AppArmor Regression #1236455 by #1298611

Bug #1327687 reported by Hiroshi Miura
Affects            Status        Importance  Assigned to  Milestone
apparmor (Ubuntu)  Fix Released  Undecided   Unassigned
linux (Ubuntu)     Fix Released  Medium      Unassigned

Bug Description

Affected on kernel 3.13.0-21.43 and later on Trusty.

It may be because 3.13.0-21.43 reverted the #1236455 fix.

linux (3.13.0-21.43) trusty; urgency=low

  [ John Johansen ]

  * Revert "SAUCE: Add config option to disable new apparmor 3 semantics"
  * Revert "SAUCE: apparmor: fix uninitialized lsm_audit membe"
  * Revert "SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded
    policy"
  * Revert "SAUCE: apparmor: allocate path lookup buffers during init"
  * Revert "SAUCE: apparmor: fix unix domain sockets to be mediated on
    connection"
  * Revert "SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
  * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
    - LP: #1298611

linux (3.13.0-2.17) trusty; urgency=low

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
  * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
    - LP: #1208988
  * SAUCE: apparmor: allocate path lookup buffers during init
    - LP: #1208988
  * SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
    - LP: #1236455

I've observed a failure of AppArmor policy updates with libvirt, qemu and vagrant.

vagrant asks libvirt to create a VM image backed by another qcow2 image that is located in another directory.
virt-aa-helper should add it but fails.

/etc/apparmor.d/libvirt/libvirt-ef734772-4f19-4d0a-994d-a7398d178378.files:
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.log" w,
  "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.monitor" rw,
  "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
  "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402186805388_83426.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402186805388_83426" rw,
  "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,

/var/log/libvirt/libvirtd.log:
Jun 8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Jun 8 09:26:13 tuna kernel: [33901.090212] type=1400 audit(1402187173.746:82): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
Jun 8 09:26:13 tuna kernel: [33901.090251] type=1400 audit(1402187173.746:83): apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118

Running

sudo aa-complain /usr/lib/libvirt/virt-aa-helper

solves the problem. After running the above command, I get the following:

/etc/apparmor.d/libvirt/libvirt-ed29623f-5006-4b04-9d71-ac46267ef9fc.files:
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.log" w,
  "/var/lib/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.monitor" rw,
  "/var/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
  "/run/libvirt/**/libreoffice-build-ubuntu-vagrant_default_1402187682182_36451.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.libreoffice-build-ubuntu-vagrant_default_1402187682182_36451" rw,
  "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402187682.img" rw,
  "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
  # don't audit writes to readonly files
  deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,

virt-aa-helper generates the policy rule and it is reloaded properly.

The observation tells us that these rules in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
  @{HOME}/** r,
  /**.img r,
are not working, and the libvirt policy update fails.

This behavior is the same as in #1236455.
---
ApportVersion: 2.14.1-0ubuntu3
Architecture: amd64
CurrentDesktop: X-Cinnamon
DistroRelease: Ubuntu 14.04
InstallationDate: Installed on 2010-08-15 (1392 days ago)
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
NonfreeKernelModules: nvidia
Package: linux
PackageArchitecture: amd64
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=ja_JP.utf8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-24-generic root=UUID=b2b909b5-fe09-4d83-b740-7bbeb6ba0f51 ro quiet splash nomdmonddf nomdmonisw nomdmonddf nomdmonisw crashkernel=384M-:128M
ProcVersionSignature: Ubuntu 3.13.0-24.46-generic 3.13.9
Syslog:

Tags: qiana third-party-packages
Uname: Linux 3.13.0-24-generic x86_64
UpgradeStatus: Upgraded to qiana on 2014-04-20 (48 days ago)
UserGroups: adm admin cdrom dialout disk kvm libvirtd lpadmin plugdev sambashare scanner
_MarkForUpload: True
---
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: X-Cinnamon
DistroRelease: Ubuntu 14.04
InstallationDate: Installed on 2010-08-15 (1393 days ago)
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
NonfreeKernelModules: nvidia
Package: linux
PackageArchitecture: amd64
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=ja_JP.utf8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-24-generic root=UUID=b2b909b5-fe09-4d83-b740-7bbeb6ba0f51 ro quiet splash nomdmonddf nomdmonisw nomdmonddf nomdmonisw crashkernel=384M-:128M
ProcVersionSignature: Ubuntu 3.13.0-24.47-generic 3.13.9
Syslog:
 Jun 8 14:16:36 tuna dbus[701]: [system] AppArmor D-Bus mediation is enabled
 Jun 8 14:23:20 tuna dbus[682]: [system] AppArmor D-Bus mediation is enabled
 Jun 8 14:27:28 tuna dbus[684]: [system] AppArmor D-Bus mediation is enabled
 Jun 8 14:30:27 tuna dbus[697]: [system] AppArmor D-Bus mediation is enabled
Tags: qiana third-party-packages
Uname: Linux 3.13.0-24-generic x86_64
UpgradeStatus: Upgraded to qiana on 2014-04-20 (49 days ago)
UserGroups: adm admin cdrom dialout disk kvm libvirtd lpadmin plugdev sambashare scanner
_MarkForUpload: True

Hiroshi Miura (miurahr)
affects: linux → linux (Ubuntu)
description: updated
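The denials and the generated .files fragments quoted in the description can be checked mechanically. The block below is an added example written for this page, not libvirt or AppArmor project code: it parses the kernel's apparmor="DENIED" audit records, parses the subset of AppArmor file-rule syntax that appears in the .files fragments and in the virt-aa-helper profile (optional deny, quoted or unquoted path globs with * and **, permission letters), and reports whether a given rule set already covers each denial, proposing the missing rule when it does not. The sample log line and rule fragments are constructed from lines quoted above; the expansion of @{HOME} to /home/*/ and /root/ is an assumption taken from Ubuntu's tunables/home, and abstractions, owner, audit and exec rules are out of scope, so use aa-logprof for real profile work.

```python
"""Check AppArmor DENIED records against file rules.

Added example for this report, not libvirt or AppArmor code. It handles only the rule
syntax seen in the report (optional 'deny', quoted or unquoted path, permission letters,
trailing comma) and assumes @{HOME} expands to /home/*/ and /root/ as in Ubuntu's
tunables/home; abstractions, owner, audit and exec rules are out of scope.
"""
import re

# Constructed sample input, taken from the lines quoted in the report.
DENIALS = [
    'Jun 8 09:26:13 tuna kernel: [33901.090187] type=1400 audit(1402187173.746:81): '
    'apparmor="DENIED" operation="open" profile="libvirt-7e96ebdc-d0cc-4c30-9112-64d5aa9955c0" '
    'name="/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" pid=19976 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=118 ouid=118',
]
BROKEN_FILES = '''
  "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402186805.img" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/**" rw,
  "/home/miurahr/Projects/libreoffice/libreoffice-build-ubuntu-vagrant/" r,
'''
FIXED_FILES = '''
  "/home/miurahr/.vagrant.d/tmp/storage-pool/box-disk1-1402187682.img" rw,
  "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" r,
  # don't audit writes to readonly files
  deny "/home/miurahr/.vagrant.d/boxes/trusty/0/kvm/box-disk1.img" w,
'''
HELPER_RULES = '''
  @{HOME}/** r,
  /**.img r,
'''
VARS = {"HOME": ["/home/*/", "/root/"]}  # assumed tunables/home expansion
AUDIT_RE = re.compile(r'apparmor="(?P<action>\w+)" operation="(?P<op>[^"]+)" profile="(?P<profile>[^"]+)" '
                      r'name="(?P<name>[^"]+)".*?requested_mask="(?P<requested>[^"]+)" denied_mask="(?P<denied>[^"]+)"')
RULE_RE = re.compile(r'^\s*(?P<deny>deny\s+)?"?(?P<path>[^"\s]+)"?\s+(?P<perms>[a-z]+)\s*,\s*$')

def parse_denials(lines):
    """Yield the fields of every AppArmor DENIED record; other lines are ignored."""
    for line in lines:
        m = AUDIT_RE.search(line)
        if m and m.group("action") == "DENIED":
            yield m.groupdict()

def glob_to_regex(pattern):
    """AppArmor glob to regex: ** crosses '/', * and ? stay inside one component, {a,b} alternates."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        elif pattern[i] == "{":
            j = pattern.index("}", i)
            out.append("(?:%s)" % "|".join(glob_to_regex(a) for a in pattern[i + 1:j].split(",")))
            i = j + 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def expand_vars(path):
    """Expand @{VAR} tunables to every alternative, collapsing '//' as the parser does."""
    paths = [path]
    for name, values in VARS.items():
        token = "@{%s}" % name
        paths = [q for p in paths for q in ([p.replace(token, v) for v in values] if token in p else [p])]
    return [re.sub("/+", "/", p) for p in paths]

def parse_rules(text):
    """Parse file rules into (deny, perms, regexes) tuples; comments and unmodelled rule types are skipped."""
    rules = []
    for line in text.splitlines():
        m = None if line.strip().startswith("#") else RULE_RE.match(line)
        if m:
            regexes = [re.compile(glob_to_regex(p)) for p in expand_vars(m.group("path"))]
            rules.append((bool(m.group("deny")), frozenset(m.group("perms")), regexes))
    return rules

def check(rules, path, mask):
    """Return (allowed, granted, denied): allowed when every bit of mask is granted and none is denied."""
    granted, denied = set(), set()
    for deny, perms, regexes in rules:
        if any(rx.fullmatch(path) for rx in regexes):
            (denied if deny else granted).update(perms)
    return set(mask) <= granted and not (set(mask) & denied), granted, denied

def triage(log_lines, rules_text):
    """Per denial: (profile, path, mask, covered, proposed rule or None)."""
    rules = parse_rules(rules_text)
    out = []
    for d in parse_denials(log_lines):
        ok = check(rules, d["name"], d["denied"])[0]
        out.append((d["profile"], d["name"], d["denied"], ok, None if ok else '"%s" %s,' % (d["name"], d["denied"])))
    return out
```

Calling triage(DENIALS, BROKEN_FILES) flags the backing image as uncovered and proposes exactly the `"…/box-disk1.img" r,` line that the second .files fragment in the report contains; against HELPER_RULES the same path is covered by both `@{HOME}/** r,` and `/**.img r,`, which matches the reporter's point that the virt-aa-helper profile should already have allowed the read and that the failure lay in the kernel's policy reload rather than in the rules themselves. Deny rules are applied as in AppArmor, so the fixed fragment covers a read of the box image but still refuses a write.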
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1327687

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Hiroshi Miura (miurahr) wrote : ApparmorPackages.txt

apport information

tags: added: apport-collected qiana third-party-packages
description: updated
Hiroshi Miura (miurahr) wrote : ApparmorStatusOutput.txt

apport information

Hiroshi Miura (miurahr) wrote : Dependencies.txt

apport information

Hiroshi Miura (miurahr) wrote : KernLog.txt

apport information

Hiroshi Miura (miurahr) wrote : PstreeP.txt

apport information

Hiroshi Miura (miurahr) wrote :

It works with linux-image-3.13.0-24.47, libvirt-bin 1.2.2-0ubuntu13.1 and qemu 2.0.0~rc1+dfsg-0ubuntu3.1, which were updated from the trusty-update repository.

description: updated
Hiroshi Miura (miurahr) wrote : ApparmorPackages.txt

apport information

Hiroshi Miura (miurahr) wrote : ApparmorStatusOutput.txt

apport information

Hiroshi Miura (miurahr) wrote : Dependencies.txt

apport information

Hiroshi Miura (miurahr) wrote : KernLog.txt

apport information

Hiroshi Miura (miurahr) wrote : PstreeP.txt

apport information

Changed in linux (Ubuntu):
importance: Undecided → Medium
Hiroshi Miura (miurahr) wrote :

I've updated from the trusty-update repository.
The problem was gone after the upgrade.

#1 - #6 show the state when it was a problem.
#8 - #12 show the state after the upgrade.

John Johansen (jjohansen) wrote :

Thank you for the updated info.

Changed in apparmor (Ubuntu):
status: New → Fix Released
Changed in linux (Ubuntu):
status: Incomplete → Fix Released