Ubuntu
libvirt package

STC860:Tuleta-L:KVM:iap01:Ubuntu 16.10 KVM logs apparmor="DENIED"

Bug #1615550 reported by bugproxy on 2016-08-22

This bug affects 7 people

Affects

Status

Importance

Assigned to

Milestone

libvirt (Ubuntu)

Fix Released

Medium

Christian Ehrhardt 

You need to log in to change this bug's status.

Affecting:	libvirt (Ubuntu)
Filed here by:	bugproxy
When:	2016-08-22
Confirmed:	2016-10-07
Assigned:	2016-08-22
Started work:	2016-11-14
Completed:	2016-11-22

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Medium

Assigned to

	Me
	Christian Ehrhardt  (paelzer)

Comment on this change (optional)

Email me about changes to this bug report

Yakkety

Won't Fix

Undecided

Unassigned

You need to log in to change this bug's status.

Affecting:	libvirt (Ubuntu Yakkety)
Filed here by:	Christian Ehrhardt 
When:	2016-11-22
Completed:	2016-11-22

Package

Status	Importance
	Undecided

Assigned to

	Nobody
	Me

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

== Comment: #0 - Application Cdeadmin <email address hidden> - 2016-08-12 14:40:43 ==

== Comment: #1 - Application Cdeadmin <email address hidden> - 2016-08-12 14:40:44 ==
==== State: Open by: panico on 12 August 2016 13:31:50 ====

Contact Information:
====================
Defect Originator: Michael Panico
Defect Originator <email address hidden>

System Info:
============
Machine Type:............8284-22A
Card Type:...............FSP2_P8LE
Current Boot Side:.......T
Next Boot Side:..........T
PT_Swap:.................0
Current Side Driver:.....fips860/b0726a_1632.860

Ubuntu 16.10 KVM host:
root@iaos1:~# uname -a
Linux iaos1 4.4.0-30-generic #49-Ubuntu SMP Fri Jul 1 10:00:36 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux
root@iaos1:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Yakkety Yak (development branch)
Release: 16.10
Codename: yakkety

Code levels for related pkgs:
virt-manager 1:1.3.2-3
libvirt-bin 1.3.4-1
apparmor 2.10.95-0
qemu-kvm 1:2.6+dfsg-3

Problem Description:
====================
The Ubuntu 16.10 KVM host logs this messages repeatedly:
[Fri Aug 12 10:07:52 2016] audit: type=1400 audit(1471014479.742:45871): apparmor="DENIED" operation="open" profile="libvirt-5142132a-6e25-413a-b84d-579ce9c23bd5" name="/proc/77712/task/99146/comm" pid=99145 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110

== Comment: #9 - SANDHYA VENUGOPALA <email address hidden> - 2016-08-22 04:42:14 ==

Problem Description:
====================
The Ubuntu 16.10 KVM host logs this messages repeatedly:

Aug 14 04:17:06 iaos1 kernel: [410279.287630] audit: type=1400 audit(1471166226.271:73588): apparmor="DENIED" operation="open" profile="libvirt-2da97bd6-6370-47fa-83bd-3cb8e0836c21" name="/proc/76973/task/143582/comm" pid=76973 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110
Aug 14 04:17:06 iaos1 kernel: [410279.532212] audit: type=1400 audit(1471166226.519:73589): apparmor="DENIED" operation="open" profile="libvirt-66e1f4d0-ca76-4d4f-93ad-44c03cafb1c7" name="/proc/77477/task/143583/comm" pid=77477 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110
Aug 14 04:17:19 iaos1 kernel: [410292.483319] audit: type=1400 audit(1471166239.467:73590): apparmor="DENIED" operation="open" profile="libvirt-66e1f4d0-ca76-4d4f-93ad-44c03cafb1c7" name="/proc/77477/task/143584/comm" pid=77477 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110

from ur.sbin.libvirtd -

# force the use of virt-aa-helper
  audit deny /sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,
  /usr/lib/libvirt/* PUxr,
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,

Its seems like libvirt's apparmor policy needs to be updated in Ubuntu 16.10

Tags: Edit Tag help

bugproxy (bugproxy) on 2016-08-22

tags:	added: architecture-ppc64le bugnameltc-144906 severity-high targetmilestone-inin1610
Changed in ubuntu:
assignee:	nobody → Taco Screen team (taco-screen-team)
affects:	ubuntu → libvirt (Ubuntu)

bugproxy (bugproxy) wrote on 2016-09-12: Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2016-09-12 12:05 EDT-------
== Comment: #1 - Application Cdeadmin <email address hidden> - 2016-08-12 14:40:44 ====== State: Assigned by: cde00 on 12 September 2016 11:04:44 ====

Christian Ehrhardt  (paelzer) wrote on 2016-10-07:

Confirmed by SMB

Launchpad Janitor (janitor) wrote on 2016-10-07:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libvirt (Ubuntu):
status:	New → Confirmed

Christian Ehrhardt  (paelzer) on 2016-10-07

Changed in libvirt (Ubuntu):
importance:	Undecided → Medium

Christian Ehrhardt  (paelzer) wrote on 2016-10-07:

Checking the code I'd expect that this kind of access is from:

static void qemu_thread_set_name(QemuThread *thread, const char *name)
{
#ifdef CONFIG_PTHREAD_SETNAME_NP
pthread_setname_np(thread->thread, name);
#endif
}

This is non fatal, just fails to set the thread name (note that the return value is intentionally ignored).

