using .iso files from ~Downloads should work

Bug #2002773 reported by Christian Ehrhardt 
This bug affects 3 people
Affects: libvirt (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

FYI: This is a fork of bug 1784001

Here we want to focus on a rather common expectation and use-case.
Which is downloading an ISO => defaults to ~/Downloads/foo.iso

And then using that to create a guest in virt-manager.

We have documented that the use of uncommon paths is insecure and needs explicit admin allowance via apparmor local include files, see "Apparmor isolation" => https://ubuntu.com/server/docs/virtualization-libvirt#apparmor-isolation

But the common paths to be expected are:

  @{HOME}/ r,
  @{HOME}/** r,
  /var/lib/libvirt/images/ r,
  /var/lib/libvirt/images/** r,

The latter is for typical system usage and is working fine (reported as a workaround to get it going in the bug this was forked from).
But while one could argue allowing @HOME is a security issue in the first place, it was added ages ago for user comfort and for now is as it is.

Due to that, virt-aa-helper should be able to read images (and ISOs should be just images in that regard) in the home directories and add permissions to access them to the dynamic per-guest profile based on what virt-manager creates.

But we've got reports of permission denied (see https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1784001/comments/9) and that should work.

Next steps:
1. reproduce the situation
2. analyze the created dynamic per-guest apparmor profile (is the .iso there and if so which rule exactly)
3. analyze the permission denied issue, is it apparmor at all, is it file ownership, ... ?

Tags: server-todo
tags: added: server-todo
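
As an added example (not part of the original report and not libvirt's own code), steps 2 and 3 of the list above can be scripted: parse the per-guest rules file and the kernel audit lines to see which rule names the ISO and whether AppArmor was the denier at all. The sample rules, audit line, paths, UUID and verdict strings are constructed; only literal path rules are matched, not AppArmor globs.

```python
import re

# Constructed sample: rules in the style virt-aa-helper writes to
# /etc/apparmor.d/libvirt/libvirt-<uuid>.files (paths are made up).
SAMPLE_RULES = '''\
  "/var/lib/libvirt/images/guest1.qcow2" rwk,
  "/home/alice/Downloads/foo.iso" rk,
  deny "/home/alice/Downloads/foo.iso" w,
'''
# Constructed sample: kernel audit record for an AppArmor denial.
SAMPLE_AUDIT = (
    'audit: type=1400 audit(1673600000.101:210): apparmor="DENIED" '
    'operation="open" profile="libvirt-00000000-0000-0000-0000-000000000001" '
    'name="/home/alice/Downloads/bar.iso" pid=4242 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=64055 ouid=1000\n'
)
RULE_RE = re.compile(r'^\s*(deny\s+)?"([^"]+)"\s+([a-zA-Z]+),\s*$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def rules_for(path, rules_text):
    """Step 2: (is_deny, perms) for each rule naming `path` literally."""
    hits = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) == path:
            hits.append((bool(m.group(1)), m.group(3)))
    return hits

def denials_for(path, audit_text):
    """Step 3: denied_mask of each AppArmor DENIED record for `path`."""
    out = []
    for line in audit_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") == "DENIED" and fields.get("name") == path:
            out.append(fields.get("denied_mask", ""))
    return out

def triage(path, rules_text, audit_text):
    """Classify a 'permission denied' on `path` from profile and audit log."""
    allowed = "".join(p for deny, p in rules_for(path, rules_text) if not deny)
    denied = denials_for(path, audit_text)
    if not denied:
        return "not-apparmor"        # look at file ownership/mode next
    if not allowed:
        return "apparmor-no-rule"    # path absent from per-guest profile
    if set("".join(denied)) - set(allowed):
        return "apparmor-mask"       # rule exists but lacks the denied access
    return "apparmor-other"          # rule covers it; check for a stale profile
```

On a real host the two text inputs would come from the guest's `.files` profile and from the kernel log; a "not-apparmor" verdict points the investigation at file ownership and mode instead.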
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libvirt (Ubuntu):
status: New → Confirmed
Heather Ellsworth (hellsworth) wrote :

FWIW this did work on 22.10 with libvirt 8.6.0-0ubuntu3.1. My downloaded isos on 22.10 would be owned by my user and usable from the ~/Downloads folder.

Christian Ehrhardt  (paelzer) wrote :

Michal please check this for all our active release

Changed in libvirt (Ubuntu):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Michał Małoszewski (michal-maloszewski99) wrote :

I have tested the issue on all active releases. I couldn't reproduce the issue on Bionic, Focal, Jammy and Kinetic containers. I need to check Lunar. I had slight problems with the reproducer with that release. The situation on Lunar will be provided this week.

Michał Małoszewski (michal-maloszewski99) wrote :

I could not reproduce the issue on Lunar either.

Changed in libvirt (Ubuntu):
status: Confirmed → Invalid
Michał Małoszewski (michal-maloszewski99) wrote :

In other words, there is no such problem with creating a guest in virt-manager using an iso located in the /Downloads dir. That works fine.
Therefore I am going to unassign myself and change the status of the bug to Invalid.

Changed in libvirt (Ubuntu):
assignee: Michał Małoszewski (michal-maloszewski99) → nobody