Hi intrigeri,

On Fri, Jun 03, 2016 at 02:51:12PM +0200, intrigeri wrote:
[..snip..]
>> As to my understanding complain mode shouldn't have any ill effects
>> therefore I'm filing this as important.
>
> I can't tell for sure until I've seen the corresponding logs, but
> I *guess* that what's happening is: setting the usr.sbin.libvirtd
> profile to "complain" affects that profile, and only that one; the
> per-guest profiles libvirt generates are not affected. libvirtd is
> still allowed to do that:

If that were true, wouldn't undefining and then redefining the domain
(therefore switching to a different UUID) resolve the problem? I have
tried this before and it doesn't. This is the full script I'm using:

  https://github.com/agx/libvirt-debian/blob/debian/experimental/debian/tests/smoke-qemu-session

Note also that the problem is with starting virtlogd (which is spawned
from libvirtd, not the VM). The issue manifests as virtlogd parsing
incorrect stuff from the environment[1].

>   # allow changing to our UUID-based named profiles
>   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
>
> ... if security_driver is configured to use AppArmor in
> /etc/libvirt/qemu.conf.
>
> And aa-disable does a very different thing: it fully unloads the
> profile from the kernel, and then somehow libvirtd must be denied the
> change_profile operation, so the buggy auto-generated per-guest
> profile is not switched to.
>
> If my guess is right, then there's no bug in AppArmor itself (except
> perhaps change_profile should pass through the complain flag to the
> profile it switches to?).
>
> To confirm this, we need:
>
> * the kernel / auditd logs from AppArmor, when the profile is in
>   complain or enforce mode

$ sudo dmesg -c > /dev/null

# Enforce
$ sudo aa-enforce /usr/sbin/libvirtd
Setting /usr/sbin/libvirtd to enforce mode.
$ debian/tests/smoke-qemu-session >& /dev/null
$ echo $?
1
$ sudo dmesg -c | grep audit
[20363.629630] audit: type=1400 audit(1464959515.310:256): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/libvirtd" pid=6608 comm="apparmor_parser"

# Complain
$ sudo aa-complain /usr/sbin/libvirtd
Setting /usr/sbin/libvirtd to complain mode.
$ debian/tests/smoke-qemu-session >& /dev/null
$ echo $?
1
$ sudo dmesg -c | grep audit
[20514.122048] audit: type=1400 audit(1464959665.801:257): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/libvirtd" pid=6695 comm="apparmor_parser"

# Disabled
$ sudo aa-disable /usr/sbin/libvirtd
$ debian/tests/smoke-qemu-session >& /dev/null
$ echo $?
0
$ sudo dmesg -c | grep audit
[20632.145135] audit: type=1400 audit(1464959783.825:258): apparmor="STATUS" operation="profile_remove" name="/usr/sbin/libvirtd" pid=6771 comm="apparmor_parser"

> * the generated profile (/etc/apparmor.d/libvirt/libvirt-${uuid}*)

As far as I can tell there are no new files generated with the UUID of
the sqs domain.

Any more logs I can provide? Sorry if I'm looking at the wrong place.

Cheers,
 -- Guido

[1] Since /proc/<pid>/environ looks correct I have no idea how this
relates to aa yet, but it's 100% reproducible.
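As an added diagnostic (not code from this thread, libvirt or AppArmor): a small Python script that parses the apparmorfs profile list and audit lines of the shape shown above, so one can check whether the per-guest libvirt-<uuid> profiles are really still enforcing while usr.sbin.libvirtd is in complain mode, and which profile each audit event is attributed to. The "<name> (<mode>)" profile-list format, the UUID, pids and the DENIED event are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample of /sys/kernel/security/apparmor/profiles ("<name> (<mode>)" per line).
SAMPLE_PROFILES = """\
/usr/sbin/libvirtd (complain)
libvirt-3a7c1f2e-9b4d-4c6e-8f10-2a5b7c9d1e33 (enforce)
virt-aa-helper (enforce)
"""

# Constructed audit lines in the shape of the dmesg output in the thread; the
# UUID, pids and the DENIED event are made up for this example.
SAMPLE_AUDIT = [
    '[20363.629630] audit: type=1400 audit(1464959515.310:256): apparmor="STATUS" '
    'operation="profile_replace" name="/usr/sbin/libvirtd" pid=6608 comm="apparmor_parser"',
    '[20370.100000] audit: type=1400 audit(1464959521.900:257): apparmor="DENIED" '
    'operation="open" profile="libvirt-3a7c1f2e-9b4d-4c6e-8f10-2a5b7c9d1e33" '
    'name="/var/lib/libvirt/images/test.img" pid=6700 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r"',
]

PROFILE_LINE = re.compile(r"^(?P<name>.+?) \((?P<mode>\w+)\)$")
# Per-guest profile names, mirroring the change_profile rule quoted in the thread.
GUEST_PROFILE = re.compile(r"^libvirt-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_profiles(text):
    """Map each loaded profile name to its mode (enforce, complain, ...)."""
    modes = {}
    for line in text.splitlines():
        m = PROFILE_LINE.match(line.strip())
        if m:
            modes[m.group("name")] = m.group("mode")
    return modes

def guest_profiles_not_in(modes, mode):
    """Per-guest libvirt profiles whose mode differs from `mode`."""
    return sorted(n for n, md in modes.items() if GUEST_PROFILE.match(n) and md != mode)

def parse_audit(line):
    """Return the key=value fields of one AppArmor audit line, quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def summarize(lines):
    """Count audit events per (subject profile, verdict, operation)."""
    counts = Counter()
    for ev in map(parse_audit, lines):
        if "apparmor" in ev:
            # STATUS lines carry the affected profile in name=, DENIED lines in profile=.
            subject = ev.get("profile", ev.get("name", "?"))
            counts[(subject, ev["apparmor"], ev.get("operation", "?"))] += 1
    return counts
```

On a real host, feed it the contents of /sys/kernel/security/apparmor/profiles and the `dmesg | grep audit` lines instead of the constructed samples.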