virt-aa-helper fails when serial or console type is 'tcp'

Bug #460271 reported by Matti Hiljanen
This bug affects 1 person
Affects           Status        Importance  Assigned to       Milestone
libvirt (Ubuntu)  Fix Released  Medium      Jamie Strandboge
Karmic            Fix Released  Medium      Jamie Strandboge
Lucid             Fix Released  Medium      Jamie Strandboge

Bug Description

When serial and console devices are defined as follows:
...
    <serial type='tcp'>
      <source mode='bind' host='127.0.0.1' service='1234'/>
      <protocol type='telnet'/>
      <target port='0'/>
    </serial>
    <console type='tcp'>
      <source mode='bind' host='127.0.0.1' service='1234'/>
      <protocol type='telnet'/>
      <target port='0'/>
    </console>
...
virt-aa-helper will incorrectly add "127.0.0.1" to the included files list, which causes apparmor_parser to fail and that causes the guest to not start unless apparmor is disabled for libvirtd. Simple check if the serial or console type is 'tcp' in virt-aa-helper's get_files() function should fix it.

This broke in 0.7.0-1ubuntu8 (which is when virt-aa-helper was changed to use the XML for the file paths) and is still broken as of 0.7.0-1ubuntu13.

Chuck Short (zulcss)
affects: libvirt (Ubuntu) → apparmor (Ubuntu)
Soren Hansen (soren)
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
affects: apparmor (Ubuntu) → libvirt (Ubuntu)
Changed in libvirt (Ubuntu):
milestone: none → karmic-updates
tags: added: apparmor
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

TEST CASE:
$ cat /tmp/460271.xml | sudo virt-aa-helper -u libvirt-a22e3930-d87a-584e-22b2-1d8950212bac -c --dryrun
virt-aa-helper: warning: path does not exist, skipping file type checks
virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac.files
virt-aa-helper:
  "/var/log/libvirt/**/testqemu.log" w,
  "/var/run/libvirt/**/testqemu.monitor" rw,
  "/var/run/libvirt/**/testqemu.pid" rwk,
  "/home/jamie/tmp/test.img" rw,
  "127.0.0.1" w,

virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac
virt-aa-helper:
libvirt-a22e3930-d87a-584e-22b2-1d8950212bac
virt-aa-helper:
  #include <libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac.files>

Notice the "127.0.0.1" w, entry -- it should not be added because it chokes apparmor_parser.

Changed in libvirt (Ubuntu Karmic):
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in libvirt (Ubuntu Karmic):
status: Triaged → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Impact: tcp serial consoles are broken

Bug is addressed in Lucid by enforcing an absolute path for the filename

Patch is debian/patches/9094-lp453335.patch and is small

See comment #1

The regression potential is considered low. It passes the qa-regression-testing script. AppArmor requires absolute paths in the pathnames anyway, so enforcing them will only make other situations more robust.
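The bug description and the comment above describe the defect and its fix in prose: the helper copies a chardev's tcp host address into the profile include as if it were a file path, apparmor_parser rejects the non-absolute entry, and the fix is to drop anything that is not an absolute path before it is written. The Python below is an added illustration, not code from libvirt or from the virt-aa-helper patch. It is a simplified model of the helper's file-collection step: the domain XML is constructed here (the tcp serial/console from the report plus one disk), the rule for how the pre-fix code picked up the host attribute is an assumption about the real C code, and lint_profile is a stand-in for the parser's absolute-path check, not apparmor_parser itself.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed libvirt domain XML: the tcp serial/console from the report plus
# one disk, so a legitimate absolute path appears next to the bogus entry.
DOMAIN_XML = """<domain type='kvm'>
  <name>testqemu</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/home/jamie/tmp/test.img'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <serial type='tcp'>
      <source mode='bind' host='127.0.0.1' service='1234'/>
      <protocol type='telnet'/>
      <target port='0'/>
    </serial>
    <console type='tcp'>
      <source mode='bind' host='127.0.0.1' service='1234'/>
      <protocol type='telnet'/>
      <target port='0'/>
    </console>
  </devices>
</domain>"""


def collect_sources(domain_xml: str) -> List[Tuple[str, str]]:
    """Model of the pre-fix get_files(): every <source> under <devices> is
    taken as a file the guest needs.  For a chardev the endpoint attribute is
    read without checking the device type, so a 'tcp' device contributes its
    host address.  (Assumed simplification of the real C code.)"""
    root = ET.fromstring(domain_xml)
    found: List[Tuple[str, str]] = []
    for disk in root.iterfind("./devices/disk"):
        src = disk.find("source")
        if src is not None and src.get("file"):
            perms = "r" if disk.find("readonly") is not None else "rw"
            found.append((src.get("file"), perms))
    for tag in ("serial", "console", "parallel"):
        for dev in root.iterfind(f"./devices/{tag}"):
            src = dev.find("source")
            if src is None:
                continue
            # The defect: for type='tcp' there is no path, only a host.
            endpoint = src.get("path") or src.get("host")
            if endpoint:
                found.append((endpoint, "w"))
    # Keep the first occurrence only, matching the helper output on the page.
    seen = set()
    unique: List[Tuple[str, str]] = []
    for entry in found:
        if entry not in seen:
            seen.add(entry)
            unique.append(entry)
    return unique


def render_files_profile(domain_xml: str, require_absolute: bool) -> Tuple[List[str], List[str]]:
    """Produce the lines of the libvirt-<uuid>.files include and the list of
    entries dropped.  require_absolute=True models the 9093-lp460271 behaviour
    described in the changelog: a non-absolute entry is reported and skipped
    instead of being written into the profile."""
    name = ET.fromstring(domain_xml).findtext("name")
    rules = [
        f'  "/var/log/libvirt/**/{name}.log" w,',
        f'  "/var/run/libvirt/**/{name}.monitor" rw,',
        f'  "/var/run/libvirt/**/{name}.pid" rwk,',
    ]
    skipped: List[str] = []
    for path, perms in collect_sources(domain_xml):
        if require_absolute and not path.startswith("/"):
            skipped.append(path)
            continue
        rules.append(f'  "{path}" {perms},')
    return rules, skipped


def lint_profile(rules: List[str]) -> List[str]:
    """Stand-in for the apparmor_parser requirement that file rules name
    absolute paths: returns the offending lines (empty means the include
    would load).  Simplified: the real parser also accepts @{variable}
    prefixes and rule types that are not file rules."""
    bad = []
    for line in rules:
        quoted = line.strip().split(" ")[0]
        if quoted.startswith('"') and not quoted.startswith('"/'):
            bad.append(line)
    return bad


if __name__ == "__main__":
    for require in (False, True):
        rules, skipped = render_files_profile(DOMAIN_XML, require_absolute=require)
        print(f"--- require_absolute={require}")
        for p in skipped:
            print(f"virt-aa-helper: warning: {p}")
            print("virt-aa-helper: warning: skipped non-absolute path")
        print("\n".join(rules))
        print("parser would reject:", lint_profile(rules))
```

Run without the absolute-path check, the include contains the `"127.0.0.1" w,` line that lint_profile flags, which is the failure mode in comment #1; with the check, the entry is skipped with the two warning lines and the remaining rules are all absolute, which is the output shown after the fix.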

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.0-1ubuntu14

---------------
libvirt (0.7.0-1ubuntu14) lucid; urgency=low

  * debian/patches/9093-lp460271.patch: require absolute path for dynamic
    added files (LP: #460271)
  * debian/patches/9094-lp453335.patch: suppress confusing and misleading
    apparmor denied message when kvm/qemu tries to open a libvirt specified
    readonly file (such as a cdrom) with write permissions. libvirt uses the
    readonly attribute for the security driver only, and has no way of telling
    kvm/qemu that the device should be opened readonly. (LP: #453335)
  * debian/apparmor/usr.sbin.libvirtd: allow 'inet dgram' for migration to
    work (LP: #461528)
  * debian/apparmor/usr.sbin.libvirtd: properly support qemu+tcp:// by
    allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)
 -- Jamie Strandboge <email address hidden> Mon, 09 Nov 2009 17:11:05 -0600

Changed in libvirt (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in libvirt (Ubuntu Karmic):
status: In Progress → Fix Committed
Changed in libvirt (Ubuntu Lucid):
milestone: karmic-updates → none
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Accepted libvirt into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Revision history for this message
Matti Hiljanen (matti-hiljanen) wrote :

I can confirm that the new libvirt packages fix the problem; my guest VMs are again confined by apparmor.

Thanks.

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is fixed in 0.7.0-1ubuntu13.1.

$ sudo rm -f /etc/apparmor.d/libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212ba*
$ cat /tmp/460271.xml | sudo virt-aa-helper -u libvirt-a22e3930-d87a-584e-22b2-1d8950212bac -c --dryrun
virt-aa-helper: warning: 127.0.0.1
virt-aa-helper: warning: skipped non-absolute path
virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac.files
virt-aa-helper:
  "/var/log/libvirt/**/testqemu.log" w,
  "/var/run/libvirt/**/testqemu.monitor" rw,
  "/var/run/libvirt/**/testqemu.pid" rwk,
  "/home/jamie/tmp/test.img" rw,

virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac
virt-aa-helper:
libvirt-a22e3930-d87a-584e-22b2-1d8950212bac
virt-aa-helper:
  #include <libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac.files>

$ cat /tmp/460271.xml | sudo virt-aa-helper -u libvirt-a22e3930-d87a-584e-22b2-1d8950212bac -r --dryrun
virt-aa-helper: warning: 127.0.0.1
virt-aa-helper: warning: skipped non-absolute path
virt-aa-helper:
/etc/apparmor.d/libvirt/libvirt-a22e3930-d87a-584e-22b2-1d8950212bac.files
virt-aa-helper:
  "/var/log/libvirt/**/testqemu.log" w,
  "/var/run/libvirt/**/testqemu.monitor" rw,
  "/var/run/libvirt/**/testqemu.pid" rwk,
  "/home/jamie/tmp/test.img" rw,

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.0-1ubuntu13.1

---------------
libvirt (0.7.0-1ubuntu13.1) karmic-proposed; urgency=low

  * debian/patches/9093-lp460271.patch: require absolute path for dynamic
    added files (LP: #460271)
  * debian/patches/9094-lp453335.patch: suppress confusing and misleading
    apparmor denied message when kvm/qemu tries to open a libvirt specified
    readonly file (such as a cdrom) with write permissions. libvirt uses the
    readonly attribute for the security driver only, and has no way of telling
    kvm/qemu that the device should be opened readonly. (LP: #453335)
  * debian/apparmor/usr.sbin.libvirtd: allow 'inet dgram' for migration to
    work (LP: #461528)
  * debian/apparmor/usr.sbin.libvirtd: properly support qemu+tcp:// by
    allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)
 -- Jamie Strandboge <email address hidden> Mon, 09 Nov 2009 17:12:32 -0600

Changed in libvirt (Ubuntu Karmic):
status: Fix Committed → Fix Released