, please file a bugreport - I'm not sure if Jim reads this ML.
>
> Yes, I do, when I'm not on holidays :-).
>
> WRT bugs, there's
>
> https://bugzilla.opensuse.org/show_bug.cgi?id=1069562
> https://bugzilla.opensuse.org/show_bug.cgi?id=1069903
>
> If you are still seeing the problem with the fix for these bugs, please provide
> more info from /var/log/audit/audit.log as Christian requested.

I finally got around to updating my TW machine. Rather than trying kernel
4.14.1, I immediately installed kernel 4.14.2-3.1.gb5596a5 from

http://download.opensuse.org/repositories/Kernel:/stable/standard/x86_64/

The only problem I noticed was the following when shutting down a confined VM

type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open"
profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline"
pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0

Adding the following rule to the libvirt-qemu abstraction squelches the denial

@{PROC}/@{pid}/cmdline r,

Christian, do you think that rule is satisfactory? If so, I'll submit it
upstream. Thanks!

Regards,
Jim


Re: apparmor, kernel 4.14 and libvirtd

Christian Boltz-5
Hello,

On Thursday, 30 November 2017, 01:40:30 CET, Jim Fehlig wrote:
> I finally got around to updating my TW machine. Rather than trying
> kernel 4.14.1, I immediately installed kernel 4.14.2-3.1.gb5596a5

Good choice ;-) - 4.14.0 and .1 have a "nice" bug.

> The only problem I noticed was the following when shutting down a
> confined VM
>
> type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
> operation="open"
> profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
> name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=469 ouid=0
>
> Adding the following rule to the libvirt-qemu abstraction squelches
> the denial
>
> @{PROC}/@{pid}/cmdline r,
>
> Christian, do you think that rule is satisfactory? If so, I'll submit
> it upstream. Thanks!

Yes, this rule looks correct, so please submit it upstream ;-)


Regards,

Christian Boltz
--
* tigerfoot [sarcastic mode] Didn't we remove *kit from 12.2 ? [/end
           mode]
<simon123> tigerfoot: we will never get rid of *Kit, they will always
           invent another one :(
[from #opensuse-project]



Re: apparmor, kernel 4.14 and libvirtd

Michael Ströder
Christian Boltz wrote:

> On Thursday, 30 November 2017, 01:40:30 CET, Jim Fehlig wrote:
>> The only problem I noticed was the following when shutting down a
>> confined VM
>>
>> type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
>> operation="open"
>> profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
>> name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
>> requested_mask="r" denied_mask="r" fsuid=469 ouid=0
>>
>> Adding the following rule to the libvirt-qemu abstraction squelches
>> the denial
>>
>> @{PROC}/@{pid}/cmdline r,
>>
>> Christian, do you think that rule is satisfactory? If so, I'll submit
>> it upstream. Thanks!
>
> Yes, this rule looks correct, so please submit it upstream ;-)

After updating the kernel to 4.14.2 I've tried to add the line

@{PROC}/@{pid}/cmdline r,

to file /etc/apparmor.d/abstractions/libvirt-qemu but still I get this
for virsh destroy <domain-name>:

type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED"
operation="signal" profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd"
requested_mask="send" denied_mask="send" signal=term peer="unconfined"

Ciao, Michael.



Re: apparmor, kernel 4.14 and libvirtd

Michael Ströder
Michael Ströder wrote:

> Christian Boltz wrote:
>> On Thursday, 30 November 2017, 01:40:30 CET, Jim Fehlig wrote:
>>> The only problem I noticed was the following when shutting down a
>>> confined VM
>>>
>>> type=AVC msg=audit(1512002299.742:131): apparmor="DENIED"
>>> operation="open"
>>> profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
>>> name="/proc/1475/cmdline" pid=2958 comm="qemu-system-x86"
>>> requested_mask="r" denied_mask="r" fsuid=469 ouid=0
>>>
>>> Adding the following rule to the libvirt-qemu abstraction squelches
>>> the denial
>>>
>>> @{PROC}/@{pid}/cmdline r,
>>>
>>> Christian, do you think that rule is satisfactory? If so, I'll submit
>>> it upstream. Thanks!
>>
>> Yes, this rule looks correct, so please submit it upstream ;-)
>
> After updating the kernel to 4.14.2 I've tried to add the line
>
> @{PROC}/@{pid}/cmdline r,
>
> to file /etc/apparmor.d/abstractions/libvirt-qemu but still I get this
> for virsh destroy <domain-name>:
>
> type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED"
> operation="signal" profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd"
> requested_mask="send" denied_mask="send" signal=term peer="unconfined"

And virsh start <domain-name> fails with:

type=AVC msg=audit(1512131645.930:1919): apparmor="DENIED"
operation="mount" info="failed mntpnt match" error=-13
profile="/usr/sbin/libvirtd" name="/" pid=7179 comm="libvirtd"
flags="rw, rslave"

Ciao, Michael.


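The four audit records quoted in this thread, run through a small classifier that separates libvirt's own VIRT_RESOURCE cgroup events from real AppArmor AVC denials and derives the abstraction rule for the /proc open case. This is an added example, not code from the thread or from libvirt; the PID generalisation mirrors the rule Jim posted, and the sample records are embedded as constructed input.

```python
import re

# The four audit records quoted in this thread, embedded as constructed sample input.
SAMPLE_LOG = [
    "type=VIRT_RESOURCE msg=audit(1511353655.324:343): pid=1528 uid=0 auid=4294967295 "
    "ses=4294967295 msg='virt=kvm resrc=cgroup reason=deny vm=\"ae-dir-deb-p1\" "
    r'uuid=35bee50f-d977-48d4-88d1-9af4bfd1b6c7 cgroup="/sys/fs/cgroup/devices/'
    r'machine.slice/machine-qemu\x2d2\x2dae\x2ddir\x2ddeb\x2dp1.scope/" class=all '
    "exe=\"/usr/sbin/libvirtd\" hostname=? addr=? terminal=? res=success'",
    'type=AVC msg=audit(1512002299.742:131): apparmor="DENIED" operation="open" '
    'profile="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" name="/proc/1475/cmdline" '
    'pid=2958 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=469 ouid=0',
    'type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED" operation="signal" '
    'profile="/usr/sbin/libvirtd" pid=6059 comm="libvirtd" requested_mask="send" '
    'denied_mask="send" signal=term peer="unconfined"',
    'type=AVC msg=audit(1512131645.930:1919): apparmor="DENIED" operation="mount" '
    'info="failed mntpnt match" error=-13 profile="/usr/sbin/libvirtd" name="/" '
    'pid=7179 comm="libvirtd" flags="rw, rslave"',
]

# key=value where the value is "quoted", 'quoted' (libvirt's nested msg) or bare.
FIELD_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")

def parse_audit_record(line):
    """Turn one audit record into a dict. VIRT_RESOURCE records carry a second
    key=value list inside msg='...'; it is parsed recursively and merged."""
    rec = {}
    for m in FIELD_RE.finditer(line):
        key, value = m.group(1), next(v for v in m.groups()[1:] if v is not None)
        if key == "msg" and m.group(3) is not None:
            rec.update(parse_audit_record(value))
        else:
            rec[key] = value
    return rec

def classify(rec):
    """Return (source, suggested_rule). Only AVC records with apparmor="DENIED"
    are AppArmor denials; a rule is derived only for the /proc file-open case."""
    if rec.get("type") == "VIRT_RESOURCE":
        return ("libvirt", None)          # libvirtd's own cgroup ACL, not AppArmor
    if rec.get("type") != "AVC" or rec.get("apparmor") != "DENIED":
        return ("other", None)
    if rec.get("operation") == "open" and rec.get("name", "").startswith("/proc/"):
        # Generalise the PID as aa-logprof does: /proc/1475/x -> @{PROC}/@{pid}/x
        path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", rec["name"])
        return ("apparmor", f"{path} {rec['requested_mask']},")
    return ("apparmor", None)             # signal/mount: check the shipped profile
```

The first record never produces a rule: it is logged by libvirtd's cgroup device ACL and is not an AppArmor event, which is why Christian asked for a line with apparmor="DENIED".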

Re: apparmor, kernel 4.14 and libvirtd

Christian Boltz-5
Hello,

On Friday, 1 December 2017, 13:35:00 CET, Michael Ströder wrote:
> Michael Ströder wrote:

> > to file /etc/apparmor.d/abstractions/libvirt-qemu but still I get
> > this for virsh destroy <domain-name>:
> >
> > type=AVC msg=audit(1512131425.439:1714): apparmor="DENIED"
> > operation="signal" profile="/usr/sbin/libvirtd" pid=6059
> > comm="libvirtd" requested_mask="send" denied_mask="send"
> > signal=term peer="unconfined"
> And virsh start <domain-name> fails with:
>
> type=AVC msg=audit(1512131645.930:1919): apparmor="DENIED"
> operation="mount" info="failed mntpnt match" error=-13
> profile="/usr/sbin/libvirtd" name="/" pid=7179 comm="libvirtd"
> flags="rw, rslave"

Can you please check if you have *.rpmnew files in /etc/apparmor.d/ ?
Both events you listed should be covered by the latest
/etc/apparmor.d/usr.sbin.libvirtd profile already.


Regards,

Christian Boltz
--
> What I actually meant to say / demonstrate was that
> update-itis can be curable...
That may be, but the withdrawal process can take a while...
[> David Haller and Michael Höhne in suse-linux]



Re: apparmor, kernel 4.14 and libvirtd

Michael Ströder
Christian Boltz wrote:
> Can you please check if you have *.rpmnew files in /etc/apparmor.d/ ?
> Both events you listed should be covered by the latest
> /etc/apparmor.d/usr.sbin.libvirtd profile already.

Ummpf! You're right. I should have checked this before.

Thanks again, Christian.

Ciao, Michael.

