libvirt/libxl: Failing to save guest due to apparmor denial

Bug #1334195 reported by Stefan Bader
Affects: libvirt (Ubuntu); Importance: Medium; Assigned to: Stefan Bader
Affects: Trusty; Importance: Undecided; Assigned to: Unassigned

Bug Description

Another glitch when moving from the xm to the xl toolstack: libvirtd needs to run /usr/lib/xen-4.4/bin/libxl-save-helper but is denied by the apparmor profile. Need to add:

/usr/lib/xen-4.4/bin/* PUx,

to the profile. Or even generally allow

/usr/lib/xen-*/bin/* PUx,

which would match both xen-common/bin and any xen-<version>/bin.

SRU Justification (for Trusty):

Impact: Apparmor will prevent libvirt from saving a Xen guest via libxl because the helper command cannot be executed from libvirtd.

Fix: Add the following rule to the libvirtd apparmor profile:
  /usr/lib/xen-*/bin/libxl-save-helper PUx,

Testcase: Start a (HVM) guest via libvirt, then run save (virsh). This will fail without the additional rule but succeed when it is added.

Stefan Bader (smb)
Changed in libvirt (Ubuntu):
status: New → Confirmed
assignee: nobody → Stefan Bader (smb)
importance: Undecided → Medium
Stefan Bader (smb) wrote :

After thinking and playing around with it, I think the rules should not be too loose. So will go with:

/usr/lib/xen-*/bin/libxl-save-helper PUx,

description: updated
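
The three candidate rules from this report differ in how many binaries libvirtd may launch with the PUx fallback, which runs the target unconfined when no profile for it is loaded. The following is an added example, not part of the bug report or the libvirt package: it expands each rule against a constructed file listing, and its glob handling is a simplification that covers only `*`, `**` and `?`.

```python
import re

# Constructed listing of files under /usr/lib/xen-*; not taken from the bug report.
SAMPLE_PATHS = [
    "/usr/lib/xen-4.4/bin/libxl-save-helper",
    "/usr/lib/xen-4.4/bin/xl",
    "/usr/lib/xen-4.4/bin/pygrub",
    "/usr/lib/xen-4.4/bin/extra/tool",
    "/usr/lib/xen-common/bin/xen-toolstack",
]

# AppArmor globbing: '**' may cross '/', while '*' and '?' stay within one component.
GLOB_TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}


def parse_rule(line):
    """Split a file rule such as '/path/* PUx,' into (glob, permissions)."""
    glob, perms = line.strip().rstrip(",").rsplit(None, 1)
    return glob, perms


def glob_to_regex(glob):
    """Translate the supported glob subset into a compiled regular expression."""
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(GLOB_TOKENS.get(p, re.escape(p)) for p in parts))


def unconfined_exec_targets(rule, paths):
    """Return the paths the rule allows to be executed with an unconfined fallback."""
    glob, perms = parse_rule(rule)
    # ux/Ux run unconfined; pux/PUx and cux/CUx do so when no profile matches.
    if not re.search(r"[Uu]x", perms):
        return []
    pattern = glob_to_regex(glob)
    return [p for p in paths if pattern.fullmatch(p)]


if __name__ == "__main__":
    for rule in ("/usr/lib/xen-4.4/bin/* PUx,",
                 "/usr/lib/xen-*/bin/* PUx,",
                 "/usr/lib/xen-*/bin/libxl-save-helper PUx,"):
        hits = unconfined_exec_targets(rule, SAMPLE_PATHS)
        print(f"{rule:45} -> {len(hits)} executable(s)")
        for path in hits:
            print("    ", path)
```

Running the same function over the real contents of /usr/lib/xen-* on a host shows exactly what a wildcard exec rule grants before it goes into the profile.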
Stefan Bader (smb) wrote :
Stefan Bader (smb)
Changed in libvirt (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.5-0ubuntu5

---------------
libvirt (1.2.5-0ubuntu5) utopic; urgency=low

  * debian/apparmor/usr.sbin.libvirtd: allow libvirtd to run
    libxl-save-helper (required for save restore through libxl).
    (LP: #1334195)
 -- Stefan Bader <email address hidden> Thu, 26 Jun 2014 15:53:05 +0200

Changed in libvirt (Ubuntu):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote : Please test proposed package

Hello Stefan, or anyone else affected,

Accepted libvirt into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libvirt (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed
Stefan Bader (smb) wrote :

Ran save/restore on a PV guest via libxl/libvirt (with the proposed package). Works as it should.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.2-0ubuntu13.1.2

---------------
libvirt (1.2.2-0ubuntu13.1.2) trusty; urgency=low

  * debian/apparmor/usr.sbin.libvirtd: allow libvirtd to run
    libxl-save-helper (required for save restore through libxl).
    (LP: #1334195)
  * debian/apparmor/usr.sbin.libvirtd: allow pygrub to be run
    (LP: #1326003)
  * debian/patches/libxl-Support-PV-consoles.patch
    Enable console support for PV guests (LP: #1334738)
 -- Stefan Bader <email address hidden> Thu, 26 Jun 2014 16:03:42 +0200

Changed in libvirt (Ubuntu Trusty):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for libvirt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
