apparmor denies virt-aa-helper access to ecryptfs files

Bug #591769 reported by Jamie Strandboge
This bug affects 3 people

Affects                     Status        Importance  Assigned to       Milestone
libvirt (Ubuntu)            Fix Released  Low         Jamie Strandboge
libvirt (Ubuntu Lucid)      Won't Fix     Low         Unassigned
libvirt (Ubuntu Maverick)   Fix Released  Low         Jamie Strandboge

Bug Description

/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper uses abstractions/base which has the following:
  owner @{HOME}/.Private/** mrixwlk,
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

This may be too strict for virt-aa-helper since it runs as root and users may store their VMs in an encrypted HOME or encrypted ~/Private with the files owned by the user, not root. The following should be added to /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper:
  @{HOME}/.Private/** mrixwlk,
  @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
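
Added example, not code from the bug report, libvirt or AppArmor: a small Python triage script for the DENIED messages this report is about. An `owner` rule only matches when the confined process's fsuid equals the file's owner uid, so root (fsuid=0) touching a user-owned file under an ecryptfs .Private path logs a denial even though the VM itself can still reach the file. The script parses AppArmor audit lines, checks the path against the two abstractions/base patterns quoted above, and separates those owner-mismatch denials from other denials that still need a look. The sample log lines are constructed, /home/ is assumed as the @{HOMEDIRS} value, and all function names are my own.

```python
import re
from collections import Counter

# Assumed value of the AppArmor @{HOMEDIRS} tunable (Ubuntu's default is /home/).
HOMEDIRS = ("/home/",)

# Constructed sample audit lines in the kernel AppArmor message format
# (type=1400 ... apparmor="DENIED" ... fsuid=... ouid=...). Not real data.
SAMPLE_LOG = """\
type=1400 audit(1276543210.123:45): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/home/alice/.Private/vm/disk.img" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
type=1400 audit(1276543210.456:46): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/home/.ecryptfs/alice/.Private/vm/disk.img" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
type=1400 audit(1276543210.789:47): apparmor="DENIED" operation="open" profile="/usr/lib/libvirt/virt-aa-helper" name="/srv/vms/disk.img" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1276543211.000:48): apparmor="STATUS" operation="profile_replace" name="/usr/lib/libvirt/virt-aa-helper" pid=99 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line,
    or None if the line is not an AppArmor message."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def is_ecryptfs_private_path(path):
    """True if path is covered by the two owner-qualified abstractions/base rules:
    @{HOME}/.Private/** and @{HOMEDIRS}/.ecryptfs/*/.Private/**."""
    for root in HOMEDIRS:
        esc = re.escape(root)
        if re.match(esc + r'[^/]+/\.Private/', path):
            return True
        if re.match(esc + r'\.ecryptfs/[^/]+/\.Private/', path):
            return True
    return False


def classify(fields):
    """Classify one parsed event.
    'owner-mismatch-ecryptfs': DENIED on an ecryptfs .Private path where the
        process fsuid differs from the file owner (ouid). This is what an
        `owner` rule produces when root touches a user-owned file: the
        cosmetic case from the report.
    'denied': any other DENIED event, which still deserves investigation.
    None: not a denial (STATUS, ALLOWED, ...)."""
    if fields.get("apparmor") != "DENIED":
        return None
    path = fields.get("name", "")
    if (is_ecryptfs_private_path(path)
            and "fsuid" in fields and "ouid" in fields
            and fields["fsuid"] != fields["ouid"]):
        return "owner-mismatch-ecryptfs"
    return "denied"


def summarize(log_text):
    """Count events per class over a whole log text."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields is None:
            continue
        kind = classify(fields)
        if kind is not None:
            counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind}: {n}")
```

Running it over the constructed log reports two owner-mismatch denials (the ~/.Private and /home/.ecryptfs/*/.Private cases) and one ordinary denial. Once the non-owner rules from the report are added to the virt-aa-helper profile, the owner-mismatch class should disappear from the log; anything left in the 'denied' class is a genuine profile gap.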

Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
status: New → Triaged
Changed in libvirt (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → lucid-updates
Jamie Strandboge (jdstrand) wrote :

Reducing to low. The files are still allowed access by the VM, so the apparmor denied message is more confusing than anything else.

Changed in libvirt (Ubuntu Lucid):
importance: Medium → Low
Changed in libvirt (Ubuntu Maverick):
importance: Medium → Low
Changed in libvirt (Ubuntu Maverick):
status: Triaged → In Progress
Changed in libvirt (Ubuntu Maverick):
milestone: none → maverick-alpha-2
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.8.1-2ubuntu1

---------------
libvirt (0.8.1-2ubuntu1) maverick; urgency=low

  * Merge from debian unstable. Remaining changes:
    - Fixes:
      LP: #522845
      LP: #553737
      LP: #520386
    - debian/control:
      + Build-Depends on qemu-kvm, not qemu
      + Build-Depends on open-iscsi-utils, not open-iscsi
      + Build-Depends on libxml2-utils
      + Build-Depends on libapparmor-dev and Suggests apparmor
      + Bump bridge-utils, dnsmasq-base, netcat-openbsd, and iptables
        to Depends of libvirt-bin
      + Drop qemu-kvm and qemu to Suggests
      + We call libxen-dev libxen3-dev, so change all references
      + Rename Vcs-* to XS-Debian-Vcs-*
    - debian/libvirt-bin.postinst:
      + rename the libvirt group to libvirtd
      + add each admin user to the libvirtd group
      + reload apparmor profiles
    - debian/libvirt-bin.postrm:
      + rename the libvirt group to libvirtd
      + remove apparmor symlinks on purge
    - debian/README.Debian: add AppArmor section based on the upstream
      documentation
    - debian/rules:
      + update DEB_DH_INSTALLINIT_ARGS for upstart
      + add DEB_MAKE_CHECK_TARGET := check
      + use --with-apparmor
      + copy apparmor and apport hook to debian/tmp
    - add debian/libvirt-bin.upstart
    - debian/libvirt-bin.dirs: add /etc/apparmor.d/abstractions,
      /etc/apparmor.d/disable, /etc/apparmor.d/force-complain,
      /etc/apparmor.d/libvirt, /etc/cron.daily and
      /usr/share/apport/package-hooks
    - add debian/libvirt-bin.cron.daily
    - add debian/libvirt-bin.apport
    - debian/libvirt-bin.install: install apparmor profiles, abstractions
      and apport hook
    - debian/apparmor:
      - add TEMPLATE
      - add libvirt-qemu abstraction
      - add usr.lib.libvirt.virt-aa-helper
      - add usr.sbin.libvirtd
    - debian/patches/series:
      + don't apply 0002-qemu-disable-network.diff.patch
      + don't apply 0005-Terminate-nc-on-EOF.patch. Use
        9010-autodetect-nc-params.patch instead
      + 9000-delayed_iff_up_bridge.patch (refreshed)
      + 9001-dont_clobber_existing_bridges.patch
      + 9002-better_default_uri_virsh.patch (updated)
      + 9004-better-default-arch.patch
      + 9005-libvirtd-group-name.patch
      + 9006-increase-unix-socket-timeout.patch (refreshed)
      + 9007-default-config-test-case.patch (updated)
      + 9008-fix-daemon-conf-ftbfs.patch (rewritten)
      + 9009-run-as-root-by-default.patch (refreshed)
      + 9010-autodetect-nc-params.patch (refreshed, formerly 9015)
      + 9011-dont-disable-ipv6.patch (updated)
  * Dropped following packaging changes, no longer required with upgrades
    from Lucid:
    - debian/control:
      + versioned Conflicts/Replaces to libvirt0 for libvirt0-dbg
      + remove Build-Depends on libcap-ng-dev
    - debian/libvirt-bin.postinst: virt-aa-helper profile migration to
      /usr/lib/libvirt
    - debian/libvirt-bin.preinst: added to force complain on certain
      upgrades
  * Dropped the following patches, included upstream:
    - 0010-Use-base-16-for-product-vendor.patch
    - 9003-increase-logoutput-timeout.patch
    - 9010-apparmor-ftbfs...

Changed in libvirt (Ubuntu Maverick):
status: In Progress → Fix Released
Changed in libvirt (Ubuntu Lucid):
assignee: Jamie Strandboge (jdstrand) → nobody
Jamie Strandboge (jdstrand) wrote :

Marking "Won't Fix" for the Lucid task. The problem is cosmetic and this bug is not really suitable for an SRU. Please feel free to reopen if you would like to pursue an SRU by following https://wiki.ubuntu.com/StableReleaseUpdates.

Changed in libvirt (Ubuntu Lucid):
status: Triaged → Won't Fix