** Description changed:

+ [Impact]
+ 
+  * Backport the apparmor rules that I upstreamed (have ack of JDstrand)
+    to stop the nvdimm initialization of libpmem (done always even if not used)
+    from spilling denials into the log all the time.
+ 
+ [Test Case]
+ 
+  * Start qemu and check apparmor denials (pre-tested on PPAs)
+ 
+ 
+ [Regression Potential]
+ 
+  * This is not adding new denials, only adding allows. Thereby the
+    regression risk is minimal.
+    If anything, allowing to read "/" itself would be disallowed in some
+    environments, but according to jdstrand it is safe on any LSB-compliant
+    system, and as always users that want extra isolation can add deny
+    rules to local apparmor overrides.
+ 
+ [Other Info]
+  
+  * This isn't technically an SRU, but I have learned that filling in these
+    templates helps the release team to accept changes during the 20.04
+    freeze.
+ 
+ ---
+ 
  On guest start I see:
  
  apparmor="DENIED" operation="open" profile="libvirt-785b6ea8-24b9-4d9f-9e6e-6a08ac8a95ff" name="/"
  apparmor="DENIED" operation="open" profile="libvirt-785b6ea8-24b9-4d9f-9e6e-6a08ac8a95ff" name="/sys/bus/nd/devices/"
  
  The latter could be allowed if we understand why it happens?
  The former looks like a programming error and I'd want to know where it comes from exactly.
  
  CMDline was
  usr/bin/qemu-system-x86_64 \
  -name guest=f-test1,debug-threads=on \
  -S \
  -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-10-f-test1/master-key.aes \
  -machine pc-q35-focal,accel=kvm,usb=off,dump-guest-core=off \
  -cpu qemu64 \
  -m 4096 \
  -overcommit mem-lock=off \
  -smp 8,sockets=8,cores=1,threads=1 \
  -uuid 2afb2039-c0a8-4408-9fa2-17e7f7488fc0 \
  -no-user-config \
  -nodefaults \
  -chardev socket,id=charmonitor,fd=31,server,nowait \
  -mon chardev=charmonitor,id=monitor,mode=control \
  -rtc base=utc \
  -no-shutdown \
  -boot strict=on \
  -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
  -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 \
  -device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 \
  -device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 \
  -device pcie-root-port,port=0x14,chassis=5,id=pci.5,bus=pcie.0,addr=0x2.0x4 \
  -device pcie-root-port,port=0x15,chassis=6,id=pci.6,bus=pcie.0,addr=0x2.0x5 \
  -device pcie-root-port,port=0x16,chassis=7,id=pci.7,bus=pcie.0,addr=0x2.0x6 \
  -device qemu-xhci,id=usb,bus=pci.2,addr=0x0 \
  -device virtio-serial-pci,id=virtio-serial0,bus=pci.3,addr=0x0 \
  -blockdev '{"driver":"file","filename":"/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MjAuMDQ6YW1kNjQgMjAyMDAzMzA=","node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}' \
  -blockdev '{"node-name":"libvirt-3-format","read-only":true,"driver":"qcow2","file":"libvirt-3-storage","backing":null}' \
  -blockdev '{"driver":"file","filename":"/var/lib/uvtool/libvirt/images/f-test1.qcow","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \
  -blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"qcow2","file":"libvirt-2-storage","backing":"libvirt-3-format"}' \
  -device virtio-blk-pci,scsi=off,bus=pci.4,addr=0x0,drive=libvirt-2-format,id=virtio-disk0,bootindex=1 \
  -blockdev '{"driver":"file","filename":"/var/lib/uvtool/libvirt/images/f-test1-ds.qcow","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
  -blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"qcow2","file":"libvirt-1-storage","backing":null}' \
  -device virtio-blk-pci,scsi=off,bus=pci.5,addr=0x0,drive=libvirt-1-format,id=virtio-disk1 \
  -netdev tap,fd=33,id=hostnet0,vhost=on,vhostfd=34 \
  -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:72:98:2c,bus=pci.1,addr=0x0 \
  -chardev pty,id=charserial0 \
  -device isa-serial,chardev=charserial0,id=serial0 \
  -chardev socket,id=charchannel0,fd=36,server,nowait \
  -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 \
  -vnc 127.0.0.1:0 \
  -spice port=5901,addr=127.0.0.1,disable-ticketing,seamless-migration=on \
  -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vram64_size_mb=0,vgamem_mb=16,max_outputs=1,bus=pcie.0,addr=0x1 \
  -device virtio-balloon-pci,id=balloon0,bus=pci.6,addr=0x0 \
  -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
  -msg timestamp=on

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1871354

Title:
  apparmor denies related to nvdimms/nfit

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1871354/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
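The test case in the report ("start qemu and check apparmor denials") and the regression note about deny rules in local overrides both come down to reading AppArmor audit lines and turning them into rules. The script below is an added example, not code from the bug report, from libvirt or from the apparmor-utils package: it extracts DENIED lines for the libvirt guest profiles (all of them start with "libvirt-") and prints one candidate file rule per denied path, which is roughly the extraction step that aa-logprof performs. The sample input is constructed: it contains the two denials quoted in the report plus three made-up lines (one with a requested_mask, one for an unrelated profile, one non-DENIED status line) so that the filtering is exercised. The mapping of a denial without requested_mask to a read ("r") rule is an assumption; the pasted lines in the report carry no mask, and a real journal line usually does.

```shell
#!/bin/sh
# Added example (not from the bug report or libvirt): extract AppArmor DENIED
# audit lines for the libvirt guest profiles and turn them into candidate
# file rules for review, roughly what aa-logprof's log parsing step does.
# Assumptions: audit lines carry key="value" fields as in the report;
# a denial that carries no requested_mask is treated as a read ("r").

# Constructed sample: the two denials quoted in the report, one constructed
# denial with a requested_mask, one denial for an unrelated profile, and a
# non-DENIED status line. The last two must be ignored.
SAMPLE_LOG='apparmor="DENIED" operation="open" profile="libvirt-785b6ea8-24b9-4d9f-9e6e-6a08ac8a95ff" name="/"
apparmor="DENIED" operation="open" profile="libvirt-785b6ea8-24b9-4d9f-9e6e-6a08ac8a95ff" name="/sys/bus/nd/devices/"
apparmor="DENIED" operation="open" profile="libvirt-constructed-example" name="/var/tmp/constructed-example" requested_mask="w" denied_mask="w"
apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" requested_mask="r"
apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-785b6ea8-24b9-4d9f-9e6e-6a08ac8a95ff"'

# denials_for_profile PREFIX: read audit lines on stdin and print, tab
# separated, "operation<TAB>requested_mask<TAB>name" for every DENIED line
# whose profile name starts with PREFIX ("libvirt-" covers all guests).
denials_for_profile() {
    awk -v pfx="$1" '
        # field(s, key): value of the key="..." pair in s, or "" when absent.
        function field(s, key,    re) {
            re = " " key "=\"[^\"]*\""
            if (match(s, re))
                return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
            return ""
        }
        /apparmor="DENIED"/ {
            prof = field($0, "profile")
            if (index(prof, pfx) != 1) next
            print field($0, "operation") "\t" field($0, "requested_mask") "\t" field($0, "name")
        }'
}

# rules_from_denials PREFIX: one candidate "<path> <perms>," rule per denied
# path, de-duplicated. Denials without a path (signal, ptrace, ...) are
# skipped. The output is a starting point for review, not something to
# paste into a profile blindly.
rules_from_denials() {
    denials_for_profile "$1" | awk -F '\t' '
        $3 == "" { next }
        { perm = ($2 != "") ? $2 : "r" }   # assumption: no mask => read
        { print "  " $3 " " perm "," }' | LC_ALL=C sort -u
}

# Demo on the constructed sample; on a live host replace the printf with
# e.g.  journalctl -k  (or dmesg) captured after starting the guest.
printf '%s\n' "$SAMPLE_LOG" | rules_from_denials libvirt-
```

For the two lines in the report this prints `/ r,` and `/sys/bus/nd/devices/ r,`, which is the shape of allow rule the report says was upstreamed. Whether to accept a candidate is a judgement call: reading "/" is harmless on an LSB-style layout as the report notes, but a path under /etc or /var/lib deserves a look at why the guest process opened it before any rule is added, and an operator who wants the stricter behaviour writes the same path as a `deny` rule in the local override instead.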
