Public bug reported: Release: 14.04 Package: libvirt-bin Version: 1.2.2-0ubuntu13.1.1
For a normal block-based LVM disk definition

  <disk type='block' device='disk'>
    <driver name='qemu' type='raw'/>
    <source dev='/dev/host-vg/guest.img'/>
    <target dev='vda' bus='virtio'/>
  </disk>

virt-aa-helper will generate "/dev/dm-X rw" rules in the /etc/apparmor.d/libvirt/libvirt-*.files

  "/dev/dm-10" rw,

However, using a storage pool:

  <pool type='logical'>
    <name>lvm</name>
    <source>
      <name>host-vg</name>
    </source>
    <target>
      <path>/dev/host-vg</path>
    </target>
  </pool>

to create the volume:

  <volume>
    <name>guest.img</name>
    <capacity>....</capacity>
  </volume>

and attempting to use the equivalent:

  <disk type='volume' device='disk'>
    <driver name='qemu' type='raw'/>
    <source pool='lvm' volume='guest.img'/>
    <target dev='vda' bus='virtio'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
  </disk>

Results in the following with `virsh start guest`

  error: Failed to start domain guest
  error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/dev/host-vg/guest.img,if=none,id=drive-virtio-disk0,format=raw: could not open disk image /dev/host-vg/guest.img: Could not open '/dev/host-vg/guest.img': Permission denied

And:

  [164096.938448] type=1400 audit(1405596016.664:100): apparmor="DENIED" operation="open" profile="libvirt-fdd84027-cb8e-42d5-bca1-a662871d97bb" name="/dev/dm-10" pid=26835 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
  [164096.938472] type=1400 audit(1405596016.664:101): apparmor="DENIED" operation="open" profile="libvirt-fdd84027-cb8e-42d5-bca1-a662871d97bb" name="/dev/dm-10" pid=26835 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=109 ouid=109
  [164096.938515] type=1400 audit(1405596016.664:102): apparmor="DENIED" operation="open" profile="libvirt-fdd84027-cb8e-42d5-bca1-a662871d97bb" name="/dev/dm-10" pid=26835 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=109 ouid=109

The apparmor libvirt-*.files does not contain any /dev/dm-* rules.
I'm not familiar enough with the virAppArmorSecurityDriver code to know if the load_profile() call to virDomainDefFormat() will give the persistent or live xml config, but when testing with virt-aa-helper manually, feeding it the inactive config (i.e. `virsh dumpxml` while the domain is stopped) will cause get_files() to call virDomainDiskDefForeachPath() with a virDomainDiskDefPtr of type=VIR_DOMAIN_DISK_TYPE_VOLUME and src=NULL, so it never iters over the disk. I suspect that virt-aa-helper should instead be fed the active config, i.e. one where the <disk type='volume'> has been fed through qemuTranslateDiskSourcePool() to resolve it into the actual <disk type='block'><source dev='...' /></disk>?

** Affects: libvirt (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1343245
Title: virt-aa-helper does not whitelist actual <source dev='...'> paths for domain <disk type='volume'>

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
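The translation step the report is asking for, as an added Python example (not libvirt's virt-aa-helper code): a `<disk type='volume'>` is resolved against its logical pool to a device path, the corresponding `/dev/dm-X` rule is emitted, and AppArmor DENIED audit lines are checked against the generated rules so a missing whitelist entry is spotted before the guest fails to start. It assumes the logical-pool layout `<target path>/<volume name>` (what qemuTranslateDiskSourcePool() produces for this case) and replaces `os.path.realpath()` with a constructed device map, since `/dev/host-vg` does not exist on the machine running it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for os.path.realpath(): /dev/host-vg does not exist here.
DEVICE_MAP = {"/dev/host-vg/guest.img": "/dev/dm-10"}

POOL_XML = """<pool type='logical'><name>lvm</name><source><name>host-vg</name></source>
<target><path>/dev/host-vg</path></target></pool>"""
DOMAIN_XML = """<domain><devices><disk type='volume' device='disk'>
<driver name='qemu' type='raw'/><source pool='lvm' volume='guest.img'/>
<target dev='vda' bus='virtio'/></disk></devices></domain>"""
# Constructed audit line in the same shape as the denials quoted in the report.
AUDIT_LOG = ['type=1400 audit(1405596016.664:102): apparmor="DENIED" operation="open" '
             'name="/dev/dm-10" pid=26835 comm="qemu-system-x86" requested_mask="rw"']

def pool_paths(pool_xmls):
    """Pool name -> target path, 'logical' pools only (assumption: LV is <path>/<volume>)."""
    pools = {}
    for xml in pool_xmls:
        p = ET.fromstring(xml)
        if p.get("type") == "logical":
            pools[p.findtext("name")] = p.findtext("target/path")
    return pools

def disk_sources(domain_xml, pools, translate=True):
    """Source paths the profile must allow; translate=False mimics feeding the
    inactive config, where the volume disk has no dev path and yields nothing."""
    paths = []
    for disk in ET.fromstring(domain_xml).iter("disk"):
        src = disk.find("source")
        if disk.get("type") == "block" and src is not None:
            paths.append(src.get("dev"))
        elif disk.get("type") == "volume" and translate and src is not None:
            pool = pools.get(src.get("pool"))
            if pool:
                paths.append(f"{pool}/{src.get('volume')}")
    return paths

def apparmor_rules(paths):
    """One rw rule per resolved device node, the form virt-aa-helper writes for /dev/dm-X."""
    return [f'"{DEVICE_MAP.get(p, p)}" rw,' for p in paths]

AUDIT_RE = re.compile(r'apparmor="DENIED".*\bname="([^"]+)"')

def unwhitelisted_denials(audit_lines, rules):
    """Denied paths from AppArmor audit lines that no generated rule covers."""
    allowed = {r.split('"')[1] for r in rules}
    hits = (AUDIT_RE.search(line) for line in audit_lines)
    return sorted({m.group(1) for m in hits if m} - allowed)
```

Running `disk_sources()` with `translate=False` reproduces the empty result the reporter sees with the inactive config; with the default it yields the block path whose rule covers the denied `/dev/dm-10`.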