apparmor complains about write access to a readonly file
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libvirt (Ubuntu) |
Fix Released
|
Medium
|
Jamie Strandboge | ||
| Karmic |
Fix Released
|
Medium
|
Jamie Strandboge | ||
| Lucid |
Fix Released
|
Medium
|
Jamie Strandboge | ||
| linux (Ubuntu) |
Fix Released
|
Medium
|
John Johansen | ||
| Karmic |
Fix Released
|
Medium
|
John Johansen | ||
| Lucid |
Fix Released
|
Medium
|
John Johansen | ||
Bug Description
When doing libvirt/apparmor ISO testing, I noticed that if I try to create a VM via an ISO image, I get the following apparmor denied message:
type=APPARMOR_
What is happening is that libvirt is for some reason trying to write to this file, but it shouldn't. virt-manager shows this device as readonly and the XML for the VM shows it too:
<disk type='file' device='cdrom'>
<source file='/
<target dev='hdc' bus='ide'/>
<readonly/>
</disk>
The installation proceeds just fine and this isn't a regression, but libvirt should not try to write to installation media like this. I encountered this when installing via virt-manager using the following: local ISO, os type: generic/generic, kvm/i686, 512, 1 vcpu, 8GB disk, don't allocate now
ProblemType: Bug
Architecture: amd64
Date: Fri Oct 16 12:47:32 2009
DistroRelease: Ubuntu 9.10
Package: libvirt-bin 0.7.0-1ubuntu11
ProcEnviron:
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: libvirt
Uname: Linux 2.6.31-14-generic x86_64
- Dependencies.txt Edit (1.7 KiB, text/plain; charset="utf-8")
- XsessionErrors.txt Edit (15.3 KiB, text/plain; charset="utf-8")
I should clarify, this isn't a functional regression, but libvirt should not try to write to installation media like this. If apparmor were not enabled, libvirt could potentially change the installation media, which would be bad.
I looked into this a little more and believe this is a limitation of libvirt and kvm interaction. kvm doesn't seem to have a way to specify the image is readonly. The best option is to suppress the denied message since it will happen every time and lead to confusion in normal use (and debugging).
+ libvirt tries to write to open a file with write permissions for a
+ readonly ISO image
- readonly ISO image
+ apparmor complains about write access to a readonly ISO image
Talking with jjohansen, this is both a bug in the auditing code in the kernel and in libvirt. To fix this, we will need to perform an SRU to fix the kernel audit masking and libvirt to add a deny rule for the write access.
- libvirt_0.7.0-1ubuntu13.debdiff Edit (1.7 KiB, text/plain)
Here is a debdiff for libvirt. This should not be applied until the linux task is completed, otherwise we will get an audit message that 'r' was denied, when it wasn't
+ apparmor complains about write access to a readonly file
I have placed a test kernel at
http://
This kernel allows me to have things like this in the profile and have it work as expected:
"/home/
# don't audit writes to readonly media
deny "/home/
Ie, jj's kernel fixes this for me.
The latest version works well too:
http://
Accepted linux into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https:/
SRU (libvirt)
Impact: confusing messages in kernel log. Told access to ISO is denied, but it is correctly allowed.
Bug is addressed in Lucid adding a deny rule for the 'w' action, which silences the message while still enforcing readonly
Patch is debian/
See comment #7
The regression potential is considered low. It passes the qa-regression-
I should also mention that libvirt should *MUST* be moved to karmic-updates at the same time or after the kernel SRU for this bug, ie 2.6.31-15.49.
This bug was fixed in the package libvirt - 0.7.0-1ubuntu14
---------------
libvirt (0.7.0-1ubuntu14) lucid; urgency=low
* debian/
added files (LP: #460271)
* debian/
apparmor denied message when kvm/qemu tries to open a libvirt specified
readonly file (such as a cdrom) with write permissions. libvirt uses the
readonly attribute for the security driver only, and has no way of telling
kvm/qemu that the device should be opened readonly. (LP: #453335)
* debian/
work (LP: #461528)
* debian/
allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)
-- Jamie Strandboge <email address hidden> 2009年11月09日 17:11:05 -0600
Accepted libvirt into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https:/
With libvirt 0.7.0-1ubuntu13.1 and kernel 2.6.31-
"/home/
# don't audit writes to readonly media
deny "/home/
Starting the VM results in access to the iso without the confusing denial message. In other words, this bug is fixed with the libvirt and kernel packages in -proposed.
Again, please do not copy libvirt to -updates before the kernel. Thanks!
Thanks for the testing.
I added a verification-failed tag purely to avoid me accidentally copying to -updates before the kernel. I'll revisit this when the kernel is in, then it can go to -updates.
removed: verification-needed
Both the kernel and libvirt are ready to go to -updates, so I remove the v-failed reminder tag now.
This bug was fixed in the package linux - 2.6.31-15.50
---------------
linux (2.6.31-15.50) karmic-proposed; urgency=low
[ Kees Cook ]
* SAUCE: Fix nx_enable reporting
- LP: #454285
linux (2.6.31-15.49) karmic-proposed; urgency=low
[ Benjamin Herrenschmidt ]
* [Upstream] (drop after 2.6.31) usb-storage: Workaround devices with
bogus sense size
- LP: #446146
[ John Johansen ]
* SAUCE: AppArmor: AppArmor wrongly reports allow perms as denied
- LP: #453335
* SAUCE: AppArmor: Policy load and replacement can fail to alloc mem
- LP: #458299
* SAUCE: AppArmor: AppArmor fails to audit change_hat correctly
- LP: #462824
* SAUCE: AppArmor: AppArmor disallows truncate of deleted files.
- LP: #451375
[ Kees Cook ]
* SAUCE: [x86] fix report of cs-limit nx-emulation
- LP: #454285
[ Scott James Remnant ]
* Revert "SAUCE: trace: add trace_event for the open() syscall"
* SAUCE: trace: add trace events for open(), exec() and uselib()
- LP: #462111
[ Stefan Bader ]
* SAUCE: Fix sub-flavour script to not stop on missing directories
- LP: #453073
[ Tim Gardner ]
* [Upstream] (drop after 2.6.31) Input: synaptics - add another Protege
M300 to rate blacklist
- LP: #433801
[ Upstream Kernel Changes ]
* PM: Make warning in suspend_
- LP: #464552
-- Stefan Bader <email address hidden> 2009年11月10日 14:31:52 +0100
This bug was fixed in the package libvirt - 0.7.0-1ubuntu13.1
---------------
libvirt (0.7.0-1ubuntu13.1) karmic-proposed; urgency=low
* debian/
added files (LP: #460271)
* debian/
apparmor denied message when kvm/qemu tries to open a libvirt specified
readonly file (such as a cdrom) with write permissions. libvirt uses the
readonly attribute for the security driver only, and has no way of telling
kvm/qemu that the device should be opened readonly. (LP: #453335)
* debian/
work (LP: #461528)
* debian/
allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)
-- Jamie Strandboge <email address hidden> 2009年11月09日 17:12:32 -0600
I think this is actually causing a moderately serious regression with snapshots.
If you look at the contents of an apparmor define for an example VM the deny that silences the error here also prevents snapshot commits from working and because the error is hidden makes this extra difficult to debug.
"/var/
"/var/
"/var/
"/run/
"/var/
"/run/
"/var/
"/var/
# don't audit writes to readonly files
deny "/var/lib/
/dev/vhost-net rw,
"/var/
The bug number for the snapshot bug is #453335
Correction the bug number for the other bug is #1004606