LibVirt Apparmor profile has qemu-bridge-helper listed in the wrong directory
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Medium | Unassigned |
Eoan | Fix Released | Medium | Unassigned |
Bug Description
[Impact]
* Upstream changed the apparmor profiles of libvirt to be named profiles (instead of being path based). Yet some rules still used the old paths, so they no longer applied.
* Backport the upstreamed fix to have the rules match and let qemu-bridge-helper work again.
[Test Case]
* #1 Static
The installed rules should use labels
# grep qemu_bridge_helper /etc/apparmor.
good:
unix ... peer=(label=
bad:
unix ... peer=(label=
Essentially, the change made by the applied patch needs to reach the installed system.
* #2 Dynamic
$ apt install virt-manager
# Prep qemu-bridge helper
$ sudo mkdir /etc/qemu/
$ echo "allow virbr0" | sudo tee -a /etc/qemu/
$ sudo chown ubuntu:libvirt-qemu /etc/qemu/
$ sudo chmod 0640 /etc/qemu/
$ sudo chmod u+s /usr/lib/
# create a system of your choice e.g. based on an ubuntu iso
$ wget http://
$ mv mini.iso .local/
$ virt-manager
# use the session connection
# "Add connection", select "user session"
# "Create guest" under "user session"
# On the network tab change "usermode networking" to "Specify shared device name"
# Bridge name is "virbr0"
# Starting the guest will fail and apparmor denies:
[985025.273241] audit: type=1400 audit(158443678
[985025.273245] audit: type=1400 audit(158443678
[985025.273586] audit: type=1400 audit(158443678
This is due to the bridge helper being confined via a Cx rule whose peer label was not matched correctly.
There are further blockers since the usage of the helper is insecure and needs further steps, but apparmor should no longer trigger those denials, which is enough for this test.
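Static test case #1 boils down to a grep over the installed profile. The script below is an added example (not part of the bug report, of libvirt, or of the Ubuntu packaging) that turns it into a repeatable check: it flags every `unix ... peer=(label=...)` rule referring to qemu_bridge_helper whose label is path based (starts with `/`), since such labels no longer match a named profile. It generalises slightly beyond the page by catching any path-based peer label, not just one specific string. The sample profile fragments, including the exact label values `libvirtd//qemu_bridge_helper` and `/usr/sbin/libvirtd//qemu_bridge_helper`, are constructed here and are assumptions; the page truncates the real good/bad lines.

```shell
#!/bin/sh
# Added example, not from the bug report or from libvirt's packaging.
# Implements static test case #1: every "unix ... peer=(label=...)" rule
# mentioning qemu_bridge_helper must use a named-profile label, never a path.

# Write a small constructed profile fragment (assumed, not the real
# usr.sbin.libvirtd) to $1; $2 selects "named" (good) or "path" (bad) labels.
write_sample_profile() {
    if [ "$2" = "named" ]; then
        label='libvirtd//qemu_bridge_helper'          # assumed good label
    else
        label='/usr/sbin/libvirtd//qemu_bridge_helper' # assumed stale, path-based label
    fi
    cat > "$1" <<EOF
# constructed fragment in the style of usr.sbin.libvirtd (assumption)
  /usr/{lib,lib64}/qemu/qemu-bridge-helper Cx -> qemu_bridge_helper,
  unix (send, receive) type=stream addr=none peer=(label=${label}),
EOF
}

# Check one profile file. Exit status 0 when all qemu_bridge_helper peer
# labels are named; 1 (with the offending lines printed) when any is a path.
check_bridge_helper_labels() {
    profile="$1"
    # count rules that reference qemu_bridge_helper and carry a path-based label
    bad=$(grep 'qemu_bridge_helper' "$profile" | grep -c 'peer=(label=/' || true)
    if [ "$bad" -ne 0 ]; then
        echo "$profile: path-based peer label(s); the rule cannot match a named profile:"
        grep -n 'qemu_bridge_helper' "$profile" | grep 'peer=(label=/'
        return 1
    fi
    echo "$profile: all qemu_bridge_helper peer labels are named"
    return 0
}

# Usage demo on a constructed "bad" fragment. On a real system point the
# check at /etc/apparmor.d/usr.sbin.libvirtd, the file the test case greps.
demo=$(mktemp)
write_sample_profile "$demo" path
check_bridge_helper_labels "$demo" || echo "=> the patched profile has not reached this system"
rm -f "$demo"
```

A passing run on the real file is the same evidence the test case asks for; a failing run lists the rules that still carry the old path so they can be compared against the backported patch.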
[Regression Potential]
* This change will re-enable an apparmor profile that was formerly not detected and active correctly. For libvirt that means it was unable to send/receive from qemu-bridge-helper and now it is - don't see a problem on that.
But if people added some custom measures to get this part of the communication right then the change will start to apparmor-guard qemu-bridge-helper which it wasn't before. That could trigger apparmor denials for them - OTOH for years there was no denial reported since that was the same from Precise to Disco so I doubt this is a real issue that will happen.
[Other Info]
* n/a
--
On the last update of libvirt-
qemu-system-common: /usr/lib/
The /etc/apparmor.
Not sure if this is the correct place for this bug.
Related branches
- Rafael David Tinoco (community): Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 96 lines (+74/-0), 3 files modified:
- debian/changelog (+7/-0)
- debian/patches/series (+1/-0)
- debian/patches/ubuntu/lp-1655111-apparmor-fix-qemu_bridge_helper-for-named-profile.patch (+66/-0)
This is on:
Description: Ubuntu Zesty Zapus (development branch)
Release: 17.04