Comment 10 for bug 2073214
Revision history for this message
| Christian Ehrhardt (paelzer) wrote Re: hugepages causes permissions error [apparmor profile] | #10 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
Thank you Tim for continuing on this.
Thanks for all your efforts in comment #6.
I wonder how you can create a new 24.04 and trigger this while I can not.
At some point we need a third person to decide who of us has the uncommon case.
Thanks for tracking down the denial that you are seeing.
This is all bound to huge page operations and your strace shows it at memfd_create operations.
Those are in qemu.git/
$ cat /home/paelzer/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
// Create an anonymous file in memory with huge pages
int main() {
off_t reqsize = (2*1024*1024);
// Test flags one by one
int mfd = memfd_create(
if (mfd >= 0)
close(mfd);
else
return -1;
mfd = memfd_create(
if (mfd >= 0)
close(mfd);
else
return -1;
int fd = memfd_create(
if (fd == -1) {
}
printf(
// Truncate it to the desired length
if (ftruncate(fd, reqsize) == -1) {
goto err;
}
printf(
// Add seals
if (fcntl(fd, F_ADD_SEALS, 1) == -1) {
goto err;
}
printf("Added seal\n");
// Close the file descriptor
close(fd);
printf(
return 0;
err:
close(fd);
exit(
}
Just like your more complex test with qemu, without an apparmor profile this works just fine.
(Interestingly even without allocating huge pages).
$ ./test
Created
Truncated
Added seal
closed
Running it with the default profile for guests (no custom paths needed) should trigger the same.
So I use this (one might need to adopt paths accordingly) profile.
Inspired by the files we usually generate for the guests:
$ sudo cat /etc/apparmor.
# Last Modified: Mon Jul 22 10:23:53 2024
abi <abi/3.0>,
include <tunables/global>
/home/paelzer/
include <abstractions/
/home/
}
$ sudo apparmor_parser --replace /etc/apparmor.
With that in place I can recreate the problem and the denial matches yours:
$ ./test
Created
truncate: Permission denied
[5365065.306262] audit: type=1400 audit(172163696
I think apparmor struggles to detect and mediate that path accordingly.
name="/" is only there due to a lack of something better.
If I'd not use attach_disconnected it would show as:
- info="Failed name lookup - disconnected path"
- name=""
I tried the same in a Jammy system:
$ apt install libvirt-
# place the test.c in /root
$ gcc -Wall -Werror test.c -o test
# create the matching /etc/apparmor.
$ sudo apparmor_parser --replace /etc/apparmor.
But other than in your case, 22.04 behaved the same in my case.
Also getting
[ 444.373044] audit: type=1400 audit(172163761
So in summary, on one hand the suggested rule fixes it according to your test.
But I think the rule "/ rw" is a bit too open to just add :-)
And I still can't see why my huge page guests work and yours do not, but on the other I could now recreate this at least outside of qemu (there is still works for me)
And with my instruction everyone can recreate this more easily now.
Hence I'm subscribing the package maintainer and expert of apparmor as he might be able to help much better suggesting which rule might be more appropriate for such code (which now is much easier to understand).
@JJ - how should we guard correctly in apparmor to allow usage of for anonymous via memfd_create as allocation backend files?