Bug #2024514 “libvirtd: apparmor DENIED for /etc/ssl/openssl.cnf...” : Bugs : libvirt package : Ubuntu

Revision history for this message

Knickers Brown (metta-crawler) wrote on 2023-06-21:

#1

Dependencies.txt Edit (5.2 KiB, text/plain; charset="utf-8")
KernLog.txt Edit (1.6 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.2 KiB, text/plain; charset="utf-8")
RelatedPackageVersions.txt Edit (147 bytes, text/plain; charset="utf-8")

description:

updated

Bug Watch Updater (bug-watch-updater) on 2023-06-21

Changed in libvirt (Debian):
status:	Unknown → New

Revision history for this message

Paride Legovini (paride) wrote on 2023-06-22:

#2

Hello and thanks for running the Ubuntu development release!

I can confirm this happens on my Mantic system, even if the error doesn't seem to have any immediately visible adverse effect. The linked Debian bug also mentions the VM pausing after some time, but I'm not experiencing this behavior, which seems unrelated from the AppArmor issue.

It is likely that the profiles need updating to allow access to openssl.cnf.

tags:	added: server-todo
Changed in libvirt (Ubuntu):
status:	New → Triaged

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2023-06-22:

#3

Reminder for anyone fixing this, do not try to come up with ssl rules yourself, that would usually be covered by:
#include <abstractions/openssl>

@Acceptable Name
The default behavior of spawning a guest does not trigger this, did you do any config in regard to libvirt or guest config to use some encryption triggering this? Essentially it would help to describe all steps you do from 1. clean system -> x. issue occurs

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2023-06-22:

#4

Note:
we added it quite a while ago to
src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
that is for the parser when a guest is started. But the reported issue is from the guest itself as libvirt-01941a15-9df3-4e69-bdce-8ea2db714e81 indicates a guest profile.

Revision history for this message

Knickers Brown (metta-crawler) wrote on 2023-06-22:

#5

I think my issue is due to trying to install from a defective (or incompatible) ISO.

I tried installing it from an Arch Linux VM host and it failed the same way.

Revision history for this message

Knickers Brown (metta-crawler) wrote on 2023-06-23:

#6

In case it helps anyone, the ISO is rlxos-desktop-x86_64.iso from https://rlxos.dev/

Revision history for this message

Knickers Brown (metta-crawler) wrote on 2023-06-23:

#7

Download full text (9.0 KiB)

It's always one more thing, sigh. The reason that it got "No bootable device" is that the ISO is UEFI-only. Trying in UEFI mode had other issues.

