apparmor security driver broken in 0.9.2

Bug #801569 reported by Jamie Strandboge
Affects            Status        Importance  Assigned to        Milestone
libvirt (Ubuntu)   Fix Released  Critical    Jamie Strandboge
  Oneiric          Fix Released  Critical    Jamie Strandboge

Bug Description

 Commit 12317957ecd6c37a2fb16275dcdeeacfe25c517 introduced an incompatible architectural change for the AppArmor security driver. Specifically, virSecurityManagerSetAllLabel() is now called much later in src/qemu/qemu_process.c:qemuProcessStart(). Previously, SetAllLabel() was called immediately after GenLabel() such that after the dynamic label (profile name) was generated, SetAllLabel() would be called to create and load the AppArmor profile into the kernel before qemuProcessHook() was executed. With 12317957ecd6c37a2fb16275dcdeeacfe25c517, qemuProcessHook() is now called before SetAllLabel(), such that aa_change_profile() ends up being called before the AppArmor profile is loaded into the kernel (via ProcessLabel() in qemuProcessHook()).

While 0.9.2 is not in Ubuntu yet, this functionality must be fixed if we are to have new libvirt releases in Ubuntu.
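The ordering described above matters because aa_change_profile() can only move a task into a profile the kernel already has loaded; if SetAllLabel() has not yet run, the "libvirt-<uuid>" profile is simply not there. The program below is an added example (not libvirt code and not from this report) showing the two host-side checks a practitioner would do to confirm a guest is really confined: parse /sys/kernel/security/apparmor/profiles, which lists loaded profiles one per line as "name (mode)", and /proc/<pid>/attr/current, which reports a process's confinement in the same form or as "unconfined". The profile-name pattern "libvirt-<uuid>", the sample UUIDs and the file snapshots are constructed assumptions so it runs offline.

```c
/* Added example (not libvirt code): verify from userspace that the dynamic
 * AppArmor profile generated for a guest is loaded in the kernel and that
 * the guest's QEMU process actually runs under it.
 *
 * Assumptions (not from the bug report): the profile name format
 * "libvirt-<uuid>", the "<name> (<mode>)" line format of
 * /sys/kernel/security/apparmor/profiles and of /proc/<pid>/attr/current
 * ("unconfined" when no profile applies). All inputs are constructed. */
#include <stdio.h>
#include <string.h>

enum aa_state { AA_ABSENT = 0, AA_ENFORCE, AA_COMPLAIN, AA_UNKNOWN };

/* Parse one "<name> (<mode>)" line of 'len' bytes; AA_ABSENT if the name
 * does not match exactly (a trailing space and '(' guard against prefixes). */
static enum aa_state parse_mode(const char *line, size_t len, const char *name) {
    size_t nlen = strlen(name);
    if (len < nlen + 3 || strncmp(line, name, nlen) != 0 ||
        line[nlen] != ' ' || line[nlen + 1] != '(')
        return AA_ABSENT;
    const char *mode = line + nlen + 2;
    size_t mlen = len - nlen - 2;
    if (mlen > 0 && mode[mlen - 1] == ')')
        mlen--;
    if (mlen == 7 && strncmp(mode, "enforce", 7) == 0) return AA_ENFORCE;
    if (mlen == 8 && strncmp(mode, "complain", 8) == 0) return AA_COMPLAIN;
    return AA_UNKNOWN;
}

/* Scan the text of /sys/kernel/security/apparmor/profiles for 'name'. */
enum aa_state profile_state(const char *profiles, const char *name) {
    const char *p = profiles;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        enum aa_state s = parse_mode(p, len, name);
        if (s != AA_ABSENT)
            return s;
        if (!nl)
            break;
        p = nl + 1;
    }
    return AA_ABSENT;
}

/* Interpret the contents of /proc/<pid>/attr/current for 'name'. */
enum aa_state process_state(const char *attr_current, const char *name) {
    size_t len = strlen(attr_current);
    while (len && attr_current[len - 1] == '\n')
        len--;
    return parse_mode(attr_current, len, name);
}

/* A guest is correctly confined only if both hold: the profile is loaded in
 * enforce mode and the process has changed into it. The regression on this
 * page breaks the first condition at the moment the second is attempted. */
int guest_confined(const char *profiles, const char *attr_current, const char *uuid) {
    char name[64];
    snprintf(name, sizeof name, "libvirt-%s", uuid);   /* assumed name format */
    return profile_state(profiles, name) == AA_ENFORCE &&
           process_state(attr_current, name) == AA_ENFORCE;
}

/* Constructed snapshot of /sys/kernel/security/apparmor/profiles. */
static const char *SAMPLE_PROFILES =
    "/usr/sbin/libvirtd (enforce)\n"
    "/usr/lib/libvirt/virt-aa-helper (enforce)\n"
    "libvirt-11111111-2222-3333-4444-555555555555 (enforce)\n";

int main(void) {
    const char *loaded = "11111111-2222-3333-4444-555555555555";
    const char *missing = "99999999-0000-0000-0000-000000000000";
    /* Profile loaded and process changed into it: confined. */
    printf("guest %s confined: %d\n", loaded,
           guest_confined(SAMPLE_PROFILES,
                          "libvirt-11111111-2222-3333-4444-555555555555 (enforce)\n",
                          loaded));
    /* Profile never loaded (SetAllLabel not yet run): process is unconfined. */
    printf("guest %s confined: %d\n", missing,
           guest_confined(SAMPLE_PROFILES, "unconfined\n", missing));
    return 0;
}
```

On a real host, feed the functions the actual contents of /sys/kernel/security/apparmor/profiles (aa-status prints the same list) and of /proc/<pid>/attr/current for the guest's QEMU process; a guest whose profile is missing from the first file, or whose process reads "unconfined", is running outside the confinement the driver was supposed to apply.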

Tags: server-ors

Changed in libvirt (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Critical
milestone: none → oneiric-alpha-2
status: New → In Progress
Dave Walker (davewalker)
tags: added: server-ors
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.9.2-4ubuntu1

---------------
libvirt (0.9.2-4ubuntu1) oneiric; urgency=low

  * Merge from debian unstable. Remaining changes:
    - debian/control:
      * set X-Python-Version to 2.7, as 2.6 is not in oneiric.
      * set ubuntu maintainer
      * Build-Depends:
        - remove [linux-any] from all dependencies
        - remove [!linux-any] deps
        - swap qemu to qemu-kvm and open-iscsi to
          open-iscsi-utils in Build-Depends
        - remove virtualbox-ose Build-Depends
        - add parted and libapparmor-dev Build-Depends
      * convert Vcs-Git to Xs-Debian-Vcs-Git
      * libvirt-bin Depends: move netcat-openbsd, bridge-utils, dnsmasq-base
        (>= 2.46-1), and iptables from Recommends to Depends
      * libvirt-bin Recommends: move qemu to Suggests
      * libvirt-bin Suggests: add apparmor
      * libvirt0 Recommends: move lvm2 to Suggests
    - keep debian/libvirt-bin.apport
    - keep debian/libvirt-bin.cron.daily
    - debian/libvirt-bin.dirs:
      * add apparmor, cron.daily, and apport dirs
    - debian/libvirt-bin.examples:
      * add debian/libvirt-suspendonreboot
    - debian/libvirt-bin.install:
      * add /etc/apparmor.d files
      * add apport hook
    - debian/libvirt-bin.manpages:
      * add debian/libvirt-migrate-qemu-disks.1
    - debian/libvirt-bin.postinst:
      * replace libvirt groupname with libvirtd
      * add each admin user to libvirtd group
      * call apparmor_parser on usr.sbin.libvirtd and
        usr.lib.libvirt.virt-aa-helper
      * call 'libvirt-migrate-qemu-disks -a' after
        libvirt-bin has started if migrating from
        older than 0.8.3-1ubuntu1
    - debian/libvirt-bin.postrm:
      * replace libvirt groupname with libvirtd
      * remove usr.sbin.libvirtd and
        usr.lib.libvirt.virt-aa-helper
    - keep added files under debian/:
      * libvirt-bin.upstart
      * libvirt-migrate-qemu-disks
      * libvirt-migrate-qemu-disks.1
      * libvirt-suspendonreboot
      * apparmor profiles
    - debian/README.Debian:
      * add 'Apparmor Profile' section
      * add 'Disk migration' section
    - debian/rules:
      * move include of debhelper.mk to top of file so DEB_HOST_ARCH_OS
        is defined.
      * don't build with vbox since virtualbox-ose is in universe
        - remove WITH_VBOX, add explicit --without-vbox
      * add --with-apparmor to DEB_CONFIGURE_EXTRA_FLAGS
      * set DEB_DH_INSTALLINIT_ARGS to '--upstart-only'
      * remove unneeded binary-install/libvirt-bin:: and clean::
        sections (they only deal with sysvinit stuff)
      * add build/libvirt-bin:: section to install
        - apparmor files
        - apport hooks
        - libvirt-migrate-qemu-disks
  * debian/patches/series:
    - don't apply Debian-specific Debianize-libvirt-guests.patch (sysvinit only)
    - don't apply Disable qemu-disable-network.diff.patch
  * debian/patches:
    - dropped patches:
      * 9022-allows-lxc-containers-with-lxcguest.patch (applied upstream)
      * 9023-disable-test-poll.patch
      * 9024-ftbfs-with-arm.patch (doesn't really fix arm just yet)
      * 9025-CVE-2011-2178.patch (applied upstream)
    - k...


Changed in libvirt (Ubuntu Oneiric):
status: In Progress → Fix Released