apparmor disallows qemu+tcp:// connections

Bug #462000 reported by Jamie Strandboge
Affects                  Importance  Assigned to
libvirt (Ubuntu)         Low         Jamie Strandboge
libvirt (Ubuntu Karmic)  Low         Jamie Strandboge
libvirt (Ubuntu Lucid)   Low         Jamie Strandboge

Bug Description

TEST CASE:
1. adjust /etc/libvirt/libvirtd.conf to have:
listen_tls = 0
listen_tcp = 1

2. Restart libvirt in listen mode:
$ sudo /etc/init.d/libvirt-bin stop
$ sudo libvirtd -d --listen

3. see if it worked:
$ virsh -c qemu+tcp://127.0.0.1/system capabilities
Please enter your authentication name:

If you are prompted for authentication in step #3, then everything is fine (can't authenticate because we haven't setup sasl).

Currently get the following output from libvirtd in step #2:
14:48:14.916: warning : qemudStartup:521 : Unable to create cgroup for driver: No such device or address
14:48:15.005: warning : lxcStartup:1460 : Unable to create cgroup for driver: No such device or address
14:48:15.017: error : remoteMakeSockets:584 : socket: Permission denied

And in dmesg:
Oct 27 14:48:15 sec-karmic-amd64 kernel: [60424.438021] type=1503 audit(1256654895.009:40): operation="socket_create" pid=15842 parent=11268 profile="/usr/sbin/libvirtd" family="inet6" sock_type="dgram" protocol=0
Oct 27 14:48:15 sec-karmic-amd64 kernel: [60424.438093] type=1503 audit(1256654895.009:41): operation="socket_create" pid=15842 parent=11268 profile="/usr/sbin/libvirtd" family="inet6" sock_type="stream" protocol=6

Need to add the following to the profile:
  network inet6 stream,
  network inet6 dgram,
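The two dmesg lines above are the whole evidence for the missing rules. Added example (not part of the bug report or of the libvirt package): it parses AppArmor `socket_create` audit lines of that format into the `network <family> <type>,` rules the profile needs, then reports which of them a given profile text lacks. The sample profile text is constructed, not the real usr.sbin.libvirtd file.

```python
import re

# Sample input: the two audit lines quoted in the bug report.
SAMPLE_DMESG = """\
Oct 27 14:48:15 sec-karmic-amd64 kernel: [60424.438021] type=1503 audit(1256654895.009:40): operation="socket_create" pid=15842 parent=11268 profile="/usr/sbin/libvirtd" family="inet6" sock_type="dgram" protocol=0
Oct 27 14:48:15 sec-karmic-amd64 kernel: [60424.438093] type=1503 audit(1256654895.009:41): operation="socket_create" pid=15842 parent=11268 profile="/usr/sbin/libvirtd" family="inet6" sock_type="stream" protocol=6
"""

# Constructed stand-in for a profile that only allows IPv4 sockets.
SAMPLE_PROFILE = """\
/usr/sbin/libvirtd {
  network inet stream,
  network inet dgram,
}
"""

# key="value" pairs as they appear in the audit message
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_socket_denials(dmesg_text):
    """Return (profile, family, sock_type) for every socket_create audit line."""
    denials = []
    for line in dmesg_text.splitlines():
        if 'operation="socket_create"' not in line:
            continue
        fields = dict(KV_RE.findall(line))
        denials.append((fields["profile"], fields["family"], fields["sock_type"]))
    return denials


def rules_for(denials, profile):
    """Deduplicated, sorted 'network <family> <type>,' rules for one profile."""
    wanted = sorted({(f, t) for p, f, t in denials if p == profile})
    return ["network %s %s," % (f, t) for f, t in wanted]


def missing_rules(profile_text, rules):
    """Rules not already present in the profile text (whitespace-insensitive)."""
    present = {" ".join(l.split()) for l in profile_text.splitlines()}
    return [r for r in rules if r not in present]


if __name__ == "__main__":
    needed = rules_for(parse_socket_denials(SAMPLE_DMESG), "/usr/sbin/libvirtd")
    for rule in missing_rules(SAMPLE_PROFILE, needed):
        print("missing:", rule)
```

On a live system the same functions can be fed the output of `dmesg` and the contents of /etc/apparmor.d/usr.sbin.libvirtd; remember that a profile edit takes effect only after the profile is reloaded.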

description: updated
tags: added: apparmor
Changed in libvirt (Ubuntu Karmic):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
milestone: none → karmic-updates
status: New → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

SRU

Impact: qemu+tcp:// connections no longer work

Bug is addressed in Lucid by adding 'inet6 dgram' and 'inet6 stream' to the usr.sbin.libvirtd profile

See description

The regression potential is considered extremely low. It only allows additional access the profile previously denied.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.0-1ubuntu14

---------------
libvirt (0.7.0-1ubuntu14) lucid; urgency=low

  * debian/patches/9093-lp460271.patch: require absolute path for dynamic
    added files (LP: #460271)
  * debian/patches/9094-lp453335.patch: suppress confusing and misleading
    apparmor denied message when kvm/qemu tries to open a libvirt specified
    readonly file (such as a cdrom) with write permissions. libvirt uses the
    readonly attribute for the security driver only, and has no way of telling
    kvm/qemu that the device should be opened readonly. (LP: #453335)
  * debian/apparmor/usr.sbin.libvirtd: allow 'inet dgram' for migration to
    work (LP: #461528)
  * debian/apparmor/usr.sbin.libvirtd: properly support qemu+tcp:// by
    allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)
 -- Jamie Strandboge <email address hidden> Mon, 09 Nov 2009 17:11:05 -0600

Changed in libvirt (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in libvirt (Ubuntu Karmic):
status: In Progress → Fix Committed
Changed in libvirt (Ubuntu Lucid):
milestone: karmic-updates → none
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Accepted libvirt into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This now works in 0.7.0-1ubuntu13.1.

description: updated
Revision history for this message
Bryan McLellan (btm) wrote :

I had to run '/etc/init.d/apparmor reload' after upgrading to the packages in -proposed before libvirt would properly start.

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Bryan, your issue is due to bug #466315, which will be fixed in a future update.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.0-1ubuntu13.1

---------------
libvirt (0.7.0-1ubuntu13.1) karmic-proposed; urgency=low

  * debian/patches/9093-lp460271.patch: require absolute path for dynamic
    added files (LP: #460271)
  * debian/patches/9094-lp453335.patch: suppress confusing and misleading
    apparmor denied message when kvm/qemu tries to open a libvirt specified
    readonly file (such as a cdrom) with write permissions. libvirt uses the
    readonly attribute for the security driver only, and has no way of telling
    kvm/qemu that the device should be opened readonly. (LP: #453335)
  * debian/apparmor/usr.sbin.libvirtd: allow 'inet dgram' for migration to
    work (LP: #461528)
  * debian/apparmor/usr.sbin.libvirtd: properly support qemu+tcp:// by
    allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)
 -- Jamie Strandboge <email address hidden> Mon, 09 Nov 2009 17:12:32 -0600

Changed in libvirt (Ubuntu Karmic):
status: Fix Committed → Fix Released