virt-aa-helper Apparmor profile missing rules for name resolution
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libvirt (Ubuntu) | Fix Released | High | Christian Ehrhardt | |
| Xenial | Fix Released | Medium | Christian Ehrhardt | |
Bug Description
[Impact]
* AppArmor denies several hostname-related file accesses by libvirt, causing
severe slowdowns in some cases.
[Test Case]
* Note: there are various ways to trigger it and many have seen the issue,
but it is often unclear when exactly it will trigger or stop triggering, so
some of the repro cases have proven unreliable. Thanks Simon for the repro
howto listed here (simplified, as it turned out zvols are not needed
according to comment #22).
1) Sync the Xenial cloud image
```
uvt-simplestrea
```
2) Create a test guest with:
```
uvt-kvm create --memory 2048 --cpu 4 --password=ubuntu xenial-kernel-test release=xenial arch=amd64 label=daily
```
3) Stop it and add an extra volume like this snippet
```
$ virsh shutdown xenial-kernel-test
$ virsh edit xenial-kernel-test
```
```xml
<disk type='file' device='disk'>
  <driver name='qemu' type='raw' cache='none'/>
  <source file='/dev/sda4'/>
  <target dev='vdc' bus='virtio'/>
</disk>
```
4) Start the guest
```
virsh start xenial-kernel-test
```
5) Check for AppArmor denial messages
```
dmesg | tail | grep apparmor
```
Without the fix, AppArmor reports denials when virt-aa-helper accesses /etc/nsswitch.conf, /etc/host.conf, /etc/gai.conf and /run/resolvconf.
With the fix in place no related AppArmor denials show up.
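The final check above relies on `dmesg | tail`, which only sees the last ten kernel lines and matches any AppArmor message. The shell function below, added here as an example and not code from the bug report or from libvirt, parses AppArmor audit records and reports only DENIED accesses to the four name-resolution paths the test case lists; the sample log lines and the `/usr/lib/libvirt/virt-aa-helper` profile path are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample kernel log lines (not taken from the bug report); the
# profile path "/usr/lib/libvirt/virt-aa-helper" is an assumption.
SAMPLE_LOG='Feb 17 12:06:23 host kernel: [15734.513696] audit: type=1400 audit(1455728783.513:100): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/nsswitch.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:23 host kernel: [15734.513718] audit: type=1400 audit(1455728783.513:101): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/etc/host.conf" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 17 12:06:24 host kernel: [15734.600000] audit: type=1400 audit(1455728784.600:102): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-00000000-0000-0000-0000-000000000000" pid=1200 comm="apparmor_parser"
Feb 17 12:06:25 host kernel: [15734.700000] audit: type=1400 audit(1455728785.700:103): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/tmp/unrelated.txt" pid=1234 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# glibc name-resolution files named in the bug; a prefix match also covers
# files below /run/resolvconf.
NSS_PATHS='/etc/nsswitch.conf /etc/host.conf /etc/gai.conf /run/resolvconf'

# Print "profile path denied_mask" for each AppArmor DENIED record in the
# log text given as $1 whose target is one of the name-resolution paths.
aa_nss_denials() {
    printf '%s\n' "$1" | awk -v paths="$NSS_PATHS" '
    BEGIN { n = split(paths, p, " ") }
    /apparmor="DENIED"/ {
        prof = ""; name = ""; mask = ""
        # every audit field is key="value" or key=value
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            v = kv[2]; gsub(/"/, "", v)
            if (kv[1] == "profile") prof = v
            else if (kv[1] == "name") name = v
            else if (kv[1] == "denied_mask") mask = v
        }
        for (j = 1; j <= n; j++)
            if (index(name, p[j]) == 1) { print prof, name, mask; break }
    }'
}

# Number of such denials; 0 means the profile already allows name resolution.
aa_nss_denial_count() {
    aa_nss_denials "$1" | wc -l | tr -d ' '
}
```

On the test host, run `aa_nss_denials "$(dmesg)"` (or feed it /var/log/kern.log) after starting the guest; a count of 0 from `aa_nss_denial_count` is the expected result with the fix installed.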
[Regression Potential]
* The fix is rather small and "only" opens up apparmor confinement a bit.
That makes us assume that the potential for regression should be
minimal.
###############
Original description:
With libvirt-bin 1.3.1, starting a QEMU guest results in these AA denials:
Feb 17 12:06:23 simon-laptop kernel: [15734.513696] audit: type=1400 audit(145572878
Feb 17 12:06:23 simon-laptop kernel: [15734.513718] audit: type=1400 audit(145572878
Feb 17 12:06:23 simon-laptop kernel: [15734.513734] audit: type=1400 audit(145572878
Feb 17 12:06:23 simon-laptop kernel: [15734.513885] audit: type=1400 audit(145572878
virt-aa-helper's AA profile hasn't changed recently so it seems like the helper is doing more in this release.
Additional information:
```
$ lsb_release -rd
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
$ apt-cache policy apparmor libvirt-bin
apparmor:
  Installed: 2.10-3ubuntu1
  Candidate: 2.10-3ubuntu1
  Version table:
 *** 2.10-3ubuntu1 500
        500 http://
        100 /var/lib/
libvirt-bin:
  Installed: 1.3.1-1ubuntu1
  Candidate: 1.3.1-1ubuntu1
  Version table:
 *** 1.3.1-1ubuntu1 500
        500 http://
        100 /var/lib/
```
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu1
ProcVersionSign
Uname: Linux 4.4.0-5-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Feb 17 13:08:04 2016
KernLog:
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
Activity log:
- Changed in libvirt (Ubuntu): importance: Undecided → High
- Changed in libvirt (Ubuntu): status: Confirmed → Triaged; tags added: bitesize server-next
- Changed in libvirt (Ubuntu Xenial): importance: Undecided → Medium; status: New → Triaged
- Changed in libvirt (Ubuntu): status: Triaged → In Progress
- description: updated (four times)
- tags: added: verification-done; removed: verification-needed
Thanks, I see that here too.
status confirmed