Apparmor profile denies access to /dev/dm-* for guests using LVM partitions storage

Bug #912007 reported by Simon Déziel
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

My KVM guests are using LVM partitions as storage devices and this shows in the log every time a VM is booted:

Jan 4 14:04:12 simon-laptop kernel: [17725.344930] type=1400 audit(1325703852.481:914): apparmor="DENIED" operation="open" parent=1684 profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/dm-1" pid=17488 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This denial does not prevent the guest from functioning properly, but it generates some noise in the logs (and logcheck notifications).

$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

$ apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 0.9.2-4ubuntu15.1
  Candidate: 0.9.2-4ubuntu15.1
  Version table:
 *** 0.9.2-4ubuntu15.1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.9.2-4ubuntu15 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libvirt-bin 0.9.2-4ubuntu15.1
ProcVersionSignature: Ubuntu 3.0.0-15.25-generic 3.0.13
Uname: Linux 3.0.0-15-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Wed Jan 4 15:04:03 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
ProcEnviron:
 LANGUAGE=en_CA:en
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)


Simon Déziel (sdeziel) wrote :

Here is the guest definition using LVM partitions.

Serge Hallyn (serge-hallyn) wrote :

Thanks for taking the time to report this bug.

It sounds like the apparmor svirt driver should check whether a storage backing file is a symbolic link, and, if so, add the link target to the list of allowed devices?

Changed in libvirt (Ubuntu):
importance: Undecided → Low
Serge Hallyn (serge-hallyn) wrote :

For the record I've reproduced this.

Interestingly, /dev/dm-2 *is* in the allowed list. Following is the syslog entry:

Jan 5 10:07:11 sergelap kernel: [ 5768.408495] type=1400 audit(1325779631.010:95): apparmor="DENIED" operation="open" parent=1606 profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/dm-2" pid=13978 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 5 10:07:11 sergelap kernel: [ 5768.682389] type=1400 audit(1325779631.286:96): apparmor="STATUS" operation="profile_load" name="libvirt-defba839-e7fc-1290-17b4-d0e8c1e68296" pid=13985 comm="apparmor_parser"

So it is virt-aa-helper's profile which needs to be updated, not that of the VMs. In particular:

/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper

Changed in libvirt (Ubuntu):
status: New → Triaged
Simon Déziel (sdeziel) wrote :

That conclusion is consistent with the behavior observed where the VM itself is able to access the storage partition without problem.

Serge Hallyn (serge-hallyn) wrote :

Thanks, Simon.

Per discussion on irc, I'll add a deny rule to usr.lib.libvirt.virt-aa-helper:

deny /dev/md* r,

which will silence the message.

Simon Déziel (sdeziel) wrote : Re: [Bug 912007] Re: Apparmor profile denies access to /dev/dm-* for guests using LVM partitions storage

On 12-01-05 11:58 AM, Serge Hallyn wrote:
> Per discussion on irc, I'll add a deny rule to usr.lib.libvirt.virt-aa-
> helper:
>
> deny /dev/md* r,

I'm assuming you meant:

deny /dev/dm-* r,

> which will silence the message.

Out of curiosity I tried allowing read access for virt-aa-helper to /dev/dm-* and the resulting guest profile is identical:

"/dev/dm-1" rw,

Your suggestion to silence the message makes sense, thanks for looking into this.

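As an added example (not part of this bug report or of libvirt's own code), the following Python parses AppArmor type=1400 audit lines like the ones quoted above, tallies the DENIED events per profile and path, and emits the `deny /dev/dm-* r,` rule the thread settles on only when the named profile was denied access to a device-mapper node. The sample log is constructed from lines quoted on this page.

```python
import re

# Audit lines copied from this bug report, used here as constructed sample input.
SAMPLE_LOG = """\
Jan 5 10:07:11 sergelap kernel: [ 5768.408495] type=1400 audit(1325779631.010:95): apparmor="DENIED" operation="open" parent=1606 profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/dm-2" pid=13978 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 5 10:07:11 sergelap kernel: [ 5768.682389] type=1400 audit(1325779631.286:96): apparmor="STATUS" operation="profile_load" name="libvirt-defba839-e7fc-1290-17b4-d0e8c1e68296" pid=13985 comm="apparmor_parser"
Jan 4 14:04:12 simon-laptop kernel: [17725.344930] type=1400 audit(1325703852.481:914): apparmor="DENIED" operation="open" parent=1684 profile="/usr/lib/libvirt/virt-aa-helper" name="/dev/dm-1" pid=17488 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as emitted by the AppArmor audit subsystem
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# device-mapper block nodes such as /dev/dm-1 (LVM logical volumes resolve to these)
DM_RE = re.compile(r'^/dev/dm-\d+$')


def parse_apparmor_line(line):
    """Return the key/value fields of a type=1400 AppArmor audit line, else None."""
    if 'type=1400' not in line or 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def denied_events(log_text):
    """Collect (profile, path, denied_mask) for every DENIED event in the log."""
    events = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f and f.get('apparmor') == 'DENIED':
            events.append((f['profile'], f['name'], f['denied_mask']))
    return events


def summarize(events):
    """Count denials per (profile, path, mask) so the log noise can be judged at a glance."""
    counts = {}
    for key in events:
        counts[key] = counts.get(key, 0) + 1
    return counts


def dm_deny_rule(events, profile):
    """Return 'deny /dev/dm-* <mask>,' if the profile was denied access to any
    /dev/dm-N node, else None. Other paths are deliberately left alone: a deny
    rule only silences the audit entry; it never grants access."""
    masks = set()
    for prof, path, mask in events:
        if prof == profile and DM_RE.match(path):
            masks.update(mask)          # 'r', 'w', ... collected per character
    return 'deny /dev/dm-* %s,' % ''.join(sorted(masks)) if masks else None


if __name__ == '__main__':
    ev = denied_events(SAMPLE_LOG)
    for (prof, path, mask), n in sorted(summarize(ev).items()):
        print('%dx %s denied %s on %s' % (n, prof, mask, path))
    print(dm_deny_rule(ev, '/usr/lib/libvirt/virt-aa-helper'))
```
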
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.7-2ubuntu10

---------------
libvirt (0.9.7-2ubuntu10) precise; urgency=low

  * debian/control: move (cgroup-lite | cgroup-bin) from Suggests to Depends.
    Libvirt-lxc is broken without it.
  * apparmor/usr.lib.libvirt.virt-aa-helper: add 'deny /dev/dm-*' to silence
    warnings about lvm backing stores (LP: #912007)
  [ Peter Silva ]
  * apparmor/libvirt-qemu: add rules to enable spice audio
    (LP: #913023)
 -- Serge Hallyn <email address hidden> Mon, 09 Jan 2012 10:15:57 +0100

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released