AppArmor denies access to /etc/gss/mech.d/

Bug #1696471 reported by Martin Pitt on 2017-06-07
This bug affects 1 person
Affects                 Status  Importance  Assigned to  Milestone
libvirt (Ubuntu)                Undecided   Unassigned
  Xenial                        Undecided   Unassigned

Bug Description

We are adding new functionality/tests to Cockpit to integrate VNC/spice consoles (https://github.com/cockpit-project/cockpit/pull/5932). This triggers a new AppArmor violation:

[ 12.117988] audit: type=1400 audit(1496848789.154:16): apparmor="DENIED" operation="open" profile="libvirt-c99ea6d2-4f29-4cc1-a486-0dc02b85ac16" name="/etc/gss/mech.d/" pid=6507 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

I'm not sure what that is being used for, but I suppose this should either be allowed or explicitly denied to avoid this DENIED alarm bell.

This happens on both 16.04 LTS and 17.04.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libvirt-bin 1.3.1-1ubuntu10.10
ProcVersionSignature: Ubuntu 4.4.0-79.100-generic 4.4.67
Uname: Linux 4.4.0-79-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.6
Architecture: amd64
Date: Wed Jun 7 11:25:37 2017
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.libvirt.qemu.networks.default.xml: [modified]
mtime.conffile..etc.libvirt.qemu.networks.default.xml: 2017-06-06T15:17:43.504000

Martin Pitt (pitti) wrote :

Hi Martin,
I'm currently trying to clean up bugs that were missed or got no update.
First I have to beg your pardon for missing it in the first place.

I have run spice sessions without that showing up, so I checked what that actually is about.
In general that directory is for plugging in configs for GSSAPI; see the libvirt reference at [1].

This has been enabled for ages, but I haven't heard of any issues. Which either means it works fine or no one is actually using it.
I'd assume your setup has SASL/GSSAPI configured, more than VNC/spice, to trigger this.
If you have any details on this part of your setup for better reproducibility of the issue, that would be great.
In general, sharing a guest XML could help so I can kind of bisect through it to see if/how to trigger it.

Alternatively, it seems to only be used when you use the non-TLS socket.
Your bug report states only default networks as modified, but maybe this differs from the env this pops up in. Could you check if you have any changes made to either
/etc/sasl2/libvirt.conf or to listen_tls in /etc/libvirt/libvirtd.conf.

[1]: https://libvirt.org/auth.html#ACL_server_kerberos

Changed in libvirt (Ubuntu Xenial):
status: New → Incomplete
Changed in libvirt (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for libvirt (Ubuntu) because there has been no activity for 60 days.]

Changed in libvirt (Ubuntu):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for libvirt (Ubuntu Xenial) because there has been no activity for 60 days.]

Changed in libvirt (Ubuntu Xenial):
status: Incomplete → Expired
Martin Pitt (pitti) wrote :

This still happens all the time, also in 17.10, reopening. I need to find some time to create a reproducer that doesn't involve the Cockpit tests.

Changed in libvirt (Ubuntu):
status: Expired → Incomplete
Changed in libvirt (Ubuntu Xenial):
status: Expired → Confirmed

Yeah, thanks Martin, if that is the case I agree to this plan of action.

As soon as we can explain what triggers it I likely can easily bring something upstream.

If you want to discuss potential experiments/reproducers feel free to catch me on IRC.

Martin Pitt (pitti) wrote :

Sorry for the delay, I finally found some time to get back to this. This is still reproducible on current Ubuntu 17.10:

virsh define m.xml
qemu-img create -f qcow2 /var/lib/libvirt/images/subVmTest1-2.img 128M
virsh start subVmTest1

dmesg shows:

[ 319.220193] audit: type=1400 audit(1520004938.754:40): apparmor="DENIED" operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" name="/etc/gss/mech.d/" pid=5930 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

m.xml is attached. It's lightly edited to remove some external file and device references, to be more or less self-contained (except for the image created above; but that can be empty - it doesn't matter what's actually running in the VM).

Changed in libvirt (Ubuntu):
status: Incomplete → New
Martin Pitt (pitti) wrote :

Forgot to mention: I didn't change any libvirt config files, in particular not the ones you mentioned:

# dpkg -s libvirt-daemon-system | grep libvirt.conf
 /etc/sasl2/libvirt.conf 09c4fa846e8e27bfa3ab3325900d63ea
# md5sum /etc/sasl2/libvirt.conf
09c4fa846e8e27bfa3ab3325900d63ea /etc/sasl2/libvirt.conf

# dpkg -s libvirt-daemon-system | grep libvirtd.conf
 /etc/libvirt/libvirtd.conf bfacce84359f17a8bb59cb0dfe9b424f
# md5sum /etc/libvirt/libvirtd.conf
bfacce84359f17a8bb59cb0dfe9b424f /etc/libvirt/libvirtd.conf

But note that /etc/sasl2/libvirt.conf has "mech_list: gssapi" enabled by default.

I have seen the same recently, but without a clear repro I can't upstream it.
Also we don't know the impact of that missing yet.

Let's fix it in Bionic as an Ubuntu custom change for now, and if we find a way to trigger it intentionally and understand the impact of the lack I can upstream it.

Rule we need is:
  /etc/gss/mech.d/ r,

To trigger we need "libsasl2-modules-gssapi-mit" installed.
That makes qemu read the dir.

In there one only defines additional plugins to be loaded, and I can understand that this might be needed by sasl.

I think it is safe to allow still and will submit something upstream.

Rule tested, not breaking things - fixing the deny as intended.

tags: added: 4.0.0-1ubuntu5
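
As an added example (not code from this bug, libvirt or Ubuntu), here is a small triage helper for the kind of audit line quoted above: it parses apparmor="DENIED" events out of dmesg-style text, collapses the per-guest libvirt-<uuid> profiles into one class so repeated guests don't inflate the count, flags whether a denial asked only for read access (the basis for "safe to allow" here), and prints the candidate rule in the form used in the comment above. The sample input is constructed: the first two lines are modelled on the dmesg line in this bug, the third is a made-up write denial on a placeholder path, and the fourth is an ALLOWED event that must be ignored. The regexes and the "libvirt-<uuid>" class name are my own assumptions, and the generated rule is only a starting point for a maintainer's review, as it was in this bug.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input (see lead-in): two libvirt read denials on
# /etc/gss/mech.d/, one made-up write denial, one ALLOWED line to skip.
SAMPLE_DMESG = """\
[  319.220193] audit: type=1400 audit(1520004938.754:40): apparmor="DENIED" operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" name="/etc/gss/mech.d/" pid=5930 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[  319.220200] audit: type=1400 audit(1520004938.755:41): apparmor="DENIED" operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" name="/etc/gss/mech.d/" pid=5930 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[  325.000000] audit: type=1400 audit(1520004944.000:42): apparmor="DENIED" operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" name="/tmp/constructed-example" pid=5930 comm="qemu-system-x86" requested_mask="wc" denied_mask="wc" fsuid=64055 ouid=0
[  326.000000] audit: type=1400 audit(1520004945.000:43): apparmor="ALLOWED" operation="open" profile="libvirt-269b6725-e6fb-4242-a83a-3ad286dd5efb" name="/dev/null" pid=5930 comm="qemu-system-x86" requested_mask="w" denied_mask="w" fsuid=64055 ouid=0
"""

# key="quoted value" or key=bare_value  (assumed audit line layout)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# libvirt names each guest profile libvirt-<domain UUID>
VM_PROFILE_RE = re.compile(r'^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$')


@dataclass(frozen=True)
class Denial:
    profile: str
    operation: str
    name: str
    comm: str
    requested_mask: str
    denied_mask: str


def parse_denials(text):
    """Extract every apparmor="DENIED" event from dmesg/audit-style text."""
    out = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = {k: (q if q else b) for k, q, b in FIELD_RE.findall(line)}
        if "name" not in f or "profile" not in f:
            continue  # not a file-access event we know how to handle
        out.append(Denial(f["profile"], f.get("operation", ""), f["name"],
                          f.get("comm", ""), f.get("requested_mask", ""),
                          f.get("denied_mask", "")))
    return out


def profile_class(profile):
    """Collapse the per-guest libvirt-<uuid> profiles into one class (assumed label)."""
    return "libvirt-<uuid>" if VM_PROFILE_RE.match(profile) else profile


def is_read_only(denial):
    """True if only read permission was denied (no w/c/k/m/x bits)."""
    return set(denial.denied_mask) <= {"r"}


def suggest_rule(denial):
    """Candidate AppArmor file rule, e.g. '/etc/gss/mech.d/ r,' (review before use)."""
    return f"{denial.name} {denial.denied_mask},"


def summarize(text):
    """Count denials by (profile class, path, denied mask) so repeats collapse."""
    return Counter((profile_class(d.profile), d.name, d.denied_mask)
                   for d in parse_denials(text))


if __name__ == "__main__":
    for (prof, path, mask), n in sorted(summarize(SAMPLE_DMESG).items()):
        ro = "read-only" if set(mask) <= {"r"} else "NOT read-only"
        print(f"{n:3d}x {prof:16s} {path:28s} {mask:4s} {ro:14s} -> {path} {mask},")
```

Run on a real box with `dmesg | python3 this_script.py` after replacing SAMPLE_DMESG with `sys.stdin.read()`; the read-only flag is what separates a denial like this bug's (directory read, candidate for a plain `r` rule) from one that would need write or exec access and a closer look.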

I pushed the commit upstream after some review, ready to be included in Bionic with the next upload.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 4.0.0-1ubuntu5

---------------
libvirt (4.0.0-1ubuntu5) bionic; urgency=medium

  * run dnsmasq as libvirt-dnsmasq (LP: #1743718)
    - d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
    - d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on
      purge
    - d/p/ubuntu/dnsmasq-as-priv-user: write dnsmas config with user
      libvirt-dnsmasq and adapt the self tests to expect that config
    - d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users
  * Backport from recent upstream to stabilize libvirt (LP: #1754352)
    - d/p/stable/0024-qemu-blockcopy-Add-check-for-bandwidth.patch
    - d/p/stable/0025-conf-move-generated-member-from-virMacAddr-to-virDom.patch
    - d/p/stable/0026-lxc-Drop-useless-check-in-live-device-update.patch
    - d/p/stable/0027-Pass-oldDev-to-virDomainDefCompatibleDevice-on-devic.patch
    - d/p/stable/0028-qemu-Fix-updating-device-with-boot-order.patch
    - d/p/stable/0030-daemon-fix-rpc-event-leak-on-error-path-in-remoteDis.patch
    - d/p/stable/0029-lxc-fix-rpc-event-leak-on-error-path-in-virLXCContro.patch
    - d/p/stable/0031-qemu-fix-memory-leak-of-vporttype-during-migration.patch
    - d/p/stable/0032-virsh-fixing-segfault-by-pool-autocompleter-function.patch
  * d/p/ubuntu-aa/0041-apparmor-add-ro-rule-for-sasl-GSSAPI-
    plugin-on-etc-g.patch fix issues if sasl is configured (LP: #1696471)
  * d/p/ubuntu-aa/0042-virt-aa-helper-resolve-yet-to-be-created-paths.patch
    ensure symlinks are resolved to get valid rules if interim parts of a path
    are a symlink (LP: #1752361)

 -- Christian Ehrhardt <email address hidden> Tue, 27 Feb 2018 12:04:02 +0100

Changed in libvirt (Ubuntu):
status: New → Fix Released