Jun 23 05:21:05 coyote audit[49463]: AVC apparmor="DENIED" operation="open" class="file" profile="libvirt-b9e76fae-f449-44bc-8958-88843dacf702" name="/etc/ssl/openssl.cnf" pid=49463 comm="qemu-system
-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jun 23 05:21:05 coyote kernel: audit: type=1400 audit(1687512065.224:89): apparmor="DENIED" operation="open" class="file" profile="libvirt-b9e76fae-f449-44bc-8958-88843dacf702" name="/etc/ssl/openssl
.cnf" pid=49463 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jun 23 05:21:07 coyote kernel: nouveau 0000:01:00.0: DRM: Moving pinned object 0000000078c07ada!
Jun 23 05:21:07 coyote kernel: BUG: kernel NULL pointer dereference, address: 000000000000000c
Jun 23 05:21:07 coyote kernel: #PF: supervisor read access in kernel mode
Jun 23 05:21:09 coyote kernel: #PF: error_code(0x0000) - not-present page
Jun 23 05:21:09 coyote kernel: PGD 800000026ad54067 P4D 800000026ad54067 PUD 26ad53067 PMD 0
Jun 23 05:21:10 coyote kernel: Oops: 0000 [#1] PREEMPT SMP PTI
Jun 23 05:21:10 coyote kernel: CPU: 4 PID: 46364 Comm: virt-manager Tainted: P O 6.3.0-7-generic #7-Ubuntu
Jun 23 05:21:10 coyote kernel: Hardware name: Dell Inc. Precision M4600/08V9YG, BIOS A19 09/14/2018
Jun 23 05:21:10 coyote kernel: RIP: 0010:nouveau_gem_prime_get_sg_table+0x11/0x30 [nouveau]
Jun 23 05:21:10 coyote kernel: Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 8b 87 78 01 00 00 48 8b 7f 08 <8b> 50 0c 48 8b 30 48 89 e5 e8 c1 27 be ff 5d 31 d2 31 f6 31 ff c3
Jun 23 05:21:10 coyote kernel: RSP: 0018:ffffac4a2e4f3810 EFLAGS: 00010282
Jun 23 05:21:10 coyote kernel: RAX: 0000000000000000 RBX: ffff945451bf1240 RCX: 0000000000000000
Jun 23 05:21:10 coyote kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9453dfdef000
Jun 23 05:21:10 coyote kernel: RBP: ffffac4a2e4f3838 R08: 0000000000000a81 R09: 0000000000000000
Jun 23 05:21:10 coyote kernel: R10: ffff945444ad6bd8 R11: 0000000000000000 R12: 0000000000000000
Jun 23 05:21:10 coyote kernel: R13: ffff945451bf1240 R14: 0000000000000a81 R15: ffffac4a2e4f3a10
Jun 23 05:21:10 coyote kernel: FS: 00007f6bf5c32040(0000) GS:ffff945acdb00000(0000) knlGS:0000000000000000
Jun 23 05:21:10 coyote kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 23 05:21:10 coyote kernel: CR2: 000000000000000c CR3: 0000000252f34004 CR4: 00000000000626e0
Jun 23 05:21:10 coyote kernel: Call Trace:
Jun 23 05:21:10 coyote kernel: <TASK>
Jun 23 05:21:10 coyote kernel: ? show_regs+0x6d/0x80
Jun 23 05:21:10 coyote kernel: ? __die+0x24/0x80
Jun 23 05:21:10 coyote kernel: ? page_fault_oops+0x99/0x1b0
Jun 23 05:21:10 coyote kernel: ? kernelmode_fixup_or_oops+0xb2/0x140
Jun 23 05:21:10 coyote kernel: ? __bad_area_nosemaphore+0x1a5/0x2c0
Jun 23 05:21:10 coyote kernel: ? mt_find+0xee/0x250
Jun 23 05:21:10 coyote kernel: ? __bad_area+0x54/0x90
Jun 23 05:21:10 coyote kernel: ? bad_area+0x16/0x30
Jun 23 05:21:10 coyote kernel: ? do_user_addr_fault+0x3db/0x720...

It's always one more thing, sigh. The reason that it got "No bootable device" is that the ISO is UEFI-only. Trying in UEFI mode had other issues.

Jun 23 05:21:05 coyote audit[49463]: AVC apparmor="DENIED" operation="open" class="file" profile="libvirt-b9e76fae-f449-44bc-8958-88843dacf702" name="/etc/ssl/openssl.cnf" pid=49463 comm="qemu-system
-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jun 23 05:21:05 coyote kernel: audit: type=1400 audit(1687512065.224:89): apparmor="DENIED" operation="open" class="file" profile="libvirt-b9e76fae-f449-44bc-8958-88843dacf702" name="/etc/ssl/openssl
.cnf" pid=49463 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jun 23 05:21:07 coyote kernel: nouveau 0000:01:00.0: DRM: Moving pinned object 0000000078c07ada!
Jun 23 05:21:07 coyote kernel: BUG: kernel NULL pointer dereference, address: 000000000000000c
Jun 23 05:21:07 coyote kernel: #PF: supervisor read access in kernel mode
Jun 23 05:21:09 coyote kernel: #PF: error_code(0x0000) - not-present page
Jun 23 05:21:09 coyote kernel: PGD 800000026ad54067 P4D 800000026ad54067 PUD 26ad53067 PMD 0 
Jun 23 05:21:10 coyote kernel: Oops: 0000 [#1] PREEMPT SMP PTI
Jun 23 05:21:10 coyote kernel: CPU: 4 PID: 46364 Comm: virt-manager Tainted: P           O       6.3.0-7-generic #7-Ubuntu
Jun 23 05:21:10 coyote kernel: Hardware name: Dell Inc. Precision M4600/08V9YG, BIOS A19 09/14/2018
Jun 23 05:21:10 coyote kernel: RIP: 0010:nouveau_gem_prime_get_sg_table+0x11/0x30 [nouveau]
Jun 23 05:21:10 coyote kernel: Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 8b 87 78 01 00 00 48 8b 7f 08 <8b> 50 0c 48 8b 30 48 89 e5 e8 c1 27 be ff 5d 31 d2 31 f6 31 ff c3
Jun 23 05:21:10 coyote kernel: RSP: 0018:ffffac4a2e4f3810 EFLAGS: 00010282
Jun 23 05:21:10 coyote kernel: RAX: 0000000000000000 RBX: ffff945451bf1240 RCX: 0000000000000000
Jun 23 05:21:10 coyote kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9453dfdef000
Jun 23 05:21:10 coyote kernel: RBP: ffffac4a2e4f3838 R08: 0000000000000a81 R09: 0000000000000000
Jun 23 05:21:10 coyote kernel: R10: ffff945444ad6bd8 R11: 0000000000000000 R12: 0000000000000000
Jun 23 05:21:10 coyote kernel: R13: ffff945451bf1240 R14: 0000000000000a81 R15: ffffac4a2e4f3a10
Jun 23 05:21:10 coyote kernel: FS:  00007f6bf5c32040(0000) GS:ffff945acdb00000(0000) knlGS:0000000000000000
Jun 23 05:21:10 coyote kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 23 05:21:10 coyote kernel: CR2: 000000000000000c CR3: 0000000252f34004 CR4: 00000000000626e0
Jun 23 05:21:10 coyote kernel: Call Trace:
Jun 23 05:21:10 coyote kernel:  <TASK>
Jun 23 05:21:10 coyote kernel:  ? show_regs+0x6d/0x80
Jun 23 05:21:10 coyote kernel:  ? __die+0x24/0x80
Jun 23 05:21:10 coyote kernel:  ? page_fault_oops+0x99/0x1b0
Jun 23 05:21:10 coyote kernel:  ? kernelmode_fixup_or_oops+0xb2/0x140
Jun 23 05:21:10 coyote kernel:  ? __bad_area_nosemaphore+0x1a5/0x2c0
Jun 23 05:21:10 coyote kernel:  ? mt_find+0xee/0x250
Jun 23 05:21:10 coyote kernel:  ? __bad_area+0x54/0x90
Jun 23 05:21:10 coyote kernel:  ? bad_area+0x16/0x30
Jun 23 05:21:10 coyote kernel:  ? do_user_addr_fault+0x3db/0x720
Jun 23 05:21:10 coyote kernel:  ? exc_page_fault+0x80/0x1b0
Jun 23 05:21:10 coyote kernel:  ? asm_exc_page_fault+0x27/0x30
Jun 23 05:21:10 coyote kernel:  ? nouveau_gem_prime_get_sg_table+0x11/0x30 [nouveau]
Jun 23 05:21:10 coyote kernel:  ? drm_gem_map_dma_buf+0x3d/0xd0 [drm]
Jun 23 05:21:10 coyote kernel:  __map_dma_buf+0x26/0xa0
Jun 23 05:21:10 coyote kernel:  dma_buf_map_attachment+0x84/0xc0
Jun 23 05:21:10 coyote kernel:  i915_gem_object_get_pages_dmabuf+0x23/0x80 [i915]
Jun 23 05:21:10 coyote kernel:  ____i915_gem_object_get_pages+0x26/0x70 [i915]
Jun 23 05:21:10 coyote kernel:  __i915_gem_object_get_pages+0x3e/0x50 [i915]
Jun 23 05:21:10 coyote kernel:  i915_vma_get_pages+0xb6/0x150 [i915]
Jun 23 05:21:10 coyote kernel:  i915_vma_pin_ww+0xbd/0x5b0 [i915]
Jun 23 05:21:10 coyote kernel:  ? dma_resv_list_alloc+0x29/0x50
Jun 23 05:21:10 coyote kernel:  eb_validate_vmas+0x1ac/0x430 [i915]
Jun 23 05:21:10 coyote kernel:  i915_gem_do_execbuffer+0x4e9/0x12d0 [i915]
Jun 23 05:21:10 coyote kernel:  ? native_flush_tlb_local+0x34/0x50
Jun 23 05:21:10 coyote kernel:  i915_gem_execbuffer2_ioctl+0x128/0x2b0 [i915]
Jun 23 05:21:10 coyote kernel:  ? __pfx_i915_gem_execbuffer2_ioctl+0x10/0x10 [i915]
Jun 23 05:21:10 coyote kernel:  drm_ioctl_kernel+0xd6/0x180 [drm]
Jun 23 05:21:10 coyote kernel:  drm_ioctl+0x2d0/0x550 [drm]
Jun 23 05:21:10 coyote kernel:  ? __pfx_i915_gem_execbuffer2_ioctl+0x10/0x10 [i915]
Jun 23 05:21:10 coyote kernel:  __x64_sys_ioctl+0xa0/0xe0
Jun 23 05:21:10 coyote kernel:  do_syscall_64+0x5b/0x90
Jun 23 05:21:10 coyote kernel:  ? syscall_exit_to_user_mode+0x29/0x50
Jun 23 05:21:10 coyote kernel:  ? do_syscall_64+0x67/0x90
Jun 23 05:21:10 coyote kernel:  ? do_syscall_64+0x67/0x90
Jun 23 05:21:10 coyote kernel:  entry_SYSCALL_64_after_hwframe+0x72/0xdc
Jun 23 05:21:10 coyote kernel: RIP: 0033:0x7f6bf5d449ef
Jun 23 05:21:10 coyote kernel: Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
Jun 23 05:21:10 coyote kernel: RSP: 002b:00007ffdb7e28620 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
Jun 23 05:21:10 coyote kernel: RAX: ffffffffffffffda RBX: 000000000561af00 RCX: 00007f6bf5d449ef
Jun 23 05:21:10 coyote kernel: RDX: 00007ffdb7e286a0 RSI: 0000000040406469 RDI: 0000000000000022
Jun 23 05:21:10 coyote kernel: RBP: 00007ffdb7e28760 R08: 0000000004f95700 R09: 00007f6bf5e29c80
Jun 23 05:21:10 coyote kernel: R10: 0000000000000007 R11: 0000000000000246 R12: 00007ffdb7e286a0
Jun 23 05:21:10 coyote kernel: R13: 0000000005514a00 R14: 0000000000000000 R15: 0000000000000022
Jun 23 05:21:10 coyote kernel:  </TASK>
Jun 23 05:21:10 coyote kernel: Modules linked in: vhost_net vhost vhost_iotlb tap snd_seq_dummy snd_hrtimer xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc cfg80211 binfmt_misc nls_iso8859_1 snd_hda_codec_hdmi snd_hda_codec_idt snd_hda_codec_generic intel_rapl_msr snd_hda_intel snd_intel_dspcfg intel_rapl_common snd_intel_sdw_acpi dell_rbtn x86_pkg_temp_thermal snd_hda_codec dell_laptop mei_hdcp intel_powerclamp mei_pxp snd_hda_core snd_hwdep coretemp dell_wmi snd_pcm snd_seq_midi kvm_intel snd_seq_midi_event dell_smm_hwmon dell_smbios snd_rawmidi kvm snd_seq irqbypass ledtrig_audio sparse_keymap dcdbas snd_seq_device rapl snd_timer wmi_bmof dell_wmi_descriptor intel_cstate at24 snd mei_me soundcore mei dell_smo8800 joydev input_leds mac_hid serio_raw msr parport_pc ppdev lp parport efi_pstore dmi_sysfs ip_tables x_tables autofs4 zfs(PO) spl(O) btrfs blake2b_generic raid10 raid456 async_raid6_recov
Jun 23 05:21:10 coyote kernel:  async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear i915 nouveau drm_buddy mxm_wmi drm_ttm_helper i2c_algo_bit ttm drm_display_helper cec rc_core drm_kms_helper syscopyarea crct10dif_pclmul crc32_pclmul sysfillrect polyval_clmulni polyval_generic sysimgblt ghash_clmulni_intel sha512_ssse3 aesni_intel crypto_simd cryptd psmouse i2c_i801 ahci sdhci_pci i2c_smbus firewire_ohci lpc_ich libahci drm e1000e cqhci firewire_core xhci_pci sdhci xhci_pci_renesas crc_itu_t video wmi
Jun 23 05:21:10 coyote kernel: CR2: 000000000000000c
Jun 23 05:21:10 coyote kernel: ---[ end trace 0000000000000000 ]---
Jun 23 05:21:10 coyote kernel: RIP: 0010:nouveau_gem_prime_get_sg_table+0x11/0x30 [nouveau]
Jun 23 05:21:10 coyote kernel: Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 8b 87 78 01 00 00 48 8b 7f 08 <8b> 50 0c 48 8b 30 48 89 e5 e8 c1 27 be ff 5d 31 d2 31 f6 31 ff c3
Jun 23 05:21:10 coyote kernel: RSP: 0018:ffffac4a2e4f3810 EFLAGS: 00010282
Jun 23 05:21:10 coyote kernel: RAX: 0000000000000000 RBX: ffff945451bf1240 RCX: 0000000000000000
Jun 23 05:21:10 coyote kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9453dfdef000
Jun 23 05:21:10 coyote kernel: RBP: ffffac4a2e4f3838 R08: 0000000000000a81 R09: 0000000000000000
Jun 23 05:21:10 coyote kernel: R10: ffff945444ad6bd8 R11: 0000000000000000 R12: 0000000000000000
Jun 23 05:21:10 coyote kernel: R13: ffff945451bf1240 R14: 0000000000000a81 R15: ffffac4a2e4f3a10
Jun 23 05:21:10 coyote kernel: FS:  00007f6bf5c32040(0000) GS:ffff945acdb00000(0000) knlGS:0000000000000000
Jun 23 05:21:10 coyote kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 23 05:21:10 coyote kernel: CR2: 000000000000000c CR3: 0000000252f34004 CR4: 00000000000626e0
Jun 23 05:21:15 coyote kernel: ACPI: \_SB_.PCI0.PEG0.VID_: failed to evaluate _DSM
Jun 23 05:21:15 coyote kernel: nouveau 0000:01:00.0: mc: intr0: 00000100
Jun 23 05:21:35 coyote libvirtd[46386]: libvirt version: 9.0.0, package: 9.0.0-2ubuntu2 (Ubuntu)
Jun 23 05:21:35 coyote libvirtd[46386]: hostname: coyote
Jun 23 05:21:35 coyote libvirtd[46386]: internal error: connection closed due to keepalive timeout
Jun 23 05:21:52 coyote PackageKit[40232]: daemon quit