The code itself if rather old (since qemu 2.0) but not enabled by default.
You could be enabled by:
-name debug-threads=on

Since this change it is enabled by default by libvirt if supported:
https://www.redhat.com/archives/libvir-list/2016-March/msg00428.html

So with Yakkety you get e.g.
-name guest=testvm1,debug-threads=on
While on Xenial you got:
-name guest=testvm1

That feature enabled is what triggers the apparmor issues now.

Changed in libvirt (Ubuntu):
status:	Confirmed → Triaged

Christian Ehrhardt  (paelzer) on 2016-10-19

Changed in libvirt (Ubuntu):
assignee:	Taco Screen team (taco-screen-team) → ChristianEhrhardt (paelzer)

Christian Ehrhardt  (paelzer) wrote on 2016-10-24:

Hi,
sometimes the verification of this bug seems to elude me.

So I made a test build available for you to test if the package in https://launchpad.net/~paelzer/+archive/ubuntu/libvirt-bug-1546674-1615550/+packages would help you to get rid of the reported issue.

Simon Déziel (sdeziel) wrote on 2016-10-26:

aa-libvirt-qemu.patch Edit (420 bytes, text/plain)

Hi Christian,

While looking at LP: #1546674 I ran into this bug as well. Your PPA package patches the usr.sbin.libvirtd profile but I think the right place to add the rule is in the abstraction/libvirt-qemu profile extract.

I added a similar but slightly more restrictive rule in the attached patch. With that patch in, I no longer get AA denials for /proc/$pid/task/*/comm.

bugproxy (bugproxy) wrote on 2016-10-26:

------- Comment From <email address hidden> 2016-10-26 16:57 EDT-------
cde00 (<email address hidden>) added native attachment /tmp/AIXOS06098138/aa-libvirt-qemu.patch on 2016-10-26 15:57:26

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2016-10-27:

The attachment "aa-libvirt-qemu.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags:

added: patch

Christian Ehrhardt  (paelzer) wrote on 2016-10-27:

Hi Simon,
as stated in the other bug I can only agree!

Thanks - I made a new version ready to test for Yakkety available in the ppa.

bugproxy (bugproxy) wrote on 2016-11-02:

#10

------- Comment From <email address hidden> 2016-11-02 10:40 EDT-------
==== State: Assigned by: mgrosch on 02 November 2016 09:33:55 ====

#=#=# 2016-11-02 09:33:53 (CDT) #=#=#
New Fix_Potential = [GSI_HDW]

not a super high priority for 11/18 GA - we should try out the latest change though
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#

Christian Ehrhardt  (paelzer) on 2016-11-14

Changed in libvirt (Ubuntu):
status:	Triaged → In Progress

Christian Ehrhardt  (paelzer) wrote on 2016-11-14:

#11

FYI - Fix pushed to Zesty

Since it is non fatal I did not consider an SRU so far.

Christian Ehrhardt  (paelzer) wrote on 2016-11-14:

#12

What worked last week doesn't have to this week - I ran into an FTBFS - please wait a bit until resolved.

bugproxy (bugproxy) wrote on 2016-11-18:

#13

------- Comment From <email address hidden> 2016-11-18 10:59 EDT-------

bugproxy (bugproxy) wrote on 2016-11-18: kernel logs

#14

kernel logs Edit (11.0 MiB, application/gzip)

Default Comment by Bridge

bugproxy (bugproxy) wrote on 2016-11-18: dmesg output after reboot

#15

dmesg output after reboot Edit (19.9 KiB, application/gzip)

Default Comment by Bridge

bugproxy (bugproxy) wrote on 2016-11-18: usr.sbin.libvirt.d

#16

usr.sbin.libvirt.d Edit (942 bytes, application/gzip)

Default Comment by Bridge

Christian Ehrhardt  (paelzer) wrote on 2016-11-21:

#17

FYI - this is still waiting to migrate, so while the fix is committed you can not get it via an apt-get update, so it is expected to still fail atm.

Launchpad Janitor (janitor) wrote on 2016-11-22:

#18

This bug was fixed in the package libvirt - 2.1.0-1ubuntu13

---------------
libvirt (2.1.0-1ubuntu13) zesty; urgency=medium

  * drop d/p/ubuntu/fix-ftbfs-for-gnutls-3-5-6.patch as the offending change
    in gnutls has been reverted (LP: #1641615)
  * Build depend on gnutls >= 3.5.6-4ubuntu2 to build after the gnutls fix
    migrated

-- Christian Ehrhardt <email address hidden> Thu, 17 Nov 2016 08:43:10 +0100

Changed in libvirt (Ubuntu):
status:	In Progress → Fix Released

Christian Ehrhardt  (paelzer) wrote on 2016-11-22:

#19

Since the issue is non-fatal and not a super-high-prio-feature to be needed I refuse to do an SRU of this into Yakkety without anybody explicitly requesting that.
Pre-Yakkety the issue was not existing (came in upstream in 2.x)
I add a task for Yakkety and flag it so that this state is clear.