apparmor prevents libvirt from running pygrub

Bug #1326003 reported by Alvaro Lopez
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
High
Stefan Bader
Trusty
High
Unassigned

Bug Description

On Ubuntu 14.04, while trying to run a VM using Xen + Libvirt I am not able to boot it, because apparmor prevents libivrt from running pygrub:

    type=1400 audit(1401803854.411:30): apparmor="DENIED" operation="exec" profile="/usr/sbin/libvirtd" name="/usr/lib/xen-4.4/bin/pygrub" pid=7237 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Setting libvirtd to complain only workarounds the issue.

The installed versions are:
    ii apparmor 2.8.95~2430-0ubuntu5 amd64 User-space parser utility for AppArmor
    ii libvirt-bin 1.2.2-0ubuntu13.1 amd64 programs for the libvirt libr

SRU Justification (for Trusty):

Impact: Apparmor prevents execution of pygrub from libvirtd / libxl. This prevents Xen PV guests being launched through libvirt.

Fix: Simple addition to the apparmor rules to allow execution of pygrub.

Testcase: Trying to launch a PV guest from libvirt (definition has bootloader set to pygrub and is of type linux) will fail. It succeeds with the change.

Changed in libvirt (Ubuntu):
assignee: nobody → Stefan Bader (smb)
importance: Undecided → High
Revision history for this message
Stefan Bader (smb) wrote :

OK, this should not be hard to change. IIRC libvirt ships its own apparmor rules in Ubuntu. Just need to add pygrub. Must admit I have not looked into Xen PV guests started through libvirt. It used to be even more pain while using the xm toolstack. But that should not prevent us from improving the situation.
I would prepare the change in Utopic and then we could SRU it back into Trusty.

Changed in libvirt (Ubuntu):
status: New → In Progress
Changed in libvirt (Ubuntu Trusty):
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Stefan Bader (smb) wrote :

So it looks like we would need to add the following to debian/apparmor/usr.sbin.libvirtd:

   /lib/udev/scsi_id PUx,
   /lib/udev/scsi_id PUx,
   /usr/lib/xen-common/bin/xen-toolstack PUx,
+ /usr/lib/xen-*/bin/pygrub PUx,

   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
   # write and run an ebtables script.

Revision history for this message
Stefan Bader (smb) wrote :
tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.5-0ubuntu4

---------------
libvirt (1.2.5-0ubuntu4) utopic; urgency=low

  * debian/apparmor/usr.sbin.libvirtd: allow pygrub to be run
    (LP: #1326003)
 -- Stefan Bader <email address hidden> Wed, 18 Jun 2014 11:04:15 +0200

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released
Stefan Bader (smb)
description: updated
Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello Alvaro, or anyone else affected,

Accepted libvirt into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libvirt (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: added: verification-needed
Revision history for this message
Alvaro Lopez (aloga) wrote :

I've tested the following packages:

    ii libvirt-bin 1.2.2-0ubuntu13.1.2 amd64 programs for the libvirt library
    ii libvirt0 1.2.2-0ubuntu13.1.2 amd64 library for interfacing with different virtualization systems

And it works perfectly, thanks!

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.2-0ubuntu13.1.2

---------------
libvirt (1.2.2-0ubuntu13.1.2) trusty; urgency=low

  * debian/apparmor/usr.sbin.libvirtd: allow libvirtd to run
    libxl-save-helper (required for save restore through libxl).
    (LP: #1334195)
  * debian/apparmor/usr.sbin.libvirtd: allow pygrub to be run
    (LP: #1326003)
  * debian/patches/libxl-Support-PV-consoles.patch
    Enable console support for PV guests (LP: #1334738)
 -- Stefan Bader <email address hidden> Thu, 26 Jun 2014 16:03:42 +0200

Changed in libvirt (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for libvirt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers