qemu-system-x86_64 read acces DENIED in apparmor

Bug #1610368 reported by P
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
qemu (Ubuntu)
New
Undecided
Unassigned

Bug Description

When starting a win8.1 VM in virt-manager I see theses errors in dmesg

[ 185.210435] audit: type=1400 audit(1470419576.704:27): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4" pid=4885 comm="apparmor_parser"
[ 185.220800] audit: type=1400 audit(1470419576.716:28): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4//qemu_bridge_helper" pid=4885 comm="apparmor_parser"
[ 185.356159] audit: type=1400 audit(1470419576.848:29): apparmor="DENIED" operation="open" profile="libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4" name="/run/udev/data/c189:1" pid=4912 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
[ 185.356244] audit: type=1400 audit(1470419576.848:30): apparmor="DENIED" operation="open" profile="libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4" name="/run/udev/data/c189:129" pid=4912 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
[ 185.356317] audit: type=1400 audit(1470419576.848:31): apparmor="DENIED" operation="open" profile="libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4" name="/run/udev/data/c189:130" pid=4912 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
[ 185.356396] audit: type=1400 audit(1470419576.848:32): apparmor="DENIED" operation="open" profile="libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4" name="/run/udev/data/c189:131" pid=4912 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
[ 185.356486] audit: type=1400 audit(1470419576.852:33): apparmor="DENIED" operation="open" profile="libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4" name="/run/udev/data/c189:257" pid=4912 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
[ 185.356545] audit: type=1400 audit(1470419576.852:34): apparmor="DENIED" operation="open" profile="libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4" name="/run/udev/data/c189:0" pid=4912 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=123 ouid=0

the process 4912 is :

libvirt+ 4912 1 36 19:52 ? 00:00:51 qemu-system-x86_64 -enable-kvm -name win8.1 -S -machine pc-i440fx-2.5,accel=kvm,usb=off -cpu Broadwell-noTSX,hv_time,hv_relaxed,hv_vapic,hv_spinlocks=0x1fff -m 4096 -realtime mlock=off -smp 2,sockets=2,cores=1,threads=1 -uuid d694857f-577a-45d4-81d2-4f3672ae7bd4 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-win8.1/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device nec-usb-xhci,id=usb,bus=pci.0,addr=0x5 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -drive file=/TEMPO/VMS/win81.qcow2,format=qcow2,if=none,id=drive-ide0-0-0 -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=26,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:9d:db:21,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 -spice port=5900,addr=127.0.0.1,disable-ticketing,image-compression=off,seamless-migration=on -k fr -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -device usb-host,hostbus=2,hostaddr=10,id=hostdev0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on

I have no visible problems with the VM but just wanted to signal this to developpers in case this is not normal behaviour.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: qemu-system-x86 1:2.5+dfsg-5ubuntu10.3
ProcVersionSignature: Ubuntu 4.4.0-31.50-generic 4.4.13
Uname: Linux 4.4.0-31-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: KDE
Date: Fri Aug 5 19:57:37 2016
InstallationDate: Installed on 2016-05-14 (83 days ago)
InstallationMedia: Kubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
ProcKernelCmdLine: BOOT_IMAGE=/@/boot/vmlinuz-4.4.0-31-generic root=UUID=54def8c1-2495-44c4-b760-f8dbc15e25b1 ro rootflags=subvol=@ quiet splash vt.handoff=7
SourcePackage: qemu
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 02/24/2016
dmi.bios.vendor: Intel Corporation
dmi.bios.version: RYBDWi35.86A.0355.2016.0224.1501
dmi.board.name: NUC5i5RYB
dmi.board.vendor: Intel Corporation
dmi.board.version: H40999-504
dmi.chassis.type: 3
dmi.modalias: dmi:bvnIntelCorporation:bvrRYBDWi35.86A.0355.2016.0224.1501:bd02/24/2016:svn:pn:pvr:rvnIntelCorporation:rnNUC5i5RYB:rvrH40999-504:cvn:ct3:cvr:

Revision history for this message
P (p92) wrote :
Revision history for this message
P (p92) wrote :

apparmor profile

$ cat /etc/apparmor.d/libvirt/libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4 {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4.files>

}

Revision history for this message
P (p92) wrote :

$ cat /etc/apparmor.d/libvirt/libvirt-d694857f-577a-45d4-81d2-4f3672ae7bd4.files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/win8.1.log" w,
  "/var/lib/libvirt/qemu/domain-win8.1/monitor.sock" rw,
  "/var/run/libvirt/**/win8.1.pid" rwk,
  "/run/libvirt/**/win8.1.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.win8.1" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.win8.1" rw,
  "/TEMPO/VMS/win81.qcow2" rw,
  # for qemu guest agent channel
  owner "/var/lib/libvirt/qemu/channel/target/domain-win8.1/**" rw,
  "/dev/bus/usb/002/010" rw,
  "/dev/net/tun" rw,

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Looking at the contents of those files, I think giving libvirt vms read access by default to all of them should be safe.

Thomas Huth (th-huth)
no longer affects: qemu
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi,
getting to my attention now due to the drop of upstream qemu.
This is actually a dup of bug 1552241

TL;DR:
- yes it is an issue
- the /run/udev/data/* blanket is considered "too open"
- a correct fix needs some serious development in virt-aa-helper
- until this is done upstream users who want to opt-in need to opt-in (to get functionality but also unsafety) by making the profile less restrictive in /etc/apparmor.d/abstractions/libvirt-qemu

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.