virt-aa-helper does not whitelist actual <source dev='...'> paths for domain <disk type='volume'>
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Triaged | Medium | Unassigned |
Bug Description
Release: 14.04
Package: libvirt-bin
Version: 1.2.2-0ubuntu13.1.1
For a normal block-based LVM disk definition
<disk type='block' device='disk'>
<driver name='qemu' type='raw'/>
<source dev='/dev/
<target dev='vda' bus='virtio'/>
</disk>
virt-aa-helper will generate "/dev/dm-X rw" rules in the /etc/apparmor.
"/dev/dm-10" rw,
However, using a storage pool:
<pool type='logical'>
<name>lvm</name>
<source>
<name>
</source>
<target>
<path>
</target>
</pool>
to create the volume:
<volume>
<name>
<capacity>
</volume>
and attempting to use the equivalent:
<disk type='volume' device='disk'>
<driver name='qemu' type='raw'/>
<source pool='lvm' volume=
<target dev='vda' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</disk>
Results in the following with `virsh start guest`
error: Failed to start domain guest
error: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/dev/
And:
[164096.938448] type=1400 audit(140559601
[164096.938472] type=1400 audit(140559601
[164096.938515] type=1400 audit(140559601
The apparmor libvirt-*.files does not contain any /dev/dm-* rules.
I'm not familiar enough with the virAppArmorSecu
qemuTranslateDi
tags: | added: patch |
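A pre-start check for the gap described in this report, written as an added example rather than code from libvirt or the reporter: it parses a domain XML, resolves each disk to the host path QEMU will open, and lists those with no `rw` rule in the generated libvirt-<uuid>.files profile. The domain XML, the profile fragment and the pool/volume-to-path map are constructed for the example; on a real host the map would come from `virsh vol-path`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample domain: one block disk and one pool-backed volume disk
DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/dm-10'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='volume' device='disk'>
      <driver name='qemu' type='raw'/>
      <source pool='lvm' volume='guest-data'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
  </devices>
</domain>"""

# Constructed stand-in for the generated libvirt-<uuid>.files profile:
# only the block disk got a rule, as in the report
PROFILE_FILES = '''  "/dev/dm-10" rw,
'''

# Hypothetical resolver: (pool, volume) -> device path, i.e. what
# `virsh vol-path --pool <pool> <volume>` would return on the host
VOL_PATHS = {("lvm", "guest-data"): "/dev/dm-11"}

def disk_source_paths(domain_xml, vol_paths):
    """Host paths every <disk> in the domain needs QEMU to open."""
    paths = []
    for disk in ET.fromstring(domain_xml).iter("disk"):
        src = disk.find("source")
        if src is None:          # e.g. an empty cdrom drive
            continue
        if disk.get("type") == "block":
            paths.append(src.get("dev"))
        elif disk.get("type") == "volume":
            paths.append(vol_paths[(src.get("pool"), src.get("volume"))])
    return paths

def allowed_paths(profile_text):
    """Quoted paths that carry an rw rule in the .files profile."""
    return set(re.findall(r'^\s*"([^"]+)"\s+rw,', profile_text, re.M))

def missing_rules(domain_xml, profile_text, vol_paths):
    allowed = allowed_paths(profile_text)
    return [p for p in disk_source_paths(domain_xml, vol_paths) if p not in allowed]

print(missing_rules(DOMAIN_XML, PROFILE_FILES, VOL_PATHS))  # -> ['/dev/dm-11']
```

Each path reported is one that QEMU would be denied, matching the type=1400 audit entries in the report; the corresponding `"<path>" rw,` line is what the profile lacks.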
Thanks - reproduced that here on utopic. Since there is an obvious
workaround, I'll mark this medium, not high, priority.
status: triaged
importance: medium