Apparmor denies /usr/libexec/virt-aa-helper access to ovmf files even when the profile allows it
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Expired | Undecided | Unassigned |
Bug Description
Hi,
This is a follow-up bug I'm pursuing with the Gentoo community in case upstream can give some guidance. The original bug is:
https:/
In summary, apparmor denies access to the files under /usr/share/
# virsh start os-1
error: Failed to start domain os-1
error: internal error: cannot load AppArmor profile 'libvirt-
os section of the domain:
<os>
<type arch='x86_64' machine=
<loader readonly='yes' type='pflash'
<nvram>
<boot dev='network'/>
<boot dev='hd'/>
</os>
# ls /usr/share/
OVMF_CODE.fd OVMF.fd OVMF_VARS.fd
# ls /var/lib/
/var/lib/
From libvirt.log:
2019-04-21 14:51:09.481+0000: 9347: error : virCommandWait:2636 : internal error: Child process (LIBVIRT_
2019-04-21 14:51:09.480+0000: 27054: info : hostname: mole
2019-04-21 14:51:09.480+0000: 27054: error : virStorageFileB
2019-04-21 14:51:09.480+0000: 27054: error : virStorageFileB
virt-aa-helper: error: /usr/share/
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
2019-04-21 14:51:09.481+0000: 9347: error : AppArmorGenSecu
# apparmor_parser -d usr.libexec.
Mode: r:r Name: (/usr/share/
# apparmor_parser -d usr.libexec.
----- Debugging built structures -----
Name: virt-aa-helper
Profile Mode: Enforce
Capabilities: dac_override dac_read_search
Network: inet inet6
--- Entries ---
Mode: r:r Name: (/**.[iI][sS][oO])
Mode: r:r Name: (/**.img)
Mode: r:r Name: (/**.qcow{,2})
Mode: r:r Name: (/**.qed)
Mode: r:r Name: (/**.raw)
Mode: r:r Name: (/**.vmdk)
Mode: r:r Name: (/**/disk{,.*})
Mode: r:r Name: (/dev/dri/{,*})
Mode: rwa:rwa Name: (/dev/full)
Mode: wa:wa Name: (/dev/log)
Mode: rwa:rwa Name: (/dev/null)
Mode: r:r Name: (/dev/random)
Mode: r:r Name: (/dev/urandom)
Mode: rwa:rwa Name: (/dev/zero)
Mode: r:r Name: (/etc/apparmor.
Mode: rwa:rwa Name: (/etc/apparmor.
Mode: r:r Name: (/etc/bindresvp
Mode: rm:rm Name: (/etc/ld.so.cache)
Mode: r:r Name: (/etc/ld.so.conf)
Mode: r:r Name: (/etc/ld.
Mode: r:r Name: (/etc/ld.
Mode: r:r Name: (/etc/libnl-
Mode: r:r Name: (/etc/locale.alias)
Mode: r:r Name: (/etc/locale/**)
Mode: r:r Name: (/etc/localtime)
Mode: rwalkmx: Name: (/home/
link: (/**)
Mode: rm:rm Name: (/opt/*
Mode: r:r Name: (/proc/
Mode: r: Name: (/proc/
Mode: r:r Name: (/proc//cpuinfo)
Mode: r:r Name: (/proc/
Mode: r:r Name: (/proc//meminfo)
Mode: r:r Name: (/proc//stat)
Mode: r:r Name: (/proc/
Mode: r:r Name: (/proc/
Mode: r:r Name: (/proc/
Mode: r:r Name: (/proc/
Mode: r:r Name: (/proc/
Mode: r:r Name: (/proc/
Mode: wa:wa Name: (/run/systemd/
Mode: wa:wa Name: (/run/systemd/
Mode: rwa:rwa Name: (/run/systemd/
Mode: r:r Name: (/sys//
Mode: r:r Name: (/sys//
Mode: r:r Name: (/sys/bus/
Mode: r:r Name: (/sys/devices/)
Mode: r:r Name: (/sys/devices/**)
Mode: rm:rm Name: (/usr/lib/
Mode: rm:rm Name: (/usr/lib/
Mode: rm:rm Name: (/usr/libexec/
Mode: rm:rm Name: (/usr/lib{
Mode: rm:rm Name: (/usr/lib{
Mode: rm:rm Name: (/usr/lib{
Mode: r:r Name: (/usr/share/
Mode: r:r Name: (/usr/share/
Mode: r:r Name: (/usr/share/
Mode: r:r Name: (/usr/share/
Mode: r:r Name: (/usr/share/
Mode: r:r Name: (/usr/share/
Mode: r:r Name: (/usr/share/
Mode: r:r Name: (/usr/share/
Mode: r:r Name: (/usr/share/
Mode: r:r Name: (/var/lib/
Mode: r:r Name: (/var/lib/
Mode: r:r Name: (/var/lib/
Mode: r:r Name: (/{,var/
Mode: r:r Name: (/{media,
Mode: r:r Name: (/{usr/
Mode: rm:rm Name: (/{usr/
Mode: rm:rm Name: (/{usr/
Mode: rm:rm Name: (/{usr/
Mode: rm:rm Name: (/{usr/
Mode: rm:rm Name: (/{usr/
Mode: rm:rm Name: (/{usr/
Mode: rm:rm Name: (/{usr/
Mode: r:r Name: (/{usr/
Mode: rm:rm Name: (/{usr/
Mode: rm:rm Name: (/{usr/
Mode: rm:rm Name: (/{usr/
Mode: x:x Name: (/{usr/
Mode: r:r Name: ({/home//*,/root}/)
Mode: r:r Name: ({/home/
Mode: rwalkmx: Name: ({/home/
link: (/**)
Mode: r:r Name: (/dev/dasd*)
Mode: r:r Name: (/dev/dm-*)
Mode: r:r Name: (/dev/drbd[0-9]*)
Mode: r:r Name: (/dev/mapper/)
Mode: r:r Name: (/dev/mapper/*)
Mode: r:r Name: (/dev/nvme*)
Mode: r:r Name: (/dev/sd*)
Mode: r:r Name: (/dev/vd*)
Mode: r:r Name: (/dev/zd[0-9]*)
Mode: r:r Name: (/proc/
Mode: rwalkm:rwalkm Name: ({/home/
link: (/**)
Mode: rwa:rwa Name: ({/home/
Mode: rwalkm:rwalkm Name: ({/home/
link: (/**)
Mode: rwa:rwa Name: ({/home/
Mode: rwalkm:rwalkm Name: ({/home/
link: (/**)
ptrace (readby ),
ptrace (tracedby ),
ptrace (read ) virt-aa-helper,
signal (receive ) unconfined,
signal virt-aa-helper,
signal set=(exists),
unix () peer=( label="
unix () peer=( label="
unix (),
unix (),
And from further investigation, setting the profile in complain mode doesn't allow the VMs to start either:
# aa-complain usr.libexec.
Setting /etc/apparmor.
# apparmor_parser -d /etc/apparmor.
----- Debugging built structures -----
Name: virt-aa-helper
Profile Mode: Complain
Capabilities: dac_override dac_read_search
Network: inet inet6
...
# virsh start os-1
error: Failed to start domain os-1
error: internal error: cannot load AppArmor profile 'libvirt-
And the error in the libvirtd.log:
2019-04-21 19:09:41.910+0000: 9349: error : virCommandWait:2636 : internal error: Child process (LIBVIRT_
2019-04-21 19:09:41.909+0000: 41822: info : hostname: mole
2019-04-21 19:09:41.909+0000: 41822: error : virStorageFileB
2019-04-21 19:09:41.909+0000: 41822: error : virStorageFileB
virt-aa-helper: error: /usr/share/
virt-aa-helper: error: skipped restricted file
virt-aa-helper: error: invalid VM definition
This is based on vanilla kernel 5.0.8, apparmor 2.13.2.
Thanks!
José.
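An added check, not part of this report and not code from libvirt or AppArmor: the script below parses the `Mode: ... Name: (...)` entries that `apparmor_parser -d` prints (as in the output above) and reports which rules match a given path with a given permission, using AppArmor's file-glob semantics (`**` crosses `/`, `*` and `?` do not, `[...]` character classes, `{a,b}` alternation). The sample entries are constructed: most are copied verbatim from the debug output in this report, and the `/usr/share/OVMF/*.fd` rule is hypothetical, standing in for the truncated `/usr/share/` entries whose full paths the page does not show. The reading of the Mode column (the field before `:` is the permission set, the field after it is ignored) is an assumption.

```python
import re

# Constructed sample input in the format printed by `apparmor_parser -d`
# ("Mode: <perms> Name: (<glob>)"). Most lines are copied from the report;
# the /usr/share/OVMF/*.fd rule is hypothetical, standing in for the
# truncated /usr/share/ entries.
SAMPLE_ENTRIES = """\
Mode: r:r Name: (/**.[iI][sS][oO])
Mode: r:r Name: (/**.img)
Mode: r:r Name: (/**.qcow{,2})
Mode: r:r Name: (/dev/dm-*)
Mode: r:r Name: (/dev/mapper/*)
Mode: r:r Name: (/sys/devices/**)
Mode: rwa:rwa Name: (/dev/null)
Mode: r:r Name: (/usr/share/OVMF/*.fd)
"""

ENTRY_RE = re.compile(r"^Mode:\s*(\S+)\s+Name:\s*\((.*)\)\s*$")


def parse_entries(text):
    """Return (mode, glob) tuples for every 'Mode: ... Name: (...)' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def glob_to_regex(glob):
    """Translate an AppArmor file glob into an anchored regex.

    '**' matches any run of characters including '/', '*' any run
    excluding '/', '?' one non-'/' character, '[...]' a character class
    and '{a,b}' alternation (nesting allowed). Everything else is literal.
    """
    out = []
    depth = 0          # current '{...}' nesting depth
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):
                out.append(".*")
                i += 2
                continue
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.find("]", i + 1)
            if j < 0:
                raise ValueError("unterminated '[' in %r" % glob)
            out.append("[" + glob[i + 1:j] + "]")   # class body used as-is
            i = j
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in %r" % glob)
    return re.compile("^" + "".join(out) + "$")


def matching_rules(entries, path, perm):
    """Globs whose rule matches `path` and whose permission set includes `perm`.

    Assumption: only the field before ':' in the Mode column is the
    permission set; the field after it is not interpreted here.
    """
    hits = []
    for mode, glob in entries:
        perms = mode.split(":", 1)[0]
        if perm in perms and glob_to_regex(glob).match(path):
            hits.append(glob)
    return hits


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_ENTRIES)
    for path in ("/usr/share/OVMF/OVMF_CODE.fd",
                 "/var/lib/libvirt/images/os-1.qcow2",
                 "/dev/mapper/a/b"):
        print(path, "->", matching_rules(entries, path, "r") or "no matching rule")
```

Feed it the real `apparmor_parser -d` output and the loader/nvram paths from the domain XML to confirm whether the loaded profile would permit the access. A match is necessary but not sufficient: the `skipped restricted file` / `invalid VM definition` messages are emitted by virt-aa-helper itself while it validates the paths in userspace, before the kernel policy is consulted at all, which fits the observation that complain mode changes nothing. So use the check to rule the profile text in or out as the cause, not as proof that virt-aa-helper will accept the file.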
For completeness, this is the output of what happens when I disable apparmor on the system; the same domain is used:
# virsh start os-1
Domain os-1 started
From libvirtd.log:
2019-04-21 20:59:39.777+0000: 8775: info : libvirt version: 5.2.0
2019-04-21 20:59:39.777+0000: 8775: info : hostname: mole
2019-04-21 20:59:39.777+0000: 8775: warning : qemuDomainObjTaint:8050 : Domain id=1 name='mirror' uuid=6f017442-432a-4c94-b4dd-3247f524e075 is tainted: high-privileges
2019-04-21 20:59:39.842+0000: 8775: warning : qemuDomainObjTaint:8050 : Domain id=1 name='mirror' uuid=6f017442-432a-4c94-b4dd-3247f524e075 is tainted: host-cpu
2019-04-21 20:59:49.385+0000: 8774: warning : qemuDomainObjTaint:8050 : Domain id=2 name='os-1' uuid=34c41008-ab91-483b-959c-81a7a12ae9be is tainted: high-privileges
2019-04-21 20:59:49.385+0000: 8774: warning : qemuDomainObjTaint:8050 : Domain id=2 name='os-1' uuid=34c41008-ab91-483b-959c-81a7a12ae9be is tainted: host-cpu
Ignore the mirror domain as it's not ovmf related, and it works either with or without apparmor.