Date | Who | What changed | Old value | New value | Message
2016-11-24 10:40:41 | James Page | bug | | | added bug
2016-11-28 10:06:48 | Christian Ehrhardt | bug | | | added subscriber Ubuntu Server Team
2017-01-13 10:25:37 | Christian Ehrhardt | libvirt (Ubuntu): status | New | Triaged |
2017-01-13 10:25:40 | Christian Ehrhardt | libvirt (Ubuntu): importance | Undecided | Medium |
2017-01-13 10:25:48 | Christian Ehrhardt | bug | | | added subscriber ChristianEhrhardt
2017-01-25 21:18:02 | Jon Grimm | bug | | | added subscriber Jon Grimm
2017-02-06 22:07:36 | Tyler Hicks | libvirt (Ubuntu): status | Triaged | Incomplete |
2017-02-06 22:07:58 | Tyler Hicks | bug | | | added subscriber Ubuntu Security Team
2017-02-06 22:26:29 | Jamie Strandboge | libvirt (Ubuntu): status | Incomplete | Triaged |
2017-06-26 19:14:27 | Christian Ehrhardt | tags | | virt-aa-helper |
2017-06-27 18:58:26 | Corey Bryant | libvirt (Ubuntu): assignee | | Corey Bryant (corey.bryant) |
2017-06-27 18:58:42 | Corey Bryant | nominated for series | | Ubuntu Artful |
2017-06-27 18:58:42 | Corey Bryant | bug task added | | libvirt (Ubuntu Artful) |
2017-06-27 18:58:42 | Corey Bryant | nominated for series | | Ubuntu Zesty |
2017-06-27 18:58:42 | Corey Bryant | bug task added | | libvirt (Ubuntu Zesty) |
2017-06-27 18:58:42 | Corey Bryant | nominated for series | | Ubuntu Xenial |
2017-06-27 18:58:42 | Corey Bryant | bug task added | | libvirt (Ubuntu Xenial) |
2017-06-27 18:58:49 | Corey Bryant | libvirt (Ubuntu Xenial): status | New | Triaged |
2017-06-27 18:58:51 | Corey Bryant | libvirt (Ubuntu Zesty): status | New | Triaged |
2017-06-27 18:58:53 | Corey Bryant | libvirt (Ubuntu Zesty): importance | Undecided | Medium |
2017-06-27 18:58:56 | Corey Bryant | libvirt (Ubuntu Xenial): importance | Undecided | Medium |
2017-06-27 18:58:59 | Corey Bryant | libvirt (Ubuntu Zesty): assignee | | Corey Bryant (corey.bryant) |
2017-06-27 18:59:01 | Corey Bryant | libvirt (Ubuntu Xenial): assignee | | Corey Bryant (corey.bryant) |
2017-06-27 19:00:14 | Corey Bryant | libvirt (Ubuntu Artful): status | Triaged | Fix Released |
2017-06-27 19:00:28 | Corey Bryant | summary | virt-aa-helper denied access to qcow2 backing file running nova in a snap | [SRU] virt-aa-helper denied access to qcow2 backing file running nova in a snap |
2017-06-27 19:03:34 | Corey Bryant | description | (old value, below) | (new value, below) |
Old value:
The apparmor profile for virt-aa-helper allows access to qcow2 backing images in some well known locations for OpenStack Nova:
/var/lib/nova/images/** r,
/var/lib/nova/instances/_base/** r,
/var/lib/nova/instances/snapshots/** r,
which is great when openstack is installed using debs from the archive; I'm working on a snap for a Nova hypervisor, and the base images are stored in:
/var/snap/nova-hypervisor/common/instances/_base
so instances fail to boot as the generated profile for the instance does not contain access to the backing file as virt-aa-helper is DENIED access to it:
[ 5144.554120] audit: type=1400 audit(1479983132.426:49771): apparmor="DENIED" operation="open" profile="libvirt-d140e3d0-071d-453f-99f2-a777fd1a1c3d" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=663 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=115 ouid=115
switched virt-aa-helper into complain mode:
[ 5531.325617] audit: type=1400 audit(1479983519.193:49776): apparmor="ALLOWED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=5509 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=115
and the instance booted successfully.
The actual disk for the instance is covered by:
/**/disk{,.*} r,
unfortunately the base image does not have a nice generalizable path in the same way.
We could do:
/var/**/images/** r,
/var/**/_base/** r,
/var/**/snapshots/** r,
which would capture other locations for the openstack instances path in the event that it's not the default path for nova.
New value:
[Impact]
The apparmor profile for virt-aa-helper allows access to qcow2 backing images in some well known locations for OpenStack Nova:
/var/lib/nova/images/** r,
/var/lib/nova/instances/_base/** r,
/var/lib/nova/instances/snapshots/** r,
which is great when openstack is installed using debs from the archive; I'm working on a snap for a Nova hypervisor, and the base images are stored in:
/var/snap/nova-hypervisor/common/instances/_base
so instances fail to boot as the generated profile for the instance does not contain access to the backing file as virt-aa-helper is DENIED access to it:
[ 5144.554120] audit: type=1400 audit(1479983132.426:49771): apparmor="DENIED" operation="open" profile="libvirt-d140e3d0-071d-453f-99f2-a777fd1a1c3d" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=663 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=115 ouid=115
switched virt-aa-helper into complain mode:
[ 5531.325617] audit: type=1400 audit(1479983519.193:49776): apparmor="ALLOWED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=5509 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=115
and the instance booted successfully.
The actual disk for the instance is covered by:
/**/disk{,.*} r,
unfortunately the base image does not have a nice generalizable path in the same way.
We could do:
/var/**/images/** r,
/var/**/_base/** r,
/var/**/snapshots/** r,
which would capture other locations for the openstack instances path in the event that it's not the default path for nova.
[Testcase]
Run snap-test from the following to deploy openstack from snaps:
github.com/openstack-snaps/snap-test
[Regression Potential]
Minimal regression potential, as this augments the existing virt-aa-helper to allow a new path to be accessed.
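The description above reasons about which AppArmor path globs cover the qcow2 backing file: the original rules anchored at `/var/lib/nova/...` miss the snap's `/var/snap/nova-hypervisor/common/instances/_base` path, while `/var/**/_base/**` covers it. The following is an added example, not code from the bug report, from libvirt or from virt-aa-helper: a small Python checker that translates AppArmor path globs into regular expressions, parses the audit lines quoted above (embedded here as sample input) and reports whether the old or the proposed rule set would permit each reported access. It assumes the standard AppArmor glob semantics (`*` matches any run of characters without `/`, `**` also crosses `/`, `?` matches one non-`/` character, `{a,b}` is an alternation); character classes and the rest of profile syntax are deliberately not handled.

```python
"""Check which AppArmor path rules cover the paths reported in audit log lines.

Added example; not part of the bug report or of libvirt's virt-aa-helper code.
Assumes AppArmor glob semantics: '*' matches any run of characters that contains
no '/', '**' matches any run including '/', '?' matches one non-'/' character and
'{a,b}' is an alternation. Character classes are not handled.
"""
import re

# Sample audit lines, copied from the bug report (kernel timestamp prefix kept).
SAMPLE_AUDIT = """\
[ 5144.554120] audit: type=1400 audit(1479983132.426:49771): apparmor="DENIED" operation="open" profile="libvirt-d140e3d0-071d-453f-99f2-a777fd1a1c3d" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=663 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=115 ouid=115
[ 5531.325617] audit: type=1400 audit(1479983519.193:49776): apparmor="ALLOWED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/var/snap/nova-hypervisor/common/instances/_base/a9dd2a42f4d46f9d8a628643d9aede38924668e6" pid=5509 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=115
"""

# Path rules quoted in the report, as (path glob, permissions) pairs.
OLD_RULES = [
    ("/var/lib/nova/images/**", "r"),
    ("/var/lib/nova/instances/_base/**", "r"),
    ("/var/lib/nova/instances/snapshots/**", "r"),
    ("/**/disk{,.*}", "r"),
]
PROPOSED_RULES = [
    ("/var/**/images/**", "r"),
    ("/var/**/_base/**", "r"),
    ("/var/**/snapshots/**", "r"),
    ("/**/disk{,.*}", "r"),
]


def glob_to_regex(rule_path):
    """Translate an AppArmor path glob into an anchored regular expression."""
    out, depth, i = [], 0, 0
    while i < len(rule_path):
        c = rule_path[i]
        if c == "*":
            if rule_path[i + 1:i + 2] == "*":
                out.append(".*")        # '**' may cross directory boundaries
                i += 1
            else:
                out.append("[^/]*")     # '*' stops at the next '/'
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")             # alternative separator inside {...}
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def matching_rules(rules, path, mask="r"):
    """Globs that match `path` and whose permissions include every letter of `mask`."""
    return [glob for glob, perms in rules
            if glob_to_regex(glob).match(path) and set(mask) <= set(perms)]


def is_covered(rules, path, mask="r"):
    return bool(matching_rules(rules, path, mask))


def audit_coverage(audit_text, rules):
    """For each DENIED (or complain-mode ALLOWED) event, say whether `rules` permit it."""
    report = []
    for line in audit_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        report.append((ev["profile"], ev["name"], ev["requested_mask"],
                       is_covered(rules, ev["name"], ev["requested_mask"])))
    return report


if __name__ == "__main__":
    for label, rules in (("old", OLD_RULES), ("proposed", PROPOSED_RULES)):
        for profile, name, mask, ok in audit_coverage(SAMPLE_AUDIT, rules):
            print(f"{label:8s} {'ALLOW' if ok else 'DENY '} {mask} {name} ({profile})")
```

The same checker shows what else the widened globs grant: `/var/**/_base/**` matches any directory named `_base` anywhere under `/var`, not only Nova's, so feeding it candidate paths from the host is a quick way to size the "Regression Potential" section before the profile change ships. It also illustrates why `/**/disk{,.*}` does not cover the backing file: `*` never crosses a `/`, so the alternation only extends `disk` by a single filename suffix.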
2017-07-13 06:13:47 | Andy Whitcroft | libvirt (Ubuntu Zesty): status | Triaged | Fix Committed |
2017-07-13 06:13:49 | Andy Whitcroft | bug | | | added subscriber Ubuntu Stable Release Updates Team
2017-07-13 06:13:52 | Andy Whitcroft | bug | | | added subscriber SRU Verification
2017-07-13 06:13:57 | Andy Whitcroft | tags | virt-aa-helper | verification-needed verification-needed-zesty virt-aa-helper |
2017-07-13 06:14:37 | Andy Whitcroft | libvirt (Ubuntu Xenial): status | Triaged | Fix Committed |
2017-07-13 06:14:42 | Andy Whitcroft | tags | verification-needed verification-needed-zesty virt-aa-helper | verification-needed verification-needed-xenial verification-needed-zesty virt-aa-helper |
2017-07-13 20:25:49 | Corey Bryant | tags | verification-needed verification-needed-xenial verification-needed-zesty virt-aa-helper | verification-done verification-done-xenial verification-done-zesty virt-aa-helper |
2017-07-26 12:59:38 | Launchpad Janitor | libvirt (Ubuntu Zesty): status | Fix Committed | Fix Released |
2017-07-26 12:59:43 | Chris J Arges | removed subscriber Ubuntu Stable Release Updates Team | | |
2017-07-26 13:00:06 | Launchpad Janitor | libvirt (Ubuntu Xenial): status | Fix Committed | Fix Released |