This bug also appears in Ubuntu 15.10

$ apt-cache policy apparmor
apparmor:
  Installed: 2.10-0ubuntu6
  Candidate: 2.10-0ubuntu6
  Version table:
 *** 2.10-0ubuntu6 0
        500 http://us.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
        100 /var/lib/dpkg/status

$ apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 1.2.16-2ubuntu11.15.10.1
  Candidate: 1.2.16-2ubuntu11.15.10.1
  Version table:
 *** 1.2.16-2ubuntu11.15.10.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.2.16-2ubuntu11 0
        500 http://us.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1525310

Title:
  virsh with apparmor misconfigures libvirt-UUID files during snapshot

Status in apparmor package in Ubuntu:
  New

Bug description:
  Reproducible: Yes, every time.

  Background:
  When you create a virtual machine (VM) under KVM/Qemu in Ubuntu, apparmor files are created as:
    /etc/apparmor.d/libvirt/libvirt-<UUID>
  and
    /etc/apparmor.d/libvirt/libvirt-<UUID>.files
  And in the file /etc/apparmor.d/libvirt/libvirt-<UUID>.files there is the line
    "PATH_to_BLOCK_DEVICE" rw,
  where PATH_to_BLOCK_DEVICE is the full path name of the image (e.g. something like /var/lib/libvirtd/images/asdf.qcow2) and <UUID> is the UUID of the VM container.

  The problem:
  When creating a snapshot of a running VM under KVM/Qemu you run the command
    $ sudo virsh snapshot-create-as DOMAIN_NAME DESCRIPTION --no-metadata --disk-only --atomic
  which creates a new file and stops writing to the old VM block device. However: the old PATH_to_BLOCK_DEVICE in /etc/apparmor.d/libvirt/libvirt-UUID.files is deleted and replaced with the new block device info BEFORE virsh is done creating the snapshot.

  So you get the error
    error: internal error: unable to execute QEMU command 'transaction': Could not open 'PATH_to_BLOCK_DEVICE': Could not open 'PATH_to_BLOCK_DEVICE': Permission denied: Permission denied
  and in /var/log/syslog you get the error:
    type=1400 audit(1449752104.054:539): apparmor="DENIED" operation="open" profile="libvirt-<UUID>" name="PATH_to_BLOCK_DEVICE" pid=8710 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=106

  When you look now at /etc/apparmor.d/libvirt/libvirt-<UUID>.files you find that the line that was there
    "PATH_to_BLOCK_DEVICE" rw,
  has been replaced with
    "PATH_to_BLOCK_DEVICE.DESCRIPTION" rw,
  but you need BOTH LINES in order for the command "virsh snapshot-create-as" to work. (or at least have the old file have read permissions)

  -----
  Workarounds:
  1. Disable apparmor for libvirtd
  or
  2. Change /etc/apparmor.d/libvirt/libvirt-<UUID> to look like this
  ----------
  #
  # This profile is for the domain whose UUID matches this file.
  #

  #include <tunables/global>

  profile libvirt-UUID {
    #include <abstractions/libvirt-qemu>
    #include <libvirt/libvirt-UUID.files>
    "PATH_to_BLOCK_DEVICE*" rw,
  }
  -----------
  (So if the old line was "/var/lib/libvirtd/images/asdf.qcow2" rw, , the line you can add would read something like this "/var/lib/libvirtd/images/asdf*" rw, )

  --------
  Details on server:
  # lsb_release -rd
  Description:    Ubuntu 14.04.3 LTS
  Release:        14.04

  # apt-cache policy apparmor
  apparmor:
    Installed: 2.8.95~2430-0ubuntu5.3
    Candidate: 2.8.95~2430-0ubuntu5.3
    Version table:
   *** 2.8.95~2430-0ubuntu5.3 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.8.95~2430-0ubuntu5.1 0
          500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
       2.8.95~2430-0ubuntu5 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  # apt-cache policy libvirt-bin
  libvirt-bin:
    Installed: 1.2.2-0ubuntu13.1.14
    Candidate: 1.2.2-0ubuntu13.1.14
    Version table:
   *** 1.2.2-0ubuntu13.1.14 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.2.2-0ubuntu13.1.7 0
          500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
       1.2.2-0ubuntu13 0
          500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  -----
  Apologies if this is the wrong place to submit this bug.

-- 
Mailing list: https://launchpad.net/~touch-packages