apparmor denial: qemu cannot read /proc/*/cmdline

Bug #1693115 reported by Martin Pitt
Affects           Status   Importance  Assigned to  Milestone
libvirt (Ubuntu)  Triaged  Undecided   Unassigned

Bug Description

When using libvirt to run QEMU instances, I get an AppArmor violation:

type=1400 audit(1495609606.700:14): apparmor="DENIED" operation="open" profile="libvirt-fd3f661a-7fe3-4ab2-b1e8-d16efb5107c5" name="/proc/1210/cmdline" pid=6002 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

This should be mostly harmless, but it does trigger a red flag in Cockpit's tests. This does not happen yet on Ubuntu 16.04.

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: libvirt-daemon-system 2.5.0-3ubuntu5
ProcVersionSignature: Ubuntu 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4
Architecture: amd64
Date: Wed May 24 03:10:38 2017
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Christian Ehrhardt (paelzer) wrote :

Hi Martin,
I just released a fix for this via bug 1680384.

/etc/apparmor.d/abstractions/libvirt-qemu should now have a line like:
  /proc/*/cmdline r,

Xenial isn't affected as the qemu code there did not yet try to report who killed it (that is what it reads it for).
Fixed in Artful for about 3 weeks now, released into Yakkety and Zesty just recently.

Due to the timing of your report I'm somewhat scared that the release of the fix had kind of the inverse effect for you?

Could you please check bug 1680384 which is what I released the fixes with?
And let me know if you are good with the new versions now?

In the worst case this is an update-regression, but for now I hope that was just accidental timing on your report and you are actually benefiting from me having this fixed already.

cu
Christian

Changed in libvirt (Ubuntu):
status: New → Incomplete
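To show how the denial quoted in the report lines up with the abstraction rule Christian describes, here is an added example (not code from the bug report, libvirt or AppArmor): it parses type=1400 audit records, applies a simplified version of AppArmor's path-glob matching to candidate rules, and lists which denials a rule such as `/proc/*/cmdline r,` would still leave uncovered. The second audit line and the reduced glob handling (`*` within one path component, `**` across components, no `{a,b}` or character classes) are assumptions made for the example.

```python
import re

# Constructed sample: the denial quoted in the report plus one ALLOWED record
# for contrast (the second line is made up, not from the report).
AUDIT_LINES = [
    'type=1400 audit(1495609606.700:14): apparmor="DENIED" operation="open" '
    'profile="libvirt-fd3f661a-7fe3-4ab2-b1e8-d16efb5107c5" name="/proc/1210/cmdline" '
    'pid=6002 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'type=1400 audit(1495609607.100:15): apparmor="ALLOWED" operation="open" '
    'profile="libvirt-fd3f661a-7fe3-4ab2-b1e8-d16efb5107c5" name="/proc/1210/status" '
    'pid=6002 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
]
# The rule the fix adds to /etc/apparmor.d/abstractions/libvirt-qemu.
FIXED_RULES = [("/proc/*/cmdline", "r")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(line):
    """Split one type=1400 audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def glob_to_regex(path_glob):
    """AppArmor path glob -> regex. Simplified (assumption): '**' may span '/',
    '*' stays within one path component; {a,b} and character classes are not handled."""
    pattern, i = "", 0
    while i < len(path_glob):
        if path_glob.startswith("**", i):
            pattern, i = pattern + ".*", i + 2
        elif path_glob[i] == "*":
            pattern, i = pattern + "[^/]*", i + 1
        else:
            pattern, i = pattern + re.escape(path_glob[i]), i + 1
    return re.compile("^" + pattern + "$")

def rule_covers(rule, path, mask):
    """True if (glob, perms) matches `path` and grants every permission bit in `mask`."""
    glob, perms = rule
    return glob_to_regex(glob).match(path) is not None and set(mask) <= set(perms)

def uncovered_denials(lines, rules):
    """(profile, path, mask) for each DENIED record that no rule in `rules` would allow."""
    hits = []
    for rec in map(parse_audit, lines):
        if rec.get("apparmor") != "DENIED":
            continue
        if not any(rule_covers(r, rec["name"], rec["denied_mask"]) for r in rules):
            hits.append((rec["profile"], rec["name"], rec["denied_mask"]))
    return hits
```

Running `uncovered_denials(AUDIT_LINES, [])` reproduces the report's denial; with `FIXED_RULES` the list is empty, which is the check to run after the SRU lands before re-running the Cockpit tests.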
Revision history for this message
Martin Pitt (pitti) wrote :

Sure enough it works with the fix in bug 1680384, my test image didn't have that SRU yet.

Love it when bugs get retroactively fixed, thanks Christian!

Changed in libvirt (Ubuntu):
status: Incomplete → Triaged