Package: libvirt-daemon-system
Version: 3.0.0-4+deb9u3
Severity: normal
X-Debbugs-Cc: appar...@packages.debian.org

Dear maintainers, (CCed: apparmor-maintainers)

I had enabled AppArmor on my Debian stretch machine.
I found that some of libvirt's open operations are DENIED by AppArmor.
Please see below.

```
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503726] audit: type=1400 audit(1532950522.067:41): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/node/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.503778] audit: type=1400 audit(1532950522.067:42): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/devices/system/cpu/" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:22 debian-tsr-nuc1 kernel: [   39.538158] audit: type=1400 audit(1532950522.103:43): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/sys/module/vhost/parameters/max_mem_regions" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393592] audit: type=1400 audit(1532950536.959:46): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/node/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.393648] audit: type=1400 audit(1532950536.959:47): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/devices/system/cpu/" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 30 20:35:36 debian-tsr-nuc1 kernel: [   54.404634] audit: type=1400 audit(1532950536.967:48): apparmor="DENIED" operation="open" profile="libvirt-974b3462-9525-49d8-82db-2a3eb9bb972f" name="/sys/module/vhost/parameters/max_mem_regions" pid=1376 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jul 31 12:51:24 debian-tsr-nuc1 kernel: [58602.024293] audit: type=1400 audit(1533009084.686:49): apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" name="/proc/548/cmdline" pid=1307 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
```

These policy conflicts were fixed upstream.

I attached a patch backported from these commits:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=e7f5d627f93c1c71260d2a795a1227b16b0d3186
https://libvirt.org/git/?p=libvirt.git;a=commit;h=0af5ced4b81b68be7016d1f8755db3d0c3249278

Would you apply this patch for stretch?

Regards,

Allow apparmor access to host resources and process cmdline

These policy conflicts were fixed upstream.
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -21,6 +21,10 @@
   /dev/ptmx rw,
   /dev/kqemu rw,
   @{PROC}/*/status r,
+  # When qemu is signaled to terminate, it will read cmdline of signaling
+  # process for reporting purposes. Allowing read access to a process
+  # cmdline may leak sensitive information embedded in the cmdline.
+  @{PROC}/@{pid}/cmdline r,
   # Per man(5) proc, the kernel enforces that a thread may
   # only modify its comm value or those in its thread group.
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
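Review bot: the new `@{PROC}/@{pid}/cmdline r,` rule carries no `owner` qualifier, unlike the neighbouring `owner @{PROC}/@{pid}/task/@{tid}/comm rw,`, so the confined qemu process may read the cmdline of any process on the host; the comment above the rule already states that this can leak sensitive information embedded in a cmdline. The reported denial (`name="/proc/548/cmdline" ... fsuid=64055 ouid=0`) shows the file is owned by root while qemu runs as uid 64055, so an `owner`-qualified rule would not have satisfied it. Suggest recording that tradeoff in the backport changelog so the widened access is visible in the stretch update's history.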
@@ -152,3 +156,9 @@
   /etc/udev/udev.conf r,
   /sys/bus/ r,
   /sys/class/ r,
+
+  # for gathering information about available host resources
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/node/ r,
+  /sys/devices/system/node/node[0-9]*/meminfo r,
+  /sys/module/vhost/parameters/max_mem_regions r,
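Review bot: of the four new `/sys` rules, `/sys/devices/system/node/node[0-9]*/meminfo r,` matches no denial in the reported log, where only `/sys/devices/system/cpu/`, `/sys/devices/system/node/` and `/sys/module/vhost/parameters/max_mem_regions` appear; if it is carried over from one of the two linked upstream commits that is fine, but the backport description should say which upstream commit each hunk comes from. The trailing slashes on the two directory rules are needed as written, since the denied names end in `/` and AppArmor matches the path exactly.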

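The denials above and the rules the patch adds, checked against each other, as an added example that is not part of this bug report or of libvirt: it parses AppArmor audit records, translates the profile's rule paths into regular expressions (an approximation of AppArmor globbing, with `@{pid}` assumed to mean one or more digits), and reports which denied paths the patch would still leave uncovered. The sample records are constructed from the log in the report, trimmed of the pid/comm fields, plus one made-up path.

```python
import re

# Constructed audit records in the shape of the report's kernel log lines
# (pid/comm fields dropped for brevity). The last path is made up and is
# not covered by the patch.
AUDIT_LINES = [
    'apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" '
    'name="/sys/devices/system/node/" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" '
    'name="/sys/module/vhost/parameters/max_mem_regions" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" '
    'name="/proc/548/cmdline" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'apparmor="DENIED" operation="open" profile="libvirt-2453a1d1-16fd-446a-b7df-3b1b0ac4a506" '
    'name="/sys/kernel/mm/hugepages/" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
]

# File rules the patch adds to examples/apparmor/libvirt-qemu.
PATCH_RULES = [
    "@{PROC}/@{pid}/cmdline r,",
    "/sys/devices/system/cpu/ r,",
    "/sys/devices/system/node/ r,",
    "/sys/devices/system/node/node[0-9]*/meminfo r,",
    "/sys/module/vhost/parameters/max_mem_regions r,",
]

def parse_denial(line):
    # key=value fields; quoted values keep spaces, bare values stop at whitespace
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def rule_to_regex(path):
    # Approximates AppArmor globbing: @{PROC}, @{pid}, ** (crosses /), * (does not), [..] classes.
    # @{pid} is assumed to be one or more digits; real profiles may define it more loosely.
    parts = re.split(r'(@\{PROC\}|@\{pid\}|\*\*|\*|\[[^\]]*\])', path)
    trans = {"@{PROC}": "/proc", "@{pid}": "[0-9]+", "**": ".*", "*": "[^/]*"}
    return "".join(trans.get(p, p if p.startswith("[") else re.escape(p)) for p in parts)

def covered(record, rules):
    # A rule covers a denial if its path matches and it grants every requested mode.
    for rule in rules:
        path, mask = rule.rstrip(",").rsplit(None, 1)
        if set(record["requested_mask"]) <= set(mask) and re.fullmatch(rule_to_regex(path), record["name"]):
            return True
    return False

def uncovered_denials(lines, rules):
    # Denied paths from audit lines that the given rules still would not allow.
    records = (parse_denial(line) for line in lines)
    return [r["name"] for r in records if r.get("apparmor") == "DENIED" and not covered(r, rules)]
```

Running `uncovered_denials(AUDIT_LINES, PATCH_RULES)` returns only the made-up `/sys/kernel/mm/hugepages/` path; the same check run over a real `journalctl -k` dump shows whether a proposed profile change actually closes every reported denial.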