** Description changed:

+ IMPACT: libvirt cannot setuid to run VMs as non-root
+ REGRESSION POTENTIAL: there should be none, we are only allowing libvirt to setuid and setgid, not changing any code
+ TEST CASE: 
+ 
  I couldn't boot any guest VMs with virsh until I modified /etc/apparmor.d/abstractions/libvirt-qemu:
  jad@kvmhost:~$ sudo bzr diff /etc/apparmor.d/
  === modified file 'apparmor.d/abstractions/libvirt-qemu'
  --- apparmor.d/abstractions/libvirt-qemu        2010-04-30 15:33:20 +0000
  +++ apparmor.d/abstractions/libvirt-qemu        2010-05-12 17:26:56 +0000
  @@ -8,6 +8,8 @@
-    capability dac_override,
-    capability dac_read_search,
-    capability chown,
+    capability dac_override,
+    capability dac_read_search,
+    capability chown,
  +  capability setgid,
  +  capability setuid,
-  
-    # this is needed with libcap-ng support, however it breaks a lot of things
-    # atm, so just silence the denial until libcap-ng works right. LP: #522845
+ 
+    # this is needed with libcap-ng support, however it breaks a lot of things
+    # atm, so just silence the denial until libcap-ng works right. LP: #522845
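
Review bot: the two added rules, `capability setuid,` and `capability setgid,`, are unscoped: an AppArmor capability rule cannot restrict the target uid or gid, so the profile now permits the confined process to switch to any user or group, and the restriction to the libvirt-qemu user (group 109, user 104 in the logs below) comes from libvirt's own code, not from this file. That is acceptable for the one-way drop libvirt performs before the guest runs, but it deserves a one-line comment above the new rules saying why they are needed (libvirt changes gid/uid after the profile is already applied), so nobody later removes them as surplus. Also, the hunk's trailing context ends at the comment about libcap-ng and LP: #522845 without showing the rule that comment applies to; extend the context by a line or two so the reviewer can see what that comment silences and confirm it is unrelated to the two new grants.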
  
  ... and restarted apparmor and libvirtd.
  
  Without `capability setgid`, the qemu guest log file contained:
  LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -uuid 79d03a71-3be6-19df-1070-791239480888 -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/dm1.monitor,server,nowait -monitor chardev:monitor -boot c -drive file=/var/vm/dm1/disk0.qcow2,if=ide,index=0,boot=on -drive file=/var/vm/dm1/disk1.qcow2,if=ide,index=1 -net nic,macaddr=52:54:00:bf:75:90,vlan=0,model=virtio,name=virtio.0 -net tap,fd=50,vlan=0,name=tap.0 -serial none -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
  libvir: QEMU error : cannot change to '109' group: Operation not permitted
  
  Without `capability setuid`, the qemu guest log file contained:
  LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-0.11 -enable-kvm -m 512 -smp 1 -name dm1 -uuid 79d03a71-3be6-19df-1070-791239480888 -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/dm1.monitor,server,nowait -monitor chardev:monitor -boot c -drive file=/var/vm/dm1/disk0.qcow2,if=ide,index=0,boot=on -drive file=/var/vm/dm1/disk1.qcow2,if=ide,index=1 -net nic,macaddr=52:54:00:bf:75:90,vlan=0,model=virtio,name=virtio.0 -net tap,fd=50,vlan=0,name=tap.0 -serial none -parallel none -usb -vnc 127.0.0.1:0 -vga cirrus
  libvir: QEMU error : cannot change to '104' user: Operation not permitted
  
  I don't really know if these changes were the right thing to do, but they
  did allow me to boot the VMs with virsh.
  
  jad@kvmhost:~$ lsb_release -rd
  Description:    Ubuntu 10.04 LTS
  Release:        10.04
  
  jad@kvmhost:~$ apt-cache policy libvirt-bin kvm qemu-kvm
  libvirt-bin:
    Installed: 0.7.5-5ubuntu27
    Candidate: 0.7.5-5ubuntu27
    Version table:
   *** 0.7.5-5ubuntu27 0
          500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status
  kvm:
    Installed: 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9
    Candidate: 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9
    Version table:
   *** 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9 0
          500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status
  qemu-kvm:
    Installed: 0.12.3+noroms-0ubuntu9
    Candidate: 0.12.3+noroms-0ubuntu9
    Version table:
   *** 0.12.3+noroms-0ubuntu9 0
          500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/579584

Title:
  setgid, setuid needed by /etc/apparmor.d/abstractions/libvirt-qemu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/579584/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
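
The reporter found the two missing rules by trial and error from the "Operation not permitted" errors in the guest log. The kernel log records the same failures as AppArmor "capable" denials, and those can be compared against the abstraction mechanically. The script below is an added example, not code from the bug report, from libvirt or from the Ubuntu apparmor package; the file paths under /etc/apparmor.d and /var/log are assumptions, and the abstraction snippet and log lines it runs on are constructed for the demo (modelled on the AppArmor audit format, not captured from the reporter's host).

```shell
#!/bin/sh
# Added example (not from the bug report or the Ubuntu packages): list the
# capabilities AppArmor denied to a confined process that have no matching
# "capability <name>," rule in a profile or abstraction file.
# Paths and sample data are assumptions/constructed for this example.

# Capabilities a profile or abstraction grants: lines of the form
#   capability setgid,
# A "deny capability x," line silences the audit message without granting
# anything, so it is deliberately not matched (the line starts with "deny").
granted_caps() {
    # $1: path to the profile or abstraction file
    grep -E '^[[:space:]]*capability[[:space:]]+[a-z_]+,' "$1" \
        | sed -E 's/^[[:space:]]*capability[[:space:]]+([a-z_]+),.*/\1/' \
        | sort -u
}

# Capabilities the kernel refused to the confined process, taken from lines
#   apparmor="DENIED" operation="capable" ... comm="kvm" ... capname="setgid"
denied_caps() {
    # $1: path to the kernel/audit log
    grep 'apparmor="DENIED"' "$1" \
        | grep 'operation="capable"' \
        | sed -nE 's/.*capname="([a-z_]+)".*/\1/p' \
        | sort -u
}

# Denied capabilities that no rule in the profile grants, one per line.
missing_caps() {
    # $1: profile file, $2: log file
    denied_caps "$2" | while read -r cap; do
        if ! granted_caps "$1" | grep -qx "$cap"; then
            printf '%s\n' "$cap"
        fi
    done
}

# Constructed sample input: an abstraction like the pre-fix one (no
# setuid/setgid rules) plus three denial lines modelled on the AppArmor
# audit format. Prints the temporary directory holding both files.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/libvirt-qemu" <<'EOF'
  capability dac_override,
  capability dac_read_search,
  capability chown,

  # constructed: a deny rule must not count as a grant
  deny capability sys_module,
EOF
    cat > "$dir/kern.log" <<'EOF'
May 12 17:20:01 kvmhost kernel: [ 1234.567890] type=1400 audit(1273684801.123:45): apparmor="DENIED" operation="capable" parent=1 profile="libvirt-79d03a71-3be6-19df-1070-791239480888" pid=2345 comm="kvm" capability=6  capname="setgid"
May 12 17:20:01 kvmhost kernel: [ 1234.567891] type=1400 audit(1273684801.124:46): apparmor="DENIED" operation="capable" parent=1 profile="libvirt-79d03a71-3be6-19df-1070-791239480888" pid=2345 comm="kvm" capability=7  capname="setuid"
May 12 17:20:02 kvmhost kernel: [ 1234.567892] type=1400 audit(1273684801.125:47): apparmor="DENIED" operation="capable" parent=1 profile="libvirt-79d03a71-3be6-19df-1070-791239480888" pid=2345 comm="kvm" capability=0  capname="chown"
EOF
    printf '%s\n' "$dir"
}

# Demo run on the constructed samples. On a real host (paths assumed) run
#   missing_caps /etc/apparmor.d/abstractions/libvirt-qemu /var/log/kern.log
# and add a "capability <name>," line for each name it prints, then reload
# the profile and restart libvirtd as the report describes.
samples=$(make_samples)
echo "Denied capabilities with no matching rule:"
missing_caps "$samples/libvirt-qemu" "$samples/kern.log"
rm -r "$samples"
```

On the constructed input the chown denial is dropped because the abstraction already grants it, and only setgid and setuid are reported, matching the two rules the reporter had to add. The script reads `deny capability` lines as not granting anything, so a silenced denial still shows up as missing rather than hiding a real gap.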