[Bug 1058847] New: libvirt fails to start guest - error: Kernel does not provide mount namespace: Permission denied
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847 Bug ID: 1058847 Summary: libvirt fails to start guest - error: Kernel does not provide mount namespace: Permission denied Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: AppArmor Assignee: suse-beta@cboltz.de Reporter: neyers@geod.uni-bonn.de QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- I updated my system yesterday evening and this morning and could not start my kvm/qemu virtual machines after. The following error appears in virsh:
virsh # connect qemu:///system
virsh # start opensuse42.3-desktop error: Failed to start domain opensuse42.3-desktop error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
This also happens in: https://bugzilla.opensuse.org/show_bug.cgi?id=1045158 I checked /var/log/audit/audit.log for apparmor issues and found the following entries:
type=AVC msg=audit(1505466698.704:526): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6293 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
After editing /etc/apparmor.d/usr.sbin.libvirtd to include
ptrace trace peer=/usr/sbin/libvirtd,
and restarting apparmor.service and libvirtd.service it started working again. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c1
Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c2
James Fehlig
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c3
Christian Boltz
I'm not able to reproduce on TW 20170825
20170825 sounds like you still have kernel 4.12.x. AppArmor ptrace mediation was introduced in kernel 4.13 (TW 20170913), so it's not surprising you don't see it ;-) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
Antoine Belvire
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c8
--- Comment #8 from Christian Boltz
I've submitted a temporary fix to Factory based on latest upstream discussion: SR#527593. With the fix I'm also able to start confined domains.
I hope this is really only a *temporary* fix - the rules you added are very broad and allow much more than needed. (Feel free to forward this comment to the upstream mailinglist ;-) FYI: (u)mount, signal and pivot_root will be supported by kernel 4.14, and 4.15 will have unix and dbus rule support. Also, the plan (fate#323500) is to support them in Leap/SLE 15. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c9
--- Comment #9 from James Fehlig
I hope this is really only a *temporary* fix - the rules you added are very broad and allow much more than needed.
Definitely temporary. The changes are based on latest RFC version of patches from one of the Ubuntu devs. In the end, I'll replace it with whatever upstream finds acceptable.
(Feel free to forward this comment to the upstream mailinglist ;-)
I will, but assume some of the apparmor devs that lurk on the libvirt list will have the same opinion :-).
FYI: (u)mount, signal and pivot_root will be supported by kernel 4.14, and 4.15 will have unix and dbus rule support. Also, the plan (fate#323500) is to support them in Leap/SLE 15.
Do profile rules covering these checks need to be conditionalized based on version? I.e., is it safe to have signal rules when not supported by the kernel? I haven't noticed any problems with such rules on my kernel 4.13 TW machine. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c11
--- Comment #11 from Christian Boltz
Do profile rules covering these checks need to be conditionalized based on version? I.e., is it safe to have signal rules when not supported by the kernel? I haven't noticed any problems with such rules on my kernel 4.13 TW machine.
No problem - the only thing you need is a new enough apparmor_parser that understands signal etc. rules. AFAIK "new enough" means 2.9, so you won't hit any problems in Leap (2.10.x) or Tumbleweed (2.11). If the kernel does not know about a rule type, these rules (for example signal) will be ignored and signals will be allowed without any restrictions. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c12
--- Comment #12 from James Fehlig
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c13
--- Comment #13 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c14
--- Comment #14 from James Fehlig
Can you please send v3? ;-)
I sent it based on Jamie's feedback, before seeing this response :-/.
+ ptrace (tace) peer=(label= {profile_name}),
should be
+ ptrace (trace) peer=@{profile_name},
That's "trace" instead of "tace", you'll need an @ to prefix variables, and ptrace rules don't accept the "peer=(label=...)" syntax ;-)
I verified apparmor_parser actually succeeds this time.
That said - what's the intention of this rule? IMHO the other two should be enough. (See also Jamie's mail https://www.redhat.com/archives/libvir-list/2017-September/msg00841.html - but he also missed the @ for the variable)
This rule was a failed attempt to squelch the below denial
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
Your added rules don't cover this, so you'll probably need another rule ptrace trace peer=libvirt-*,
Added in V3 https://www.redhat.com/archives/libvir-list/2017-September/msg00844.html
Also, it looks like you need to add /etc/libnl/classid r, to the virt-aa-helper profile.
I'll send a separate patch for that one. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c15
James Fehlig
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c16
--- Comment #16 from Christian Neyers
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847
http://bugzilla.opensuse.org/show_bug.cgi?id=1058847#c17
--- Comment #17 from Christian Neyers
Great to see, but I'm a tad confused about the current version in the Tumbleweed repositories.
The version I had issues with was 3.6.0-2.1. A zypper dup on 2017-09-25 didn't show any updates for me.
Yesterday, 3.7.0-1.1 was made available. After the update, everything works fine apparently.
Now here is my point: The apparmor patch is only included in 3.7.0-2.1. Why does it work already?
I made sure to replace my modified /etc/apparmor.d/usr.sbin.libvirtd with the one in libvirt-daemon-3.7.0-1.1.x86_64.rpm. grep'ing through /etc didn't show anything related to the new rules.
Also did an aa-enforce /etc/apparmor.d/usr.sbin.libvirtd.
Is there something I'm missing?
I'm sorry, this is invalid. Before posting, I seem to have done something (that I cannot remember) and now it's back to the expected state. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com