prometheus-libvirt-exporter-snap

Libvirt AppArmor profile blocks ptrace call from snap

Bug #1954934 reported by Giuseppe Petralia
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Prometheus libvirt exporter charm
Fix Released
Undecided
Unassigned
prometheus-libvirt-exporter-snap
Won't Fix
Undecided
Unassigned

Bug Description

the exporter uses the libvirt interface.
When it is connected even if it is able to collect correctly all the metrics the kernel keeps logging:

```
Dec 15 11:43:57 peppepetra-XPS-13 kernel: [179654.196285] audit: type=1400 audit(1639565037.354:20192): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=12766 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.prometheus-libvirt-exporter.daemon"
Dec 15 11:44:10 peppepetra-XPS-13 kernel: [179667.726772] audit: type=1400 audit(1639565050.886:20210): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=12766 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.prometheus-libvirt-exporter.daemon"
Dec 15 11:44:16 peppepetra-XPS-13 kernel: [179673.103116] audit: type=1400 audit(1639565056.262:20211): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=12766 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.prometheus-libvirt-exporter.daemon"
```

Related branches

~peppepetra/charm-prometheus-libvirt-exporter:lp-1954934
🤖 prod-jenkaas-bootstack (community): Approve (continuous-integration)
James Troup (community): Needs Fixing
Canonical IS Reviewers: Pending requested
BootStack Reviewers: Pending requested
Diff: 176 lines (+109/-5)
6 files modified
Makefile (+3/-2)
src/reactive/prometheus-libvirt-exporter.py (+27/-0)
src/tests/unit/__init__.py (+1/-0)
src/tests/unit/requirements.txt (+4/-0)
src/tests/unit/test_prometheus_libvirt_exporter.py (+69/-0)
src/tox.ini (+5/-3)
Revision history for this message
Giuseppe Petralia (peppepetra) wrote :

Related bug https://bugs.launchpad.net/snapd/+bug/1954935

Revision history for this message
Giuseppe Petralia (peppepetra) wrote :

Given that output doesn't change if ptrace is denied or allowed, I propose to fix that with a charm hook that needs to:

1. Update local/usr.sbin.libvirtd apparmor profile adding:
   deny ptrace (read) peer=snap.prometheus-libvirt-exporter.daemon,

2. Reload libvirtd apparmor profile:
   apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd

Ref. https://wiki.debian.org/AppArmor/HowToUse#Edit_AppArmor_profiles

Giuseppe Petralia (peppepetra)
Changed in charm-prometheus-libvirt-exporter:
status: New → Fix Committed
JamesLin (jneo8)
Changed in charm-prometheus-libvirt-exporter:
status: Fix Committed → Fix Released
Revision history for this message
JamesLin (jneo8) wrote :

This bug don't require change in snap

Changed in prometheus-libvirt-exporter-snap:
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.