STC860:Tuleta-L:KVM:iap01:Ubuntu 16.10 KVM logs apparmor="DENIED"

Bug #1615550 reported by bugproxy on 2016-08-22
This bug affects 7 people
Affects: libvirt (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Christian Ehrhardt
Affects: libvirt (Ubuntu Yakkety) | Status: Won't Fix | Importance: Undecided | Assigned to: Unassigned

Bug Description

== Comment: #0 - Application Cdeadmin <email address hidden> - 2016-08-12 14:40:43 ==

== Comment: #1 - Application Cdeadmin <email address hidden> - 2016-08-12 14:40:44 ==
==== State: Open by: panico on 12 August 2016 13:31:50 ====

Contact Information:
====================
Defect Originator: Michael Panico
Defect Originator <email address hidden>

System Info:
============
Machine Type:............8284-22A
Card Type:...............FSP2_P8LE
Current Boot Side:.......T
Next Boot Side:..........T
PT_Swap:.................0
Current Side Driver:.....fips860/b0726a_1632.860

Ubuntu 16.10 KVM host:
root@iaos1:~# uname -a
Linux iaos1 4.4.0-30-generic #49-Ubuntu SMP Fri Jul 1 10:00:36 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux
root@iaos1:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Yakkety Yak (development branch)
Release: 16.10
Codename: yakkety

Code levels for related pkgs:
virt-manager 1:1.3.2-3
libvirt-bin 1.3.4-1
apparmor 2.10.95-0
qemu-kvm 1:2.6+dfsg-3

Problem Description:
====================
The Ubuntu 16.10 KVM host logs this message repeatedly:
[Fri Aug 12 10:07:52 2016] audit: type=1400 audit(1471014479.742:45871): apparmor="DENIED" operation="open" profile="libvirt-5142132a-6e25-413a-b84d-579ce9c23bd5" name="/proc/77712/task/99146/comm" pid=99145 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110

== Comment: #9 - SANDHYA VENUGOPALA <email address hidden> - 2016-08-22 04:42:14 ==

Problem Description:
====================
The Ubuntu 16.10 KVM host logs these messages repeatedly:

Aug 14 04:17:06 iaos1 kernel: [410279.287630] audit: type=1400 audit(1471166226.271:73588): apparmor="DENIED" operation="open" profile="libvirt-2da97bd6-6370-47fa-83bd-3cb8e0836c21" name="/proc/76973/task/143582/comm" pid=76973 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110
Aug 14 04:17:06 iaos1 kernel: [410279.532212] audit: type=1400 audit(1471166226.519:73589): apparmor="DENIED" operation="open" profile="libvirt-66e1f4d0-ca76-4d4f-93ad-44c03cafb1c7" name="/proc/77477/task/143583/comm" pid=77477 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110
Aug 14 04:17:19 iaos1 kernel: [410292.483319] audit: type=1400 audit(1471166239.467:73590): apparmor="DENIED" operation="open" profile="libvirt-66e1f4d0-ca76-4d4f-93ad-44c03cafb1c7" name="/proc/77477/task/143584/comm" pid=77477 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110

from usr.sbin.libvirtd -

# force the use of virt-aa-helper
  audit deny /sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,
  /usr/lib/libvirt/* PUxr,
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,

It seems like libvirt's apparmor policy needs to be updated in Ubuntu 16.10.

bugproxy (bugproxy) on 2016-08-22
tags: added: architecture-ppc64le bugnameltc-144906 severity-high targetmilestone-inin1610
Changed in ubuntu:
assignee: nobody → Taco Screen team (taco-screen-team)
affects: ubuntu → libvirt (Ubuntu)

------- Comment From <email address hidden> 2016-09-12 12:05 EDT-------
== Comment: #1 - Application Cdeadmin <email address hidden> - 2016-08-12 14:40:44 ==
==== State: Assigned by: cde00 on 12 September 2016 11:04:44 ====

Confirmed by SMB

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libvirt (Ubuntu):
status: New → Confirmed
Changed in libvirt (Ubuntu):
importance: Undecided → Medium

Checking the code I'd expect that this kind of access is from:

static void qemu_thread_set_name(QemuThread *thread, const char *name)
{
#ifdef CONFIG_PTHREAD_SETNAME_NP
    pthread_setname_np(thread->thread, name);
#endif
}

This is non-fatal; it just fails to set the thread name (note that the return value is intentionally ignored).

The code itself is rather old (since qemu 2.0) but not enabled by default.
It could be enabled by:
  -name debug-threads=on

Since this change it has been enabled by default by libvirt if supported:
https://www.redhat.com/archives/libvir-list/2016-March/msg00428.html

So with Yakkety you get e.g.
-name guest=testvm1,debug-threads=on
While on Xenial you got:
-name guest=testvm1

That feature being enabled is what triggers the apparmor issues now.

Changed in libvirt (Ubuntu):
status: Confirmed → Triaged
Changed in libvirt (Ubuntu):
assignee: Taco Screen team (taco-screen-team) → ChristianEhrhardt (paelzer)

Hi,
sometimes the verification of this bug seems to elude me.

So I made a test build available for you to test if the package in https://launchpad.net/~paelzer/+archive/ubuntu/libvirt-bug-1546674-1615550/+packages would help you to get rid of the reported issue.

Simon Déziel (sdeziel) wrote :

Hi Christian,

While looking at LP: #1546674 I ran into this bug as well. Your PPA package patches the usr.sbin.libvirtd profile but I think the right place to add the rule is in the abstraction/libvirt-qemu profile extract.

I added a similar but slightly more restrictive rule in the attached patch. With that patch in, I no longer get AA denials for /proc/$pid/task/*/comm.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-10-26 16:57 EDT-------
cde00 (<email address hidden>) added native attachment /tmp/AIXOS06098138/aa-libvirt-qemu.patch on 2016-10-26 15:57:26

The attachment "aa-libvirt-qemu.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
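The denials quoted in the problem description, the thread-naming explanation from Christian's comment and the owner-limited rule Simon's comment describes lend themselves to a small triage script. What follows is an added example, not code from this bug, from libvirt or from AppArmor. It parses the audit records, flags the ones that are the debug-threads write to /proc/<pid>/task/<tid>/comm (glibc implements pthread_setname_np() on a thread other than the caller by writing that file, which is why the denial is operation="open" with mask "wr"), and checks which denials a candidate rule would actually have allowed, so a broad /proc/** rule can be compared with a narrow owner rule. Assumptions: NARROW_RULE is only the shape the comment describes (the attached patch's text is not on this page), the @{PROC}/@{pid}/@{tid} expansions are simplified, and the fourth log line is constructed to stand in for an unrelated denial that the fix must not hide.

```python
import re

# Audit lines quoted in this bug's Problem Description, plus one constructed
# line (a read of /proc/1/mem, file owned by root) that is NOT the thread-naming
# access and must still be reported after the fix goes in.
SAMPLE_LOG = """\
Aug 14 04:17:06 iaos1 kernel: [410279.287630] audit: type=1400 audit(1471166226.271:73588): apparmor="DENIED" operation="open" profile="libvirt-2da97bd6-6370-47fa-83bd-3cb8e0836c21" name="/proc/76973/task/143582/comm" pid=76973 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110
Aug 14 04:17:06 iaos1 kernel: [410279.532212] audit: type=1400 audit(1471166226.519:73589): apparmor="DENIED" operation="open" profile="libvirt-66e1f4d0-ca76-4d4f-93ad-44c03cafb1c7" name="/proc/77477/task/143583/comm" pid=77477 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110
Aug 14 04:17:19 iaos1 kernel: [410292.483319] audit: type=1400 audit(1471166239.467:73590): apparmor="DENIED" operation="open" profile="libvirt-66e1f4d0-ca76-4d4f-93ad-44c03cafb1c7" name="/proc/77477/task/143584/comm" pid=77477 comm="qemu-system-ppc" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=110
Aug 14 04:18:00 iaos1 kernel: [410333.000000] audit: type=1400 audit(1471166280.000:73591): apparmor="DENIED" operation="open" profile="libvirt-66e1f4d0-ca76-4d4f-93ad-44c03cafb1c7" name="/proc/1/mem" pid=77477 comm="qemu-system-ppc" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
"""

# The lazy fix versus the rule shape Simon's comment describes (owner-limited,
# /proc/$pid/task/*/comm only). The attached patch's exact text is not on this
# page, so NARROW_RULE is an assumption about its form.
BROAD_RULE = "@{PROC}/** rw,"
NARROW_RULE = "owner @{PROC}/@{pid}/task/@{tid}/comm rw,"

# Simplified tunables. The real @{PROC} is "/proc/" (apparmor_parser collapses
# the doubled slash) and @{pid}/@{tid} are digit globs from tunables/kernelvars.
TUNABLES = {"@{PROC}": "/proc", "@{pid}": "[0-9]+", "@{tid}": "[0-9]+"}

# pthread_setname_np() on a thread other than the caller is implemented by
# glibc as a write to /proc/self/task/<tid>/comm, which is what the denials show.
THREAD_COMM = re.compile(r"^/proc/[0-9]+/task/[0-9]+/comm$")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit record as a dict,
    or None when the line is not an apparmor="DENIED" record."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def rule_to_regex(path_rule):
    """Compile the path of an AppArmor file rule to a regex: expands @{var},
    '**' (anything, including '/') and '*' (anything except '/')."""
    out, i = [], 0
    while i < len(path_rule):
        if path_rule.startswith("@{", i):
            j = path_rule.index("}", i) + 1
            out.append(TUNABLES[path_rule[i:j]])
            i = j
        elif path_rule.startswith("**", i):
            out.append(".*")
            i += 2
        elif path_rule[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(path_rule[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_allows(rule, denial):
    """True if a file rule written as in a profile ('owner <path> <perms>,')
    would have permitted the access in `denial`. 'owner' is modelled as
    fsuid == ouid, which is what the audit record gives us."""
    parts = rule.strip().rstrip(",").split()
    owner = parts[0] == "owner"
    path_rule, perms = parts[1:] if owner else parts
    if not rule_to_regex(path_rule).match(denial["name"]):
        return False
    if owner and denial["fsuid"] != denial["ouid"]:
        return False
    return set(denial["denied_mask"]) <= set(perms)


def triage(log_text, rule):
    """Per profile: how many denials there are, how many are the debug-threads
    comm write, and how many `rule` would still leave denied (worth a look)."""
    report = {}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        r = report.setdefault(d["profile"],
                              {"total": 0, "thread_name": 0, "still_denied": 0})
        r["total"] += 1
        if THREAD_COMM.match(d["name"]) and "w" in d["denied_mask"]:
            r["thread_name"] += 1
        if not rule_allows(rule, d):
            r["still_denied"] += 1
    return report


if __name__ == "__main__":
    for name, rule in (("broad", BROAD_RULE), ("narrow", NARROW_RULE)):
        print(name, rule)
        for profile, counts in triage(SAMPLE_LOG, rule).items():
            print("  ", profile, counts)
```

Run against a real host by feeding the contents of the kernel log (or `journalctl -k` output) to triage() instead of SAMPLE_LOG. The point of the comparison is that the broad rule reports zero remaining denials for the constructed /proc/1/mem read as well, i.e. it would silence exactly the kind of access the profile exists to catch, while the owner-limited rule covers the three comm writes and nothing else.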

Hi Simon,
as stated in the other bug I can only agree!

Thanks - I made a new version ready to test for Yakkety available in the ppa.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-11-02 10:40 EDT-------
==== State: Assigned by: mgrosch on 02 November 2016 09:33:55 ====

#=#=# 2016-11-02 09:33:53 (CDT) #=#=#
New Fix_Potential = [GSI_HDW]

not a super high priority for 11/18 GA - we should try out the latest change though
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#

Changed in libvirt (Ubuntu):
status: Triaged → In Progress

FYI - Fix pushed to Zesty

Since it is non fatal I did not consider an SRU so far.

What worked last week doesn't have to work this week - I ran into an FTBFS - please wait a bit until that is resolved.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-11-18 10:59 EDT-------

Default Comment by Bridge

FYI - this is still waiting to migrate, so while the fix is committed you can not get it via an apt-get update, so it is expected to still fail atm.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 2.1.0-1ubuntu13

---------------
libvirt (2.1.0-1ubuntu13) zesty; urgency=medium

  * drop d/p/ubuntu/fix-ftbfs-for-gnutls-3-5-6.patch as the offending change
    in gnutls has been reverted (LP: #1641615)
  * Build depend on gnutls >= 3.5.6-4ubuntu2 to build after the gnutls fix
    migrated

 -- Christian Ehrhardt <email address hidden> Thu, 17 Nov 2016 08:43:10 +0100

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released

Since the issue is non-fatal and not a super-high-priority feature that needs to be fixed, I refuse to do an SRU of this into Yakkety without anybody explicitly requesting it.
Pre-Yakkety the issue did not exist (it came in upstream in 2.x).
I'll add a task for Yakkety and flag it so that this state is clear.

Changed in libvirt (Ubuntu Yakkety):
status: New → Won't Fix