[libvirt] [PATCH] apparmor: add attach_disconnected

Guido Günther posted 1 patch 6 years, 7 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20170915151754.66a3lmu7lkkyadoj@bogon.m.sigxcpu.org
examples/apparmor/TEMPLATE.lxc  | 2 +-
examples/apparmor/TEMPLATE.qemu | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
[libvirt] [PATCH] apparmor: add attach_disconnected
Posted by Guido Günther 6 years, 7 months ago
Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
like

    [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0

---
I do wonder why we didn't see this earlier though.

 examples/apparmor/TEMPLATE.lxc  | 2 +-
 examples/apparmor/TEMPLATE.qemu | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/apparmor/TEMPLATE.lxc b/examples/apparmor/TEMPLATE.lxc
index 7b64885a1c..f1005dc575 100644
--- a/examples/apparmor/TEMPLATE.lxc
+++ b/examples/apparmor/TEMPLATE.lxc
@@ -4,7 +4,7 @@
 
 #include <tunables/global>
 
-profile LIBVIRT_TEMPLATE {
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
   #include <abstractions/libvirt-lxc>
 
   # Globally allows everything to run under this profile
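Review bot: the rationale for `flags=(attach_disconnected)` lives only in the commit message, while the template itself is what every generated `libvirt-<uuid>` profile is built from. The flag is a security-relevant choice: a path that cannot be resolved in the confined task's namespace (the log shows `name="dev/net/tun"` without a leading slash) is attached at the namespace root and mediated as if it were `/dev/net/tun`, which is also why the flag is documented as able to alias names from other mount namespaces. A one-line comment above the `profile` line, e.g. `# attach_disconnected: fds such as /dev/net/tun are opened by libvirtd and passed in`, would keep that reasoning next to the flag for anyone auditing the profile later.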
diff --git a/examples/apparmor/TEMPLATE.qemu b/examples/apparmor/TEMPLATE.qemu
index 008a221244..a327315d92 100644
--- a/examples/apparmor/TEMPLATE.qemu
+++ b/examples/apparmor/TEMPLATE.qemu
@@ -4,6 +4,6 @@
 
 #include <tunables/global>
 
-profile LIBVIRT_TEMPLATE {
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
   #include <abstractions/libvirt-qemu>
 }
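Review bot: since TEMPLATE.qemu consists of nothing but the `#include <abstractions/libvirt-qemu>` line, the flag only changes how the disconnected name is resolved and grants nothing on its own; the `r` access that was denied on `dev/net/tun` still has to come from a rule in that abstraction once the path is attached as `/dev/net/tun`. It would help to state in the commit message which rule covers it, and to do the same check for the LXC hunk against `abstractions/libvirt-lxc`. The two hunks are otherwise identical and consistent with each other.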
-- 
2.14.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
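As an added example (not code from the patch or from libvirt), the following Python parses AppArmor audit records of the form quoted in the commit message and separates "disconnected path" lookup failures, the case that `attach_disconnected` addresses, from ordinary rule denials, which the flag does not change. The first sample line is the denial from the patch description; the second is constructed for contrast and is not from the page.

```python
import re
from typing import Dict, List

# Sample input. Line 1 is the denial quoted in the patch description;
# line 2 is a constructed, ordinary denial on an absolute path for contrast.
SAMPLE_LINES: List[str] = [
    '[ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" '
    'operation="file_perm" info="Failed name lookup - disconnected path" error=-13 '
    'profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 '
    'comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0',
    '[ 8150.000000] audit: type=1400 audit(1505488170.000:38069200): apparmor="DENIED" '
    'operation="open" profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" '
    'name="/etc/shadow" pid=9607 comm="qemu-system-x86" requested_mask="r" '
    'denied_mask="r" fsuid=117 ouid=0',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The key=value body starts after the 'audit(<ts>:<serial>):' prefix.
BODY_RE = re.compile(r'audit\([^)]*\):\s*(.*)$')
UUID_RE = re.compile(r'^libvirt-([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one AppArmor (type=1400) audit record."""
    m = BODY_RE.search(line)
    body = m.group(1) if m else line
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(body):
        # Exactly one of the two capture groups matched; prefer the bare one
        # so that an empty quoted value still yields "".
        fields[key] = bare if bare else quoted
    return fields


def domain_uuid(profile: str) -> str:
    """Extract the libvirt domain UUID from a generated 'libvirt-<uuid>' profile name."""
    m = UUID_RE.match(profile)
    return m.group(1) if m else ""


def classify(fields: Dict[str, str]) -> str:
    """Distinguish a disconnected-path lookup failure from a normal rule denial.

    'disconnected': the kernel could not name the object in the confined task's
    mount namespace (info says so, and name has no leading '/'). A profile
    without attach_disconnected denies these regardless of its file rules.
    'denied': an absolute path was matched against the rules and refused; this
    is a genuine policy decision that attach_disconnected would not alter.
    """
    if fields.get("apparmor") != "DENIED":
        return "allowed"
    info = fields.get("info", "")
    name = fields.get("name", "")
    if "disconnected path" in info or (name and not name.startswith("/")):
        return "disconnected"
    return "denied"


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Summarise each record with the fields a profile maintainer acts on."""
    rows = []
    for line in lines:
        f = parse_audit_line(line)
        rows.append({
            "domain": domain_uuid(f.get("profile", "")),
            "comm": f.get("comm", ""),
            "name": f.get("name", ""),
            "mask": f.get("denied_mask", ""),
            "verdict": classify(f),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

The check on the leading slash is a fallback for kernels whose `info=` text differs; the sample from the patch carries both signals. A `disconnected` verdict on a profile derived from `LIBVIRT_TEMPLATE` points at the missing `attach_disconnected` flag, whereas a `denied` verdict should be answered by reviewing the rules, not by widening the flags.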
Re: [libvirt] [PATCH] apparmor: add attach_disconnected
Posted by Jamie Strandboge 6 years, 7 months ago
On Fri, 2017-09-15 at 17:17 +0200, Guido Günther wrote:
> Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
> like
> 
>     [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121):
> apparmor="DENIED" operation="file_perm" info="Failed name lookup -
> disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-
> f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86"
> requested_mask="r" denied_mask="r" fsuid=117 ouid=0
> 
> ---
> I do wonder why we didn't see this earlier though.
> 
>  examples/apparmor/TEMPLATE.lxc  | 2 +-
>  examples/apparmor/TEMPLATE.qemu | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/examples/apparmor/TEMPLATE.lxc b/examples/apparmor/TEMPLATE.lxc
> index 7b64885a1c..f1005dc575 100644
> --- a/examples/apparmor/TEMPLATE.lxc
> +++ b/examples/apparmor/TEMPLATE.lxc
> @@ -4,7 +4,7 @@
>  
>  #include <tunables/global>
>  
> -profile LIBVIRT_TEMPLATE {
> +profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
>    #include <abstractions/libvirt-lxc>
>  
>    # Globally allows everything to run under this profile
> diff --git a/examples/apparmor/TEMPLATE.qemu b/examples/apparmor/TEMPLATE.qemu
> index 008a221244..a327315d92 100644
> --- a/examples/apparmor/TEMPLATE.qemu
> +++ b/examples/apparmor/TEMPLATE.qemu
> @@ -4,6 +4,6 @@
>  
>  #include <tunables/global>
>  
> -profile LIBVIRT_TEMPLATE {
> +profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
>    #include <abstractions/libvirt-qemu>
>  }

These changes look fine. As to not seeing it before, this is going to depend
somewhat on the kernel version AIUI.

-- 
Jamie Strandboge             | http://www.canonical.com
Re: [libvirt] [PATCH] apparmor: add attach_disconnected
Posted by intrigeri 6 years, 7 months ago
Hi,

Jamie Strandboge:
> On Fri, 2017-09-15 at 17:17 +0200, Guido Günther wrote:
>> Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
>> like

I confirm I see the bug on current Debian sid and Guido's patch
fixes it. Please commit :)

Cheers,
-- 
intrigeri

Re: [libvirt] [PATCH] apparmor: add attach_disconnected
Posted by Michal Privoznik 6 years, 7 months ago
On 09/15/2017 05:17 PM, Guido Günther wrote:
> Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
> like
> 
>     [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
> 
> ---
> I do wonder why we didn't see this earlier though.
> 
>  examples/apparmor/TEMPLATE.lxc  | 2 +-
>  examples/apparmor/TEMPLATE.qemu | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

+1/ACK/or whatever.

Michal

Re: [libvirt] [PATCH] apparmor: add attach_disconnected
Posted by Guido Günther 6 years, 7 months ago
Hi,
On Mon, Sep 18, 2017 at 02:05:30PM +0200, Michal Privoznik wrote:
> On 09/15/2017 05:17 PM, Guido Günther wrote:
> > Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd
> > like
> > 
> >     [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
> > 
> > ---
> > I do wonder why we didn't see this earlier though.
> > 
> >  examples/apparmor/TEMPLATE.lxc  | 2 +-
> >  examples/apparmor/TEMPLATE.qemu | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> +1/ACK/or whatever.

Pushed. Thanks.
 -- Guido

> 
> Michal
> 
