Apparmor profile does not authorize access to shared filesystems

Bug #943680 reported by Simon Déziel on 2012-02-29
This bug affects 15 people
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)

Bug Description

Adding a filesystem share to a guest does not translate into the required Apparmor access rules in the guest profile.

After adding the following to the guest definition :

    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/simon/9p'/>
      <target dir='/mnt/9p'/>
    </filesystem>

Accessing the 9p filesystem in the guest gives this error in the host :

Feb 29 18:25:40 simon-laptop kernel: [35709.852192] type=1400 audit(1330557940.265:104): apparmor="DENIED" operation="open" parent=1 profile="libvirt-deab2b00-05e4-9456-3d52-ec3c74f68083" name="/home/simon/9p/" pid=24732 comm="kvm" requested_mask="r" denied_mask="r" fsuid=114 ouid=114

A (not recommended) workaround is to add this to the /etc/apparmor.d/libvirt/libvirt-<UUID> policy :

  "/home/simon/9p/" rwkl,
  "/home/simon/9p/**" rwkl,

Ideally, virt-aa-helper would be aware of those 9p filesystems and should generate the appropriate ruleset.

$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

$ apt-cache policy libvirt-bin
  Installed: 0.9.2-4ubuntu15.2
  Candidate: 0.9.2-4ubuntu15.2
  Version table:
 *** 0.9.2-4ubuntu15.2 0
        500 oneiric-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.9.2-4ubuntu15 0
        500 oneiric/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libvirt-bin 0.9.2-4ubuntu15.2
ProcVersionSignature: Ubuntu 3.0.0-16.29-generic 3.0.20
Uname: Linux 3.0.0-16-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Wed Feb 29 18:23:43 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
 PATH=(custom, no user)
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)

Serge Hallyn (serge-hallyn) wrote :

Hi Jamie,

I only assigned this bug to quickly seek your advice. Does this seem like something which might have an easy solution?

Changed in libvirt (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Not an easy solution no. The security driver needs to have hooks for '9p'. If the qemu driver already has it, then it isn't hard to add it to the apparmor driver. If not, then the qemu driver, the DAC driver, the selinux driver and the apparmor driver all need to be updated (though that is an upstream bug-- they might not fix apparmor, but they would fix all the others (and maybe apparmor)).

Changed in libvirt (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody

Bug still present on 12.10, exactly like described above.

Changed in libvirt (Ubuntu):
importance: Low → Medium
status: Confirmed → Triaged
Robie Basak (racb) on 2013-02-12
summary: - Apparmor profile does not authorize access to 9p shared filesystems
+ Apparmor profile does not authorize access to shared filesystems
billhuey (bill-huey) wrote :

Just adding my view on the matter, this is a somewhat critical bug in that the only manner in which you can share a file system is with an NFS mount. That puts both memory pressure on the guest and host in that buffers must be replicated across both domains where guests must buffer the file system data as well as the host. Growing the guest will take away memory needed by the host for good file system performance.

This could be a severe performance issue in certain systems and is certainly rather bad for heavier VM workloads.

billhuey (bill-huey) wrote :

Last comment for now, this is present on 13.04

Fiona Klute (fiona-klute) wrote :

The bug is still present in 13.10.

Simon Déziel (sdeziel) wrote :

In LP: #1285995, Hiroshi Miura proposed a fix that generates the missing Apparmor rules.
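
The rule generation the bug description asks for, sketched as an added example (it is not virt-aa-helper code and not the fix proposed in LP: #1285995): it reads `<filesystem>` shares from a domain definition and emits per-guest path rules in the form of the workaround above. The function name, the second sample share and the choice of `r` for `<readonly/>` shares are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the share from the report plus a hypothetical read-only one.
SAMPLE_DOMAIN = """<domain type='kvm'><devices>
  <filesystem type='mount' accessmode='passthrough'>
    <source dir='/home/simon/9p'/>
    <target dir='/mnt/9p'/>
  </filesystem>
  <filesystem type='mount' accessmode='passthrough'>
    <source dir='/srv/iso/'/>
    <target dir='iso'/>
    <readonly/>
  </filesystem>
</devices></domain>"""

# Characters that would alter a quoted AppArmor path rule: quote termination,
# globbing, alternation, variables, escapes.
UNSAFE = set('"*?[]{}^@\\\n')


def rules_for_domain(domain_xml):
    """Return AppArmor path rules for every host directory shared with the guest."""
    rules = []
    for fs in ET.fromstring(domain_xml).iter("filesystem"):
        if fs.get("type", "mount") != "mount":  # libvirt's default type is 'mount'
            continue
        src = fs.find("source")
        path = src.get("dir") if src is not None else None
        if not path:
            continue
        # Refuse anything that could widen the rule beyond the shared directory.
        if not path.startswith("/") or UNSAFE & set(path) or ".." in path.split("/"):
            raise ValueError("refusing to emit a rule for %r" % path)
        base = path.rstrip("/")
        # Assumption: a <readonly/> share needs only 'r'; writable shares get
        # the 'rwkl' mask used in the report's workaround.
        perms = "r" if fs.find("readonly") is not None else "rwkl"
        rules.append('"%s/" %s,' % (base, perms))
        rules.append('"%s/**" %s,' % (base, perms))
    return rules


if __name__ == "__main__":
    print("\n".join(rules_for_domain(SAMPLE_DOMAIN)))
```

Rejecting glob and quote characters in the source path keeps a crafted directory name from turning a single-share rule into a broader grant.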
