Thanks once again Simon for the SRU Template - I was adding the "impact"
section as I started to work on verifying the SRU for this together with
a bunch of other changes.

** Description changed:

  When a qemu-kvm guest is using a zvol or a DRBD volume or a NVME
  partition, Apparmor denial messages are logged due to virt-aa-helper
  trying to access the volume/device. Those should be silenced as it's
  already done for Logical Volumes.
  
+ [Impact]
+ 
+  * libvirt driving guests on more recent backing devices floods logs and 
+    dmesg due to non critical apparmor denials.
+ 
+  * those can distract from real issues and therefore (as with similar 
+    cases in the past) should be silenced by explicit denials.
+ 
  [Test Case]
  1) Create a KVM guest
  2) Edit the guest's XML profile to reference a zvol|DRBD volume|NVME partition
-     <disk type='block' device='disk'>
-       <driver name='qemu' type='raw' cache='none'/>
-       <source dev='/dev/zvol/data/foo'/>
-       <target dev='vda' bus='virtio'/>
-     </disk>
+     <disk type='block' device='disk'>
+       <driver name='qemu' type='raw' cache='none'/>
+       <source dev='/dev/zvol/data/foo'/>
+       <target dev='vda' bus='virtio'/>
+     </disk>
  3) Start the guest
  4) Check dmesg for any Apparmor denials, there should be none with the patch
  
  *Without* the patch, one would see those (or similar) denials:
  
  audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED"
  operation="open" profile="/usr/lib/libvirt/virt-aa-helper"
  name="/dev/zd0" pid=16715 comm="virt-aa-helper" requested_mask="r"
  denied_mask="r" fsuid=0 ouid=0
  
- 
  [Regression Potential]
  Adding a couple of explicit denials to the virt-aa-helper profile shouldn't 
cause no harm because Apparmor already denies those, this is just about 
silencing this.
- 
  
  [Original description]
  Libvirt qemu-kvm guests backed by zvols (ZFS volumes) generate useless noise 
due to virt-aa-helper trying to read the backing device in the host (/dev/zdX). 
Other host's devs are already denied in virt-aa-helper's profile:
  
    # for hostdev
    /sys/devices/ r,
    /sys/devices/** r,
    /sys/bus/usb/devices/ r,
    /sys/bus/usb/devices/** r,
    deny /dev/sd* r,
    deny /dev/dm-* r,
    deny /dev/mapper/ r,
    deny /dev/mapper/* r,
  
  Adding "deny /dev/zd[0-9]* r," would silence Apparmor.
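
Review bot: step 2 of [Test Case] names three backing device types (zvol, DRBD volume, NVME partition), but the sample <source dev='/dev/zvol/data/foo'/>, the sample denial (name="/dev/zd0") and the rule quoted in [Original description] cover only the zvol case. Consider listing a source path and the expected denial for the DRBD and NVME cases as well, so that the check in step 4 exercises every device type the summary says is silenced.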

-- 
https://bugs.launchpad.net/bugs/1641618

Title:
  Apparmor denials caused by virt-aa-helper trying to read zvol devices
  (/dev/zdX) should be silenced
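
Step 4 of the test case can be checked mechanically. The script below is an added example, not part of the bug report or of libvirt: it parses audit lines and reports which virt-aa-helper denials would be covered by the deny rules quoted in this message and which would still be logged. The glob translation is a simplified assumption about AppArmor matching, and all sample lines except the `/dev/zd0` denial are constructed.

```python
import re

# Deny rules quoted in this message: the existing profile lines plus the proposed zvol rule.
DENY_GLOBS = ["/dev/sd*", "/dev/dm-*", "/dev/mapper/", "/dev/mapper/*", "/dev/zd[0-9]*"]
PROFILE = "/usr/lib/libvirt/virt-aa-helper"

# Audit line layout taken from the denial shown in the report (unwrapped onto one line).
TEMPLATE = ('audit: type=1400 audit(1479809919.223:4083): apparmor="DENIED" operation="open" '
            'profile="{profile}" name="{name}" pid=16715 comm="virt-aa-helper" '
            'requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
SAMPLE_LOG = "\n".join(TEMPLATE.format(profile=p, name=n) for p, n in [
    (PROFILE, "/dev/zd0"),             # the denial from the report
    (PROFILE, "/dev/nvme0n1p1"),       # constructed: no rule for it is quoted here
    ("/usr/bin/example", "/dev/zd0"),  # constructed: different (hypothetical) profile
])

def glob_to_regex(glob):
    """Simplified AppArmor glob translation: '**' crosses '/', '*' does not, [..] is a class."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1])
            i = end + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def triage(log_text, globs=DENY_GLOBS):
    """Split virt-aa-helper denials into (covered by a deny rule, still logged)."""
    rules = [glob_to_regex(g) for g in globs]
    covered, still_logged = [], []
    for line in log_text.splitlines():
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != PROFILE:
            continue  # not a denial, or a denial from some other profile
        name = fields.get("name", "")
        (covered if any(r.match(name) for r in rules) else still_logged).append(name)
    return covered, still_logged

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Passing `globs=DENY_GLOBS[:4]` models the profile without the proposed zvol rule, so the same log can be compared before and after the change.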
