** Project changed: linux => linux (Ubuntu)

** Description changed:

  Affected on kernel 3.13.0-21.43 and later on Trusty.
- Because 3.13.0-21.43 revert #1236455 fix.
+ It may be because 3.13.0-21.43 revert #1236455 fix.

  linux (3.13.0-21.43) trusty; urgency=low
-   [ John Johansen ]
+   [ John Johansen ]
-   * Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
-   * Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
-   * Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
-     policy"
-   * Revert "SAUCE: apparmor: allocate path lookup buffers during init"
-   * Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
-     connection"
-   * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
-   * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
-     - LP: #1298611
+   * Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
+   * Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
+   * Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
+     policy"
+   * Revert "SAUCE: apparmor: allocate path lookup buffers during init"
+   * Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
+     connection"
+   * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
+   * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
+     - LP: #1298611

  linux (3.13.0-2.17) trusty; urgency=low
-   [ John Johansen ]
+   [ John Johansen ]
-   * SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
-   * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
-     - LP: #1208988
-   * SAUCE: apparmor: allocate path lookup buffers during init
-     - LP: #1208988
-   * SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
-     - LP: #1236455
+   * SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
+   * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
+     - LP: #1208988
+   * SAUCE: apparmor: allocate path lookup buffers during init
+     - LP: #1208988
+   * SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
+     - LP: #1236455
-
- I've observed a failing of AppArmor policy update with libvirt, qemu and vagrant.
+ I've observed a failing of AppArmor policy update with libvirt, qemu and
+ vagrant.
  vagrant asks libvirt to create a vmimage backed by another qcow2 image that is located in another directory. virt-aa-helper should add it but fails.

  /etc/apparmor.d/libvirt/libvirt-ef734772-4f19-4d0a-994d-a7398d178378.files:
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
-   "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.log" w,
-   "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.monitor" rw,
-   "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
-   "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
-   "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
-   "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
-   "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
-   "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
-   "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
+   "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.log" w,
+   "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.monitor" rw,
+   "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
+   "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
+   "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
+   "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
+   "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
+   "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
+   "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,

  /var/log/libvirt/libvirtd.log:
  Jun 8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
  Jun 8 09:26:13 tuna kernel: [33901.090212] type=1400 audit(1402187173.746:82): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
  Jun 8 09:26:13 tuna kernel: [33901.090251] type=1400 audit(1402187173.746:83): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
-
- running
+ running
  sudo aa-complain /usr/lib/libvirt/virt-aa-helper
  solves the problem. After running the above command, I get the following:

  /etc/apparmor.d/libvirt/libvirt-ed29623f-5006-4b04-9d71-ac46267ef9fc.files:
  # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
-   "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.log" w,
-   "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.monitor" rw,
-   "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
-   "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
-   "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
-   "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
-   "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402187682.img" rw,
-   "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
-   # don't audit writes to readonly files
-   deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
-   "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
-   "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
+   "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.log" w,
+   "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.monitor" rw,
+   "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
+   "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
+   "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
+   "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
+   "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402187682.img" rw,
+   "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
+   # don't audit writes to readonly files
+   deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
+   "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
+   "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,

  virt-aa-helper generates the policy rule and it is reloaded properly.
  The observation tells us that the policy in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
-   @{HOME}/** r,
-   /**.img r,
+   @{HOME}/** r,
+   /**.img r,
  is not working and fails to update the libvirt policy. This behavior is the same as #1236455.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1327687

Title:
  AppArmor Regression #1236455 by #1298611

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1327687/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
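As an added example, not part of the bug report or of libvirt's or AppArmor's own tooling: a small Python checker that parses the per-VM .files rules and the kernel DENIED lines quoted in the report and reports which denied permission bits no rule would grant, which is the gap the report shows closing once virt-aa-helper adds the box-disk1.img rule. The glob semantics (** crossing directories, * and ? not), the @{HOME} value /home/miurahr and the trimmed rule sets are assumptions taken from the report.

```python
import re

# Constructed from the bug report: one kernel DENIED line and two trimmed .files rule sets (before/after).
AUDIT_LINE = ('Jun 8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): '
              'apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" '
              'name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 '
              'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118')
RULES_BEFORE = '''# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
'''
RULES_AFTER = RULES_BEFORE + '''  "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
  # don't audit writes to readonly files
  deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
'''

RULE_RE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([a-z]+)\s*,\s*$')   # quoted file rules only
AUDIT_RE = re.compile(r'apparmor="(\w+)".*?name="([^"]+)".*?denied_mask="([^"]+)"')

def glob_to_regex(glob, home="/home/miurahr"):  # home: assumed @{HOME} value for this report
    """AppArmor path glob -> anchored regex: '**' crosses '/', '*' and '?' stop at '/'."""
    glob, out, i = glob.replace("@{HOME}", home), "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] in "*?":
            out, i = out + ("[^/]*" if glob[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")

def parse_rules(text):
    """Return (is_deny, compiled_glob, perms) per file rule; comments and blanks are skipped."""
    return [(m.group(1) is not None, glob_to_regex(m.group(2)), set(m.group(3)))
            for m in map(RULE_RE.match, text.splitlines()) if m]

def uncovered_bits(audit_line, rules):
    """Bits of denied_mask the rule set still would not grant; an explicit deny vetoes an allow."""
    m = AUDIT_RE.search(audit_line)
    if not m or m.group(1) != "DENIED":
        return set()                       # not an AppArmor denial, nothing to explain
    path, wanted = m.group(2), set(m.group(3))
    allowed, denied = set(), set()
    for is_deny, rx, perms in rules:
        if rx.match(path):
            (denied if is_deny else allowed).update(perms)
    return wanted - (allowed - denied)

if __name__ == "__main__":
    print({k: uncovered_bits(AUDIT_LINE, parse_rules(v)) for k, v in [("before", RULES_BEFORE), ("after", RULES_AFTER)]})
```

Run against the report's data, the "before" rule set leaves the qemu read of box-disk1.img uncovered and the "after" set covers it, while the deny rule still withholds write.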