apparmor complains about write access to a readonly file

Bug #453335 reported by Jamie Strandboge
Affects              Status         Importance   Assigned to        Milestone
libvirt (Ubuntu)     Fix Released   Medium       Jamie Strandboge
  Karmic             Fix Released   Medium       Jamie Strandboge
  Lucid              Fix Released   Medium       Jamie Strandboge
linux (Ubuntu)       Fix Released   Medium       John Johansen
  Karmic             Fix Released   Medium       John Johansen
  Lucid              Fix Released   Medium       John Johansen

Bug Description

When doing libvirt/apparmor ISO testing, I noticed that if I try to create a VM via an ISO image, I get the following apparmor denied message:
type=APPARMOR_DENIED msg=audit(1255714703.311:56): operation="open" pid=31330 parent=1 profile="libvirt-7e7f916e-ff5a-c997-e9f6-c379793fd5be" requested_mask="::rw" denied_mask="::w" fsuid=0 ouid=1000 name="/home/jamie/vms/isos/karmic/karmic-desktop-i386.iso"

What is happening is that libvirt is for some reason trying to write to this file, but it shouldn't. virt-manager shows this device as readonly and the XML for the VM shows it too:
    <disk type='file' device='cdrom'>
      <source file='/home/jamie/vms/isos/karmic/karmic-desktop-i386.iso'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
    </disk>

The installation proceeds just fine and this isn't a regression, but libvirt should not try to write to installation media like this. I encountered this when installing via virt-manager using the following: local ISO, os type: generic/generic, kvm/i686, 512, 1 vcpu, 8GB disk, don't allocate now

ProblemType: Bug
Architecture: amd64
Date: Fri Oct 16 12:47:32 2009
DistroRelease: Ubuntu 9.10
Package: libvirt-bin 0.7.0-1ubuntu11
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.47-generic
SourcePackage: libvirt
Uname: Linux 2.6.31-14-generic x86_64

Jamie Strandboge (jdstrand) wrote :

I should clarify, this isn't a functional regression, but libvirt should not try to write to installation media like this. If apparmor were not enabled, libvirt could potentially change the installation media, which would be bad.

Changed in libvirt (Ubuntu):
importance: Undecided → Low
Jamie Strandboge (jdstrand) wrote : Re: apparmor complains about write access to a readonly ISO image

I looked into this a little more and believe this is a limitation of libvirt and kvm interaction. kvm doesn't seem to have a way to specify the image is readonly. The best option is to suppress the denied message since it will happen every time and lead to confusion in normal use (and debugging).

summary: - libvirt via virt-manager tries to write to a readonly ISO image
+ libvirt tries to write to open a file with write permissions for a
+ readonly ISO image
summary: - libvirt tries to write to open a file with write permissions for a
- readonly ISO image
+ apparmor complains about write access to a readonly ISO image
Changed in libvirt (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → ubuntu-9.10
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Talking with jjohansen, this is both a bug in the auditing code in the kernel and in libvirt. To fix this, we will need to perform an SRU to fix the kernel audit masking and libvirt to add a deny rule for the write access.

Changed in linux (Ubuntu Karmic):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → Medium
status: New → Triaged
Changed in libvirt (Ubuntu Karmic):
importance: Low → Medium
milestone: ubuntu-9.10 → karmic-updates
Changed in linux (Ubuntu Karmic):
milestone: none → karmic-updates
Jamie Strandboge (jdstrand) wrote :

Here is a debdiff for libvirt. This should not be applied until the linux task is completed, otherwise we will get an audit message that 'r' was denied, when it wasn't.

Changed in libvirt (Ubuntu Karmic):
status: Triaged → In Progress
summary: - apparmor complains about write access to a readonly ISO image
+ apparmor complains about write access to a readonly file
tags: added: apparmor
John Johansen (jjohansen) wrote :
Jamie Strandboge (jdstrand) wrote :

This kernel allows me to have things like this in the profile and have it work as expected:
  "/home/jamie/vms/isos/karmic/karmic-server-amd64.iso" r,
  # don't audit writes to readonly media
  deny "/home/jamie/vms/isos/karmic/karmic-server-amd64.iso" w,

I.e., jj's kernel fixes this for me.

Jamie Strandboge (jdstrand) wrote :
Changed in linux (Ubuntu):
status: Triaged → In Progress
Changed in linux (Ubuntu Karmic):
status: Triaged → In Progress
Stefan Bader (smb)
Changed in linux (Ubuntu Karmic):
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote : Please test proposed package

Accepted linux into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Jamie Strandboge (jdstrand) wrote :

SRU (libvirt)

Impact: confusing messages in kernel log. Told access to ISO is denied, but it is correctly allowed.

Bug is addressed in Lucid by adding a deny rule for the 'w' action, which silences the message while still enforcing readonly.

Patch is debian/patches/9094-lp453335.patch

See comment #7

The regression potential is considered low. It passes the qa-regression-testing script. The added deny rule does nothing except silence a confusing denial message.

Jamie Strandboge (jdstrand) wrote :

I should also mention that libvirt *MUST* be moved to karmic-updates at the same time or after the kernel SRU for this bug, i.e. 2.6.31-15.49.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.0-1ubuntu14

---------------
libvirt (0.7.0-1ubuntu14) lucid; urgency=low

  * debian/patches/9093-lp460271.patch: require absolute path for dynamic
    added files (LP: #460271)
  * debian/patches/9094-lp453335.patch: suppress confusing and misleading
    apparmor denied message when kvm/qemu tries to open a libvirt specified
    readonly file (such as a cdrom) with write permissions. libvirt uses the
    readonly attribute for the security driver only, and has no way of telling
    kvm/qemu that the device should be opened readonly. (LP: #453335)
  * debian/apparmor/usr.sbin.libvirtd: allow 'inet dgram' for migration to
    work (LP: #461528)
  * debian/apparmor/usr.sbin.libvirtd: properly support qemu+tcp:// by
    allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)
 -- Jamie Strandboge <email address hidden> Mon, 09 Nov 2009 17:11:05 -0600

Changed in libvirt (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in libvirt (Ubuntu Karmic):
status: In Progress → Fix Committed
Changed in libvirt (Ubuntu Lucid):
milestone: karmic-updates → none
Changed in linux (Ubuntu Lucid):
milestone: karmic-updates → none
Changed in linux (Ubuntu Lucid):
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

Accepted libvirt into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Jamie Strandboge (jdstrand) wrote :

With libvirt 0.7.0-1ubuntu13.1 and kernel 2.6.31-15.49-generic, I get the following in /etc/apparmor.d/libvirt/libvirt-<uuid>.files:

  "/home/jamie/vms/isos/karmic/karmic-server-amd64.iso" r,
  # don't audit writes to readonly media
  deny "/home/jamie/vms/isos/karmic/karmic-server-amd64.iso" w,

Starting the VM results in access to the iso without the confusing denial message. In other words, this bug is fixed with the libvirt and kernel packages in -proposed.

Again, please do not copy libvirt to -updates before the kernel. Thanks!

Martin Pitt (pitti) wrote :

Thanks for the testing.

I added a verification-failed tag purely to avoid me accidentally copying to -updates before the kernel. I'll revisit this when the kernel is in, then it can go to -updates.

tags: added: verification-done
removed: verification-needed
tags: added: verification-failed
Martin Pitt (pitti) wrote :

Both the kernel and libvirt are ready to go to -updates, so I remove the v-failed reminder tag now.

tags: removed: verification-failed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-15.50

---------------
linux (2.6.31-15.50) karmic-proposed; urgency=low

  [ Kees Cook ]

  * SAUCE: Fix nx_enable reporting
    - LP: #454285

linux (2.6.31-15.49) karmic-proposed; urgency=low

  [ Benjamin Herrenschmidt ]

  * [Upstream] (drop after 2.6.31) usb-storage: Workaround devices with
    bogus sense size
    - LP: #446146

  [ John Johansen ]

  * SAUCE: AppArmor: AppArmor wrongly reports allow perms as denied
    - LP: #453335
  * SAUCE: AppArmor: Policy load and replacement can fail to alloc mem
    - LP: #458299
  * SAUCE: AppArmor: AppArmor fails to audit change_hat correctly
    - LP: #462824
  * SAUCE: AppArmor: AppArmor disallows truncate of deleted files.
    - LP: #451375

  [ Kees Cook ]

  * SAUCE: [x86] fix report of cs-limit nx-emulation
    - LP: #454285

  [ Scott James Remnant ]

  * Revert "SAUCE: trace: add trace_event for the open() syscall"
  * SAUCE: trace: add trace events for open(), exec() and uselib()
    - LP: #462111

  [ Stefan Bader ]

  * SAUCE: Fix sub-flavour script to not stop on missing directories
    - LP: #453073

  [ Tim Gardner ]

  * [Upstream] (drop after 2.6.31) Input: synaptics - add another Protege
    M300 to rate blacklist
    - LP: #433801

  [ Upstream Kernel Changes ]

  * PM: Make warning in suspend_test_finish() less likely to happen
    - LP: #464552
 -- Stefan Bader <email address hidden> Tue, 10 Nov 2009 14:31:52 +0100

Changed in linux (Ubuntu Karmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 0.7.0-1ubuntu13.1

---------------
libvirt (0.7.0-1ubuntu13.1) karmic-proposed; urgency=low

  * debian/patches/9093-lp460271.patch: require absolute path for dynamic
    added files (LP: #460271)
  * debian/patches/9094-lp453335.patch: suppress confusing and misleading
    apparmor denied message when kvm/qemu tries to open a libvirt specified
    readonly file (such as a cdrom) with write permissions. libvirt uses the
    readonly attribute for the security driver only, and has no way of telling
    kvm/qemu that the device should be opened readonly. (LP: #453335)
  * debian/apparmor/usr.sbin.libvirtd: allow 'inet dgram' for migration to
    work (LP: #461528)
  * debian/apparmor/usr.sbin.libvirtd: properly support qemu+tcp:// by
    allowing 'inet6 stream' and 'inet6 dgram' (LP: #462000)
 -- Jamie Strandboge <email address hidden> Mon, 09 Nov 2009 17:12:32 -0600

Changed in libvirt (Ubuntu Karmic):
status: Fix Committed → Fix Released
NightShade (tim-night-shade) wrote :

I think this is actually causing a moderately serious regression with snapshots.

If you look at the contents of an apparmor define for an example VM, the deny that silences the error here also prevents snapshot commits from working and, because the error is hidden, makes this extra difficult to debug.

  "/var/log/libvirt/**/OpenWRT.log" w,
  "/var/lib/libvirt/**/OpenWRT.monitor" rw,
  "/var/run/libvirt/**/OpenWRT.pid" rwk,
  "/run/libvirt/**/OpenWRT.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.OpenWRT" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.OpenWRT" rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4-zfs-1.qcow2" rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" r,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" w,
  /dev/vhost-net rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" rw,

The bug number for the snapshot bug is #453335

NightShade (tim-night-shade) wrote :

Correction: the bug number for the other bug is #1004606
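
An added example, not code from libvirt or this report: a Python check that flags allow rules made ineffective by a `deny` rule on the same path, the situation in the fragment NightShade quotes (AppArmor deny rules override allow rules regardless of order, and their denials are not audited by default). It assumes one-line file rules and compares paths literally without evaluating globs; the function names and the sample, constructed from the quoted lines, are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the profile fragment quoted above.
SAMPLE = '''\
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4-zfs-1.qcow2" rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" r,
  # don't audit writes to readonly files
  deny "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" w,
  /dev/vhost-net rw,
  "/var/lib/libvirt/images/openwrt-x86-kvm_guest-combined-ext4.img" rw,
'''

# [deny] "path"|/path perms,   (simple one-line file rules only)
RULE = re.compile(
    r'^\s*(?P<deny>deny\s+)?(?:"(?P<quoted>[^"]+)"|(?P<bare>/\S*))'
    r'\s+(?P<perms>[a-zA-Z]+)\s*,\s*$')


def parse_rules(text):
    """Yield (lineno, path, perms, is_deny) for each simple file rule."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line)
        if m:  # comments and anything more complex do not match
            path = m['quoted'] or m['bare']
            yield lineno, path, set(m['perms']), bool(m['deny'])


def shadowed_allows(text):
    """Return (path, allow_line, deny_line, perms) for allows overridden by a deny."""
    denied = defaultdict(dict)  # path -> {perm: line of first deny rule}
    allows = []
    for lineno, path, perms, is_deny in parse_rules(text):
        if is_deny:
            for perm in perms:
                denied[path].setdefault(perm, lineno)
        else:
            allows.append((lineno, path, perms))
    findings = []
    for lineno, path, perms in allows:
        hit = perms & set(denied.get(path, {}))
        if hit:  # deny wins regardless of rule order
            deny_line = min(denied[path][p] for p in hit)
            findings.append((path, lineno, deny_line, ''.join(sorted(hit))))
    return findings


if __name__ == '__main__':
    for path, allow_line, deny_line, perms in shadowed_allows(SAMPLE):
        print(f"line {allow_line}: '{perms}' on {path} is denied "
              f"(and not logged) by line {deny_line}")
```

On the sample, only the final `rw` rule for the `.img` file is reported; the earlier `r` rule on the same path is unaffected because the deny covers `w` only.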
