So, investigated this into an apparmor difference between 4.17 and 4.18.
This is due to commit 338d0be437ef10e247a35aed83dbab182cf406a2
("apparmor: fix ptrace read check").

libvirtd here is using only trace, and not read. The patch below for
libvirtd apparmor policy fixes it for me.

--- /etc/apparmor.d/usr.sbin.libvirtd   2018-08-23 14:52:04.574252908 -0300
+++ ../usr.sbin.libvirtd        2018-08-23 14:51:46.773728841 -0300
@@ -50,10 +50,10 @@
   # for --p2p migrations
   unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
 
-  ptrace (trace) peer=unconfined,
-  ptrace (trace) peer=/usr/sbin/libvirtd,
-  ptrace (trace) peer=/usr/sbin/dnsmasq,
-  ptrace (trace) peer=libvirt-*,
+  ptrace (read,trace) peer=unconfined,
+  ptrace (read,trace) peer=/usr/sbin/libvirtd,
+  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+  ptrace (read,trace) peer=libvirt-*,
 
   signal (send) peer=/usr/sbin/dnsmasq,
   signal (read, send) peer=libvirt-*,
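Review bot: the four rewritten ptrace rules carry no comment explaining why `read` is now required alongside `trace`; a reader of the profile later will not know this was forced by kernel commit 338d0be437ef10e247a35aed83dbab182cf406a2 ("apparmor: fix ptrace read check") and may be tempted to drop it again. Suggest a short comment above the block, e.g. `# 'read' needed since 4.18 (apparmor ptrace read check) for /proc/<pid>/ns/* access`. Minor style point: the new lines use `(read,trace)` while the existing signal rule two lines below uses `(read, send)` with a space after the comma; pick one form for consistency.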

** Also affects: libvirt (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: libvirt (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Cosmic)
   Importance: High
     Assignee: Thadeu Lima de Souza Cascardo (cascardo)
       Status: In Progress

** Changed in: libvirt (Ubuntu Cosmic)
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1788603

Title:
  libvirt fails with failure to open mount namespace

Status in libvirt package in Ubuntu:
  New
Status in linux package in Ubuntu:
  In Progress
Status in libvirt source package in Cosmic:
  New
Status in linux source package in Cosmic:
  In Progress

Bug description:
  $ virsh start cosmic-i386
  error: Failed to start domain cosmic-i386
  error: internal error: child reported: Kernel does not provide mount namespace: Permission denied

  Happens with 4.18 only, 4.17 is fine.

  27013 openat(AT_FDCWD, "/proc/27012/ns/mnt", O_RDONLY) = -1 EACCES (Permission denied)

  Opening a self or parent mount namespace works fine as tested with cat
  /proc/self/ns/mnt and cat /proc/self/$$/mnt. Still investigating.