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2023-06-26:

#9

Argh, sorry about the last comment, I hit Submit too soon.

Andreas Hasenack (ahasenack) on 2023-06-28

Changed in libvirt (Ubuntu):
assignee:	nobody → Andreas Hasenack (ahasenack)

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2023-07-04:

#10

libvirt in kinetic has the openssl abstraction included in the virt-aa-helper profile, as does lunar. Here I only see the DENIED log for the /etc/gnutls/config file:

[qui jul 13 03:05:45 2023] audit: type=1400 audit(1688507858.447:3964): apparmor="DENIED" operation="open" class="file" profile="virt-aa-helper" name="/etc/gnutls/config" pid=1009657 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I have created /etc/gnutls/config manually to experiment with crypto settings in gnutls: that file is not shipped in ubuntu, that's why we are not seeing it in logs at large. This is worth a bug, but separate from this issue here.

The dynamic profile created by libvirt for the VM indeed does not seem to include the openssl abstraction, but I'm not getting the DENIED log entry for the openssl config file either. Something must be different in the VM configuration that @metta-crawler is using.

@metta-crawler, once you have a VM up that is triggering this apparmor DENIED error for the openssl config file, could you please dump it to xml and attach that to this bug?

The command would be this:

virsh dumpxml <vmname> > vm.xml

I don't *think* anything private will be in that file, but please check before attaching.

Changed in libvirt (Ubuntu):
status:	Triaged → Incomplete

Christian Ehrhardt  (paelzer) on 2023-07-12

tags:

removed: server-todo

Affects		Status	Importance	Assigned to	Milestone
	libvirt (Debian)	New	Unknown	debbugs #1030684
	libvirt (Ubuntu)	Incomplete	Undecided	Andreas Hasenack

Ubuntu
libvirt package

libvirtd: apparmor DENIED for /etc/ssl/openssl.cnf

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntulibvirt package

libvirtd: apparmor DENIED for /etc/ssl/openssl.cnf

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
libvirt package