NWFilter support broken due to AppArmor restrictions

Bug #646706 reported by Soren Hansen
Affects             Status        Importance  Assigned to  Milestone
libvirt (Ubuntu)    Fix Released  Undecided   Unassigned
  Maverick          Fix Released  Undecided   Unassigned

Bug Description

Somewhere in the code path to instantiate nwfilters, libvirt fetches the relevant network interface's index. This is done through an ioctl on a socket fd. This socket fd is created with socket(PF_SOCKET, SOCK_DGRAM, 0). AppArmor blocks this socket() call. According to netdevice(7):

   Linux supports some standard ioctls to configure network devices.
   They can be used on any socket's file descriptor regardless of the family or type.

Changing PF_SOCKET to PF_INET works as expected. However, given how close we are to release, I'm not super comfortable making this change, so I'm proposing we add "network socket dgram" to /etc/apparmor.d/usr.sbin.libvirtd instead and revisit this for natty.

Comments?
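As an added illustration (not code from the bug report or from libvirt itself), this is the lookup the description refers to: SIOCGIFINDEX over a SOCK_DGRAM socket, first with PF_PACKET as libvirt does, then with the PF_INET alternative the report says works. The function names are assumptions; the errno mapping in the comments (EACCES for an LSM denial, EPERM for a missing CAP_NET_RAW, ENODEV for an unknown interface) is what the kernel returns, so a denial can be told apart from a real device error.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fetch an interface's kernel index with SIOCGIFINDEX; netdevice(7) allows it on a socket of
 * any family. PF_PACKET needs CAP_NET_RAW and, for libvirtd, the AppArmor rule "network packet dgram,". */
int if_index_via_socket(int family, const char *ifname)   /* returns index > 0 or -errno */
{
    struct ifreq ifr;
    int fd, err;
    if (strlen(ifname) >= IFNAMSIZ)
        return -ENAMETOOLONG;
    fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;  /* EACCES: LSM (AppArmor) denial; EPERM: no CAP_NET_RAW */
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    if (ioctl(fd, SIOCGIFINDEX, &ifr) < 0) {
        err = errno;    /* ENODEV: no interface by that name */
        close(fd);
        return -err;
    }
    close(fd);
    return ifr.ifr_ifindex;
}
/* Try PF_PACKET first (libvirt's choice), then the PF_INET alternative the bug report
 * proposes; -ENODEV means the device itself is absent, so no other family is tried. */
int if_index_with_fallback(const char *ifname)
{
    static const int families[] = { PF_PACKET, PF_INET };
    int r = -EINVAL;
    for (size_t i = 0; i < 2; i++) {
        r = if_index_via_socket(families[i], ifname);
        if (r > 0 || r == -ENODEV)
            break;
    }
    return r;
}
int main(int argc, char **argv)
{
    int idx = if_index_with_fallback(argc > 1 ? argv[1] : "lo");
    if (idx < 0) { fprintf(stderr, "%s\n", strerror(-idx)); return 1; }
    printf("ifindex %d\n", idx);
    return 0;
}
```

Run it unprivileged and the PF_PACKET attempt fails with EPERM while PF_INET still answers; under a profile that lacks the packet rule, the first attempt fails with EACCES instead.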

Jamie Strandboge (jdstrand) wrote :

I'm not opposed to changing /etc/apparmor.d/usr.sbin.libvirtd at all since that profile is intended to be very lenient and is there primarily so we can aa_change_profile() and deny a couple of things. However, 'network socket dgram,' is not valid apparmor syntax (see 'man apparmor.d' for details).

Soren Hansen (soren) wrote : Re: [Bug 646706] Re: NWFilter support broken due to AppArmor restrictions

On 24-09-2010 13:37, Jamie Strandboge wrote:
> I'm not opposed to changing /etc/apparmor.d/usr.sbin.libvirtd at all
> since that profile is intended to be very lenient and is there primarily
> so we can aa_change_profile() and deny a couple of things. However,
> 'network socket dgram,' is not valid apparmor syntax (see 'man
> apparmor.d' for details).
>

Err, I meant "network packet dgram", of course. My bad.

--
Soren Hansen
Ubuntu Developer http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/

Jamie Strandboge (jdstrand) wrote :

Adding this to /etc/apparmor.d/usr.sbin.libvirtd is fine:
  network packet dgram,

libvirtd is not intended to be confined in any way (except it is forced to use virt-aa-helper instead of manipulating AppArmor directly). Adding the above is pure bugfix and does not diminish the intended security stance in any way. Please feel free to commit.

Jamie Strandboge (jdstrand) wrote :

Before you upload, please let the release team know about it.

Chuck Short (zulcss)
tags: added: server-mrs
Jamie Strandboge (jdstrand) wrote :

I ACK the change to 0.8.3-1ubuntu14 in the unapproved queue.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.8.3-1ubuntu14

---------------
libvirt (0.8.3-1ubuntu14) maverick; urgency=low

  * Let Apparmor allow libvirtd to create PF_PACKET sockets. Several
    utility functions require it. Of particular interest, the NWFilter
    code uses it, so libvirt's firewalling functionality depends on
    this. (LP: #646706)
 -- Soren Hansen <email address hidden> Fri, 24 Sep 2010 23:36:36 +0200

Changed in libvirt (Ubuntu Maverick):
status: New → Fix Released
tags: added: iso-testing