[libvirt] [PATCH 01/10] virt-aa-helper: Ask for no deny rule for readonly disk elements

Cedric Bosdonnat cbosdonnat at suse.com
Fri May 19 09:45:30 UTC 2017

Hi Christian,

On Fri, 2017-05-19 at 11:18 +0200, Christian Ehrhardt wrote:
> On Fri, May 19, 2017 at 10:03 AM, Guido Günther <agx at sigxcpu.org> wrote:
> > But if we aim for a profile replace on blockcommit [1] the would't matter
> > since the whole profile would get replaced, wouldn't it?
> > 
> Since this is based on [1][2] looping in Cédric here to share some old explaiantions.
> See especially [1] for some reasoning for 'R' in general.
> [1]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=c726af2d5a2248f0dad01201b2fc5231fbd4c20f
> [2]: http://libvirt.org/git/?p=libvirt.git;a=commit;h=cedd2ab28262db62976b351dbf2a0f8d9f88ca9e

Sadly the bug report isn't public since it has been reported again SLES. But here is the
description of the bug that motivated that fix:

------------------ %< ------------------
Steps to reproduce:
  * run virt-sandbox /bin/sh as root

Expected result: Run a shell in a qemu domain, apparmor enforced
Actual result: Domain fails to start

After some more debugging it happens that the problem is caused by 

    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/'/>
      <target dir='host_root'/>

Since commit http://libvirt.org/git/?p=libvirt.git;a=commit;h=d0d4b8ad76d3e8a859ee90701a21a3f003a22c1f, virt-aa-helper
generates a "deny /** w" rule in such cases that takes precedence over the allow rules.

This has several effects:
  * It hides the DENIED/ALLOWED apparmor log entries
  * It prevents qemu to write to the log file, /dev/ptmx and other important files to run the domain.

To see the rules, add the audit flag to /etc/apparmor.d/libvirt/TEMPLATE.qemu file and rerun virt-sandbox.
------------------ %< ------------------

Hi hope this will answer your questions


More information about the libvir-list mailing list