apparmor denies related to nvdimms/nfit
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libvirt (Ubuntu) | Fix Released | High | Christian Ehrhardt | |
Bug Description
[Impact]
* Backport the apparmor rules that I upstreamed (have ack of JDstrand)
to avoid nvdimm initialization of libpmem (done always even if not used)
to not spill denials into the log all the time.
* The upload also contains a backport of a CVE fix I was pointed to
by mdeslaur
[Test Case]
* Start qemu and check apparmor denials (pre tested on PPAs)
* Check virsh interaction if any timeouts change (I've seen none in pre-tests)
[Regression Potential]
* This is not adding new denials, only adding allows. Thereby the
regression risk is minimal.
If anything then allowing to read "/" itself would be disallowed in some
environments, but according to jdstrand it is safe in any LSB compliant
systems and as always users that want extra isolation can add denial
rules to local apparmor overrides.
* The timeout is safe as well as it does not add/remove timeouts, instead
it only forbids changing it via the read-only connection
[Other Info]
* This isn't technically an SRU, but I have learned that filling these
templates helps the release Team to accept changes while in 20.04 Freeze
time.
---
On guest start I see:
apparmor="DENIED" operation="open" profile=
apparmor="DENIED" operation="open" profile=
The latter could be allowed if we understand why it happens?
The former looks like a programming error and I'd want to know where it comes from exactly.
CMDline was
usr/bin/
-name guest=f-
-S \
-object secret,
-machine pc-q35-
-cpu qemu64 \
-m 4096 \
-overcommit mem-lock=off \
-smp 8,sockets=
-uuid 2afb2039-
-no-user-config \
-nodefaults \
-chardev socket,
-mon chardev=
-rtc base=utc \
-no-shutdown \
-boot strict=on \
-device pcie-root-
-device pcie-root-
-device pcie-root-
-device pcie-root-
-device pcie-root-
-device pcie-root-
-device pcie-root-
-device qemu-xhci,
-device virtio-
-blockdev '{"driver"
-blockdev '{"node-
-blockdev '{"driver"
-blockdev '{"node-
-device virtio-
-blockdev '{"driver"
-blockdev '{"node-
-device virtio-
-netdev tap,fd=
-device virtio-
-chardev pty,id=charserial0 \
-device isa-serial,
-chardev socket,
-device virtserialport,
-vnc 127.0.0.1:0 \
-spice port=5901,
-device qxl-vga,
-device virtio-
-sandbox on,obsolete=
-msg timestamp=on
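To make the "check apparmor denials" step of the test case repeatable, here is an added example (not part of the bug report or of the libvirt packaging) that parses AppArmor DENIED audit lines and separates the read-only accesses to "/" and /sys/bus/nd, which the bug text says the backported rules allow, from anything else. The log lines, the profile name and the pid values are constructed; the exact paths the new rules cover are an assumption drawn from the description and the last comment.

```python
import re
from collections import Counter

# Constructed sample audit lines shaped like the truncated DENIED lines quoted
# in the report; profile uuid, pid and the last path are made up for the demo.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/sys/bus/nd/" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r"
apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r"
apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/sys/bus/nd/" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r"
apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/var/lib/example" pid=4242 comm="qemu-system-x86" requested_mask="wr" denied_mask="w"
apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirtd" pid=1
"""

# key=value pairs; values are either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(line)}


def covered_by_pmem_rules(fields):
    """Assumption: the backported rules grant read-only access to "/" itself
    and to the nvdimm sysfs tree under /sys/bus/nd/ (see bug text)."""
    name = fields.get("name", "")
    mask = fields.get("denied_mask", "")
    if set(mask) - set("r"):          # anything beyond read is not covered
        return False
    return name == "/" or name.startswith("/sys/bus/nd/")


def summarize(log_text):
    """Count denials by (profile, path, mask); split expected vs. unexpected."""
    expected, unexpected = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if not f:
            continue
        key = (f.get("profile"), f.get("name"), f.get("denied_mask"))
        (expected if covered_by_pmem_rules(f) else unexpected)[key] += 1
    return expected, unexpected


if __name__ == "__main__":
    exp, unexp = summarize(SAMPLE_LOG)
    print("expected libpmem denials (fixed by the new allow rules):", dict(exp))
    print("other denials that still need investigation:", dict(unexp))
```

On a real host, feed it `journalctl -k` or /var/log/audit/audit.log output before and after installing the fixed package; the "expected" counter should drop to zero while the "unexpected" counter shows anything the new rules do not touch.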
Related branches
- Rafael David Tinoco (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
Diff: 125 lines (+97/-0), 4 files modified
- debian/changelog (+10/-0)
- debian/patches/series (+2/-0)
- debian/patches/ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch (+47/-0)
- debian/patches/ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch (+38/-0)
Changed in libvirt (Ubuntu):
- status: New → In Progress
- assignee: nobody → Christian Ehrhardt (paelzer)
- importance: Undecided → High
- description: updated
- description: updated
/sys/bus/nd should be NFIT-ND as described in https://lwn.net/Articles/640891/