apparmor violation for /sys/bus/usb/devices
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libvirt (Ubuntu) | Fix Released | Undecided | Christian Ehrhardt | |
| Jammy | Fix Released | Undecided | Christian Ehrhardt | |
| Kinetic | Fix Released | Undecided | Christian Ehrhardt | |
Bug Description
[ Impact ]
* Newer code makes qemu+libs access a directory that only contains symlinks. Usually apparmor ignores that, as the target of the link is what matters. But the new code fetches attributes of the links, and then the link path (not the target) matters.
Due to that, users see apparmor denials and might even have issues using their USB-to-guest forwarding.
* The access to those links is considered safe and a rule to allow it was brought upstream. These SRU uploads will fix the same in Ubuntu back to Jammy and later.
[ Test Plan ]
* Set up a VM on a host
* Define a USB hostdev as shown below (or click one together in virt-manager if you prefer that)
* Attach that device to the guest (also shown below in the initial report)
* Check that the attach worked and that no apparmor denials were reported
[ Where problems could occur ]
* This is opening up isolation (just a little bit), which is usually the safe direction and (so far) has not triggered regressions in the past.
I can only think of people that might have done complex workarounds for the issue that - now that it works as intended - might see a change in behavior. But that is very unlikely; I just mention it here as I consider it the most likely (albeit very unlikely) regression.
[ Other Info ]
* n/a
----
Start a VM and attach a USB host device:
virsh attach-device --domain subVmTest1 --file /tmp/usbhostedxml
Contents of the file:
<hostdev mode='subsystem' type='usb'>
  <source>
    <vendor id='0x1d6b'/>
    <product id='0x0001'/>
  </source>
</hostdev>
audit: type=1400 audit(166610071
I've extended the apparmor profile (/etc/apparmor.
/sys/
/sys/
/sys/
Related branches
- git-ubuntu bot: Approve
- Lena Voytek (community): Approve
- Canonical Server Reporter: Pending requested
- Canonical Server packageset reviewers: Pending requested
Diff: 147 lines (+119/-0), 4 files modified:
  debian/changelog (+10/-0)
  debian/patches/series (+2/-0)
  debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch (+49/-0)
  debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch (+58/-0)
- git-ubuntu bot: Approve
- Lena Voytek (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server Reporter: Pending requested
Diff: 218 lines (+177/-0), 5 files modified:
  debian/changelog (+15/-0)
  debian/patches/series (+3/-0)
  debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch (+49/-0)
  debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch (+58/-0)
  debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch (+52/-0)
- Christian Ehrhardt (community): Approve
- Canonical Server Reporter: Pending requested
- git-ubuntu import: Pending requested
Diff: 218 lines (+177/-0), 5 files modified:
  debian/changelog (+15/-0)
  debian/patches/series (+3/-0)
  debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch (+49/-0)
  debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch (+58/-0)
  debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch (+52/-0)
description: updated
Changed in libvirt (Ubuntu):
  status: Confirmed → In Progress
Changed in libvirt (Ubuntu Jammy):
  status: Triaged → In Progress
Changed in libvirt (Ubuntu Kinetic):
  status: Triaged → In Progress
description: updated
I missed adding more violations:
audit: type=1400 audit(1666104252.556:36): apparmor="DENIED" operation="getattr" class="file" profile="libvirt-b3192f38-8bab-4424-8c45-1f6e88ddc903" name="/sys/bus/usb/devices/usb1" pid=1504 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
audit: type=1400 audit(1666104252.556:37): apparmor="DENIED" operation="getattr" class="file" profile="libvirt-b3192f38-8bab-4424-8c45-1f6e88ddc903" name="/sys/bus/usb/devices/1-0:1.0" pid=1504 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
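The denials above are the evidence the [ Test Plan ] asks a verifier to look for, so it helps to have a small tool that pulls them out of the audit stream and checks whether a candidate profile rule would actually cover them. The following Python is an added example written for this page; it is not code from the bug report, from libvirt, or from the Ubuntu patches named above. Its sample records are constructed after the two denials quoted here (same profile, pid and paths) plus one non-DENIED record the parser must skip. The candidate rule paths passed to `uncovered_denials()` are hypothetical placeholders for illustration; the rule that was actually shipped is in the `lp-1993304-apparmor-allow-getattr-on-usb-devices.patch` listed above, and the glob translation handles only the `*` / `**` subset of AppArmor path globbing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input, shaped after the two denials quoted in this bug report
# (profile name, pid and paths copied from the report), plus one non-DENIED record
# that the parser must ignore.
SAMPLE_AUDIT_LINES = [
    'audit: type=1400 audit(1666104252.556:36): apparmor="DENIED" operation="getattr" '
    'class="file" profile="libvirt-b3192f38-8bab-4424-8c45-1f6e88ddc903" '
    'name="/sys/bus/usb/devices/usb1" pid=1504 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'audit: type=1400 audit(1666104252.556:37): apparmor="DENIED" operation="getattr" '
    'class="file" profile="libvirt-b3192f38-8bab-4424-8c45-1f6e88ddc903" '
    'name="/sys/bus/usb/devices/1-0:1.0" pid=1504 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
    'audit: type=1400 audit(1666104252.600:38): apparmor="ALLOWED" operation="open" '
    'class="file" profile="libvirt-b3192f38-8bab-4424-8c45-1f6e88ddc903" '
    'name="/dev/bus/usb/001/001" pid=1504 comm="qemu-system-x86" '
    'requested_mask="r" denied_mask="r" fsuid=64055 ouid=0',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Denial:
    profile: str
    operation: str
    path: str
    denied_mask: str


def parse_audit_line(line: str) -> Optional[Denial]:
    """Parse one AppArmor audit record; return a Denial only for apparmor="DENIED"."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("apparmor") != "DENIED":
        return None
    return Denial(
        profile=fields.get("profile", ""),
        operation=fields.get("operation", ""),
        path=fields.get("name", ""),
        denied_mask=fields.get("denied_mask", ""),
    )


def collect_denials(lines: List[str]) -> List[Denial]:
    return [d for d in map(parse_audit_line, lines) if d is not None]


def denials_by_profile(denials: List[Denial]) -> Dict[str, Set[Tuple[str, str]]]:
    """Group (operation, path) pairs per profile, the shape a test-plan check wants."""
    out: Dict[str, Set[Tuple[str, str]]] = {}
    for d in denials:
        out.setdefault(d.profile, set()).add((d.operation, d.path))
    return out


def apparmor_glob_to_regex(rule_path: str) -> "re.Pattern[str]":
    """Translate the AppArmor path-glob subset used here: '**' matches across '/',
    '*' matches within one path component. Assumption: '?', '[...]' and '{a,b}'
    alternations are not handled by this helper."""
    parts: List[str] = []
    i = 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            parts.append(".*")
            i += 2
        elif rule_path[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(rule_path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def uncovered_denials(denials: List[Denial], rule_path: str, rule_perms: str) -> List[Denial]:
    """Denials that a candidate rule '<rule_path> <rule_perms>,' would still not allow.
    A denial is covered when the path matches and every denied permission is granted."""
    pat = apparmor_glob_to_regex(rule_path)
    return [d for d in denials
            if not (pat.match(d.path) and set(d.denied_mask) <= set(rule_perms))]


if __name__ == "__main__":
    found = collect_denials(SAMPLE_AUDIT_LINES)
    for profile, pairs in denials_by_profile(found).items():
        print(profile)
        for op, path in sorted(pairs):
            print(f"  {op:8} {path}")
    # Hypothetical candidate rules; the shipped rule is in the patch named on this page.
    for candidate in ("/sys/bus/usb/*", "/sys/bus/usb/devices/*"):
        left = uncovered_denials(found, candidate, "r")
        print(f"rule '{candidate} r,' leaves {len(left)} denial(s) uncovered")
```

Feeding real `dmesg` or `/var/log/audit/audit.log` lines into `collect_denials()` gives the per-profile list of `getattr` paths that the test plan's "no apparmor denials were reported" step should come back empty for after the SRU; the `/sys/bus/usb/*` candidate in the script illustrates why a single-component `*` is not enough for paths one directory deeper, since AppArmor's `*` does not cross a `/`.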