Custom rom location is not allowed by aa-helper

Bug #1466911 reported by Andrey Korolyov
Affects: libvirt (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Please find that currently the code in the aa-helper forbids a rare, though possible, config type:

  <os>
...
    <loader>/usr/share/seabios/bios.bin-1.7.5</loader>
...
  </os>

internal error: Child process (/usr/lib/libvirt/virt-aa-helper -p 0 -r -u libvirt-866ba0e5-405e-442c-8544-fea8171a65c5) unexpected exit status 1: Failed to read classid file: No Access
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper: error: /usr/share/seabios/bios.bin-1.7.5

Also there is a trivial change for reading /etc/ceph/keyring.bin as the Ceph-enabled setups are flooding logs with this forbidden location as well.

Tags: apparmor
summary: - Custom rom and socket locations is not allowed by aa-helper
+ Custom rom and socket locations are not allowed by aa-helper
Revision history for this message
Andrey Korolyov (xdeller) wrote : Re: Custom rom and socket locations are not allowed by aa-helper

Partially duplicated by #1015154

summary: - Custom rom and socket locations are not allowed by aa-helper
+ Custom rom location are not allowed by aa-helper
description: updated
Changed in libvirt (Ubuntu):
status: New → Triaged
importance: Undecided → High
summary: - Custom rom location are not allowed by aa-helper
+ Custom rom location is not allowed by aa-helper
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Interesting. The needed path is actually provided by /etc/apparmor.d/abstractions/libvirt-qemu, but virt-aa-helper sees the loader and proceeds to try to add the path. Because the path is a restricted one (under /usr/share), it is automatically rejected.

A workaround is to copy the bios to another path, i.e. /opt/bios.bin, and specify that path.

Marking this low priority because of the workaround, however this really ought to be fixed upstream.

I'm not sure what a proper fix would be. Perhaps vah_add_path() should simply first check whether the policy specified this far already allows the path.

Changed in libvirt (Ubuntu):
importance: High → Medium
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

(medium, not low, priority)
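
The ordering problem described in the comments above, as an added example that is not libvirt's code and not part of the original report: a simplified model comparing the reported behaviour with the suggested "check the existing policy first" ordering. The function names, the restricted-prefix list and the abstraction rule are assumptions made for illustration, and paths are assumed to be canonicalized before the check.

```c
/* Simplified model of the check discussed in this report; NOT libvirt source.
 * Both lists are constructed; paths are assumed already canonicalized. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define N(a) (sizeof(a) / sizeof((a)[0]))
/* Assumed restricted prefixes (the report shows /usr/share refused; /etc is assumed). */
static const char *const restricted[] = { "/usr/share/", "/etc/" };
/* Hypothetical rule standing in for what abstractions/libvirt-qemu grants. */
static const char *const abstraction_rules[] = { "/usr/share/seabios/*" };

enum verdict { ADD_RULE, SKIP_COVERED, REJECT };

static int is_restricted(const char *path) {
    for (size_t i = 0; i < N(restricted); i++)
        if (strncmp(path, restricted[i], strlen(restricted[i])) == 0)
            return 1;
    return 0;
}

/* FNM_PATHNAME keeps '*' from crossing '/', so the rule covers one directory only. */
static int already_allowed(const char *path) {
    for (size_t i = 0; i < N(abstraction_rules); i++)
        if (fnmatch(abstraction_rules[i], path, FNM_PATHNAME) == 0)
            return 1;
    return 0;
}

/* Behaviour reported in this bug: any restricted path is an error. */
enum verdict add_path_current(const char *path) {
    return is_restricted(path) ? REJECT : ADD_RULE;
}

/* Suggested ordering: consult the existing policy first, then the restricted list. */
enum verdict add_path_proposed(const char *path) {
    if (already_allowed(path))
        return SKIP_COVERED;   /* nothing to add, and no error */
    return is_restricted(path) ? REJECT : ADD_RULE;
}

int main(void) {
    const char *rom = "/usr/share/seabios/bios.bin-1.7.5";
    printf("current=%d proposed=%d\n", add_path_current(rom), add_path_proposed(rom));
    return 0;
}
```

With this ordering, a restricted path that no existing rule covers is still rejected, so the pre-check does not widen the generated profile.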
