apparmor profile for libvirt does not allow hooks to be executed

Bug #891472 reported by Someone
Affects            Status        Importance  Assigned to  Milestone
libvirt (Ubuntu)   Fix Released  Low         Unassigned
  Maverick         Won't Fix     Undecided   Unassigned
  Natty            Won't Fix     Undecided   Unassigned
  Oneiric          Won't Fix     Undecided   Unassigned

Bug Description

==============================================================
SRU Justification:
1. Impact: libvirt hooks cannot be used
2. Development fix: add apparmor rule to allow use of libvirt hooks
3. Stable fix: same as development fix
4. Test case:
 a. install libvirt
 b. create /etc/libvirt/hooks/daemon containing:
#!/bin/sh
date >> /tmp/libvirt-hook-debug
 c. stop libvirt-bin; start libvirt-bin
 d. check whether /tmp/libvirt-hook-debug exists
5. Regression potential: if the profile has a syntax error, it could cause problems loading the profile, or lead to too much or insufficient privilege for libvirt to run.
==============================================================
The hooks documented in http://www.libvirt.org/hooks.html cannot be executed; there is no mention of them in the apparmor profile.

For example, the "daemon" hook produces this message in the log:

Nov 17 06:54:06 nexus kernel: [ 8914.624912] type=1400 audit(1321498446.082:65): apparmor="DENIED" operation="exec" parent=4756 profile="/usr/sbin/libvirtd" name="/etc/libvirt/hooks/daemon" pid=4757 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Description: Ubuntu 11.10
Release: 11.10

libvirt-bin:
  Installed: 0.9.2-4ubuntu15.1
  Candidate: 0.9.2-4ubuntu15.1
  Version table:
 *** 0.9.2-4ubuntu15.1 0
        500 http://xx.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.9.2-4ubuntu15 0
        500 http://xx.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages

Tags: apparmor
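As an added example (not part of the bug report or the libvirt package), a small POSIX shell script that detects the symptom above in log text and checks whether a profile file carries a hooks rule; the sample log lines and profile fragments inside it are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or the libvirt package: two checks a
# defender can run for this bug.
#  libvirt_hook_denials  - read kernel/audit log text on stdin and print
#                          "operation profile path" for each AppArmor DENIED
#                          event against /etc/libvirt/hooks/... (the symptom).
#  profile_allows_hooks  - check whether a profile file (or local include)
#                          has an uncommented rule granting x on the hooks dir.
libvirt_hook_denials() {
    awk '
    /apparmor="DENIED"/ && /name="\/etc\/libvirt\/hooks\// {
        op = $0;   sub(/.*operation="/, "", op);  sub(/".*/, "", op)
        prof = $0; sub(/.*profile="/, "", prof);  sub(/".*/, "", prof)
        path = $0; sub(/.*name="/, "", path);     sub(/".*/, "", path)
        print op, prof, path
    }'
}

# $1: AppArmor profile path. Returns 0 if it contains a rule such as
#   /etc/libvirt/hooks/* ix,   or   /etc/libvirt/hooks/** rmix,
# (the two forms proposed in this bug), 1 otherwise. Comment lines are ignored.
profile_allows_hooks() {
    grep -v '^[[:space:]]*#' "$1" |
    grep -Eq '^[[:space:]]*/etc/libvirt/hooks/\*\*?[[:space:]]+[a-zA-Z]*x,'
}
# Constructed sample log: the denial quoted in the bug, a read denial on the
# same hook, and an allowed exec (complain mode) that must not be reported.
SAMPLE_LOG='Nov 17 06:54:06 nexus kernel: [ 8914.624912] type=1400 audit(1321498446.082:65): apparmor="DENIED" operation="exec" parent=4756 profile="/usr/sbin/libvirtd" name="/etc/libvirt/hooks/daemon" pid=4757 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 17 06:54:07 nexus kernel: [ 8915.000001] type=1400 audit(1321498447.000:66): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/libvirt/hooks/daemon" pid=4757 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 17 06:54:08 nexus kernel: [ 8916.000001] type=1400 audit(1321498448.000:67): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/libvirtd" name="/etc/libvirt/hooks/qemu" pid=4758 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'

# Constructed profile fragments: before the fix (rule only in a comment) and after.
make_profiles() {
    d=$(mktemp -d)
    printf '  /usr/bin/* PUx,\n  # /etc/libvirt/hooks/** rmix,\n' > "$d/before"
    printf '  /usr/bin/* PUx,\n  /etc/libvirt/hooks/** rmix,\n' > "$d/after"
    echo "$d"
}

main() {
    printf '%s\n' "$SAMPLE_LOG" | libvirt_hook_denials
    d=$(make_profiles)
    for p in before after; do
        if profile_allows_hooks "$d/$p"; then echo "$p: hooks allowed"; else echo "$p: hooks denied"; fi
    done
    rm -rf "$d"
}
main
```

On a live host, feed it with the kernel log (for example the output of dmesg or the contents of /var/log/kern.log) and point profile_allows_hooks at /etc/apparmor.d/usr.sbin.libvirtd.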

Jamie Strandboge (jdstrand) wrote :

This should work if you add the following to /etc/apparmor.d/bin/usr.sbin.libvirtd (under the '/usr/bin/* PUx' rule):
  /etc/libvirt/hooks/* ix,

Hooks are called by the trusted libvirtd daemon, not by the AppArmor protected guests so this rule is safe to add to the AppArmor profile as libvirtd is expected to run (essentially) unconfined.

Changed in libvirt (Ubuntu):
status: New → Triaged
Serge Hallyn (serge-hallyn) wrote :

@Jamie,

should that be added to the profile in precise?

Changed in libvirt (Ubuntu):
importance: Undecided → Low
Jamie Strandboge (jdstrand) wrote :

If the bug reporter reports that adding it and performing 'apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd' solves the problem for him, sure.

Lee T. Schermerhorn (lee-schermerhorn) wrote :

I can verify that the following rule does allow libvirtd to execute hooks:

  /etc/libvirt/hooks/** rmix,

Notes:

1) I actually modified /etc/apparmor.d/bin/usr.sbin.libvirtd to contain:

    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.libvirtd>

like other profiles, because I thought the profile should support local additions [a separate issue, I know]. Then, I added the hooks rule above in /etc/apparmor.d/bin/local/usr.sbin.libvirtd. But, really, the hooks rule should be part of the base libvirtd profile.

2) I used the '**' because I use generic daemon and qemu hook scripts that look for "sub-hooks" under /etc/libvirt/hooks/{daemon.d,qemu.d} named <event>-<seq#>-<description> and invoke them in <seq#> order for the current <event>. I did it this way so I could add and remove sub-hooks at will, keeping different features in separate scripts and not polluting the hooks directory namespace any more than I had to -- *.d.

Personally, I'd like to see any official update to the profile use the '**' format, so I don't need to patch that locally.

What's the possibility of backporting the fix to currently supported releases?
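The generic hook plus sub-hooks layout described in this comment, as an added example that is not Lee's script and not part of libvirt; it assumes libvirt's documented hook calling convention (<hook> <object> <operation> <sub-operation> <extra>) and builds a constructed temporary tree for its demo.

```shell
#!/bin/sh
# Added example (not Lee's script, not part of libvirt) of the generic-hook-plus-
# sub-hooks layout described above. Assumes libvirt's hook calling convention:
#   <hook> <object> <operation> <sub-operation> <extra>
# Installed as /etc/libvirt/hooks/daemon (or qemu) it runs every executable
# $HOOKS_DIR/<hook>.d/<operation>-<seq#>-<description> whose <operation> equals
# $2, in ascending numeric <seq#> order, passing all arguments through.
HOOKS_DIR=${HOOKS_DIR:-/etc/libvirt/hooks}   # overridable for testing
# run_subhooks <hook> <object> <operation> [sub-operation] [extra]
# Returns 0 if every sub-hook succeeded, else the last non-zero exit status.
run_subhooks() {
    hook=$1; shift
    op=$2
    dir="$HOOKS_DIR/$hook.d"
    [ -d "$dir" ] || return 0
    rc=0
    # Keep <op>-<digits>-... names only (no whitespace by convention), sort on seq#.
    for f in $(ls "$dir" 2>/dev/null | grep "^$op-[0-9][0-9]*-" | sort -t- -k2,2n); do
        [ -x "$dir/$f" ] || continue          # non-executable = disabled sub-hook
        "$dir/$f" "$@" || rc=$?
    done
    return $rc
}

# Constructed demo tree for testing: start sub-hooks with seq# 10 and 2, a
# non-executable start sub-hook, and one for another operation. Each appends
# its name and arguments to $SUBHOOK_LOG.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/daemon.d"
    for name in start-10-second start-2-first stop-1-other; do
        printf '#!/bin/sh\necho "$(basename "$0") $*" >> "$SUBHOOK_LOG"\n' > "$d/daemon.d/$name"
        chmod +x "$d/daemon.d/$name"
    done
    printf '#!/bin/sh\necho never >> "$SUBHOOK_LOG"\n' > "$d/daemon.d/start-5-disabled"
    echo "$d"
}

demo() {
    d=$(make_demo_tree)
    SUBHOOK_LOG="$d/log"; export SUBHOOK_LOG
    HOOKS_DIR=$d
    run_subhooks daemon - start - start       # how libvirtd invokes the daemon hook
    cat "$SUBHOOK_LOG"                        # start-2-first ..., then start-10-second ...
    rm -rf "$d"
}

# With arguments (installed as a hook) dispatch on our own name; otherwise run the demo.
if [ $# -gt 0 ]; then run_subhooks "$(basename "$0")" "$@"; else demo; fi
```

Because the sub-hooks live below /etc/libvirt/hooks/, the '**' form of the rule is what lets libvirtd execute them; the '*' form only covers the top-level hook scripts.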

Serge Hallyn (serge-hallyn) wrote :

Thanks, I'll do both those changes in precise and SRU them.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.7-2ubuntu4

---------------
libvirt (0.9.7-2ubuntu4) precise; urgency=low

  * debian/apparmor/usr.sbin.libvirtd:
    - allow access to /etc/libvirt/hooks/** (LP: #891472)
    - #include <local/usr.sbin.libvirtd> for site-local customizations
  * debian/control: Suggest cgroup-lite | cgroup-bin (LP: #544146)
  * debian/patches/ubuntu/apparmor-allow-tunnelled-migration-2.patch:
    Warn but don't error out when we can't find a pathname for a file.
    This is needed to support tunnelled migration. (LP: #869553)
 -- Serge Hallyn <email address hidden> Fri, 02 Dec 2011 11:50:47 -0600

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
description: updated
Serge Hallyn (serge-hallyn) wrote :

(Not valid for lucid as the code did not yet support hooks)

Changed in libvirt (Ubuntu Maverick):
status: New → Won't Fix
Changed in libvirt (Ubuntu Natty):
status: New → Won't Fix
Rolf Leggewie (r0lf) wrote :

oneiric has seen the end of its life and is no longer receiving any updates. Marking the oneiric task for this ticket as "Won't Fix".

Changed in libvirt (Ubuntu Oneiric):
status: New → Won't Fix