aa-logprof complained about libvirt include file not found

Bug #2000901 reported by Po-Hsu Lin
This bug affects 3 people
Affects: ubuntu-kernel-tests
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

When you try to run aa-logprof on s390x instances (zVM / LPAR), it will complain about:
$ aa-logprof

ERROR: Include file /etc/apparmor.d/libvirt/libvirt-df90c3d2-e35c-4914-9b8a-a6958234d0e0.files not found
$ echo $?
1

This is causing test failures in ubuntu_qrt_apparmor tests, for those tests that will call aa-logprof, because of this non-zero return value:
* ApparmorTest.test_lp652674
* ApparmorTest.test_lp1243932_send
* ApparmorTest.test_lp1243932_receive
* ApparmorTest.test_lp1243932_bind
* ApparmorTestsuites.test_utils_testsuite
* ApparmorTestsuites.test_utils_testsuite3

One example output:
 Running 'python3 ./test-apparmor.py -v ApparmorTest.test_lp652674'
 Running test: './test-apparmor.py' distro: 'Ubuntu 22.10' kernel: '5.19.0-28.29 (Ubuntu 5.19.0-28.29-generic 5.19.17)' arch: 's390x' uid: 0/0 SUDO_USER: 'ubuntu')
 test_lp652674 (__main__.ApparmorTest)
 Test aa-logprof LP: #652674 ... FAIL

 ======================================================================
 FAIL: test_lp652674 (__main__.ApparmorTest)
 Test aa-logprof LP: #652674
 ----------------------------------------------------------------------
 Traceback (most recent call last):
   File "/home/ubuntu/autotest/client/tmp/ubuntu_qrt_apparmor/src/qa-regression-testing/scripts/./test-apparmor.py", line 895, in test_lp652674
     self._test_logprof(log_contents, 0, 'SubDomain.pm')
   File "/home/ubuntu/autotest/client/tmp/ubuntu_qrt_apparmor/src/qa-regression-testing/scripts/./test-apparmor.py", line 889, in _test_logprof
     self.assertEqual(expected_rc, rc, result + report)
 AssertionError: 0 != 1 : Got exit code 1, expected 0

 ERROR: Include file /etc/apparmor.d/libvirt/libvirt-df90c3d2-e35c-4914-9b8a-a6958234d0e0.files not found

 ----------------------------------------------------------------------
 Ran 1 test in 0.777s

 FAILED (failures=1)
 Skipping private tests

This is not a regression; it's just that the ubuntu_qrt_apparmor test granularity improvement (bug 1982439) makes it easier to spot this failure.

Taking a closer look into /usr/lib/python3/dist-packages/apparmor/aa.py, this failure happens in loadincludes(), when trying to load the file in /etc/apparmor.d/libvirt/:

$ ls
libvirt-6e3ec251-b475-43eb-bbc1-a7844b0d8e86 TEMPLATE.lxc TEMPLATE.qemu
$ cat libvirt-6e3ec251-b475-43eb-bbc1-a7844b0d8e86
#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile libvirt-6e3ec251-b475-43eb-bbc1-a7844b0d8e86 flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-6e3ec251-b475-43eb-bbc1-a7844b0d8e86.files>

}
$

The include file here, libvirt-6e3ec251-b475-43eb-bbc1-a7844b0d8e86.files, will cause this file not found error.

It seems this /etc/apparmor.d/libvirt/libvirt-* file was created with uvt-kvm. One new file will be created when we run the ubuntu_kvm_smoke_test once.

Po-Hsu Lin (cypressyew)
description: updated
Po-Hsu Lin (cypressyew)
description: updated
summary: - aa-logprof complained about include file not found on K-s390x
+ aa-logprof complained about libvirt include file not found on K-s390x
Po-Hsu Lin (cypressyew)
tags: added: 5.15 jammy
tags: added: sru-20240108
Po-Hsu Lin (cypressyew) wrote : Re: aa-logprof complained about libvirt include file not found on K-s390x

This issue was opened for kinetic and hinted for K/L/M/N,
it does not exist any more in M, K/L EOL.
For N it's failing with a different issue.

Therefore I am going to close this bug and remove the hint.

Changed in ubuntu-kernel-tests:
status: New → Fix Released
Georgia Garcia (georgiag) wrote:

I'm commenting here in case anyone else bumps into this issue:

The libvirt-*.files file does not exist when the domain is not running, so if you're running an apparmor tool like aa-genprof or aa-logprof, they scan all profiles under /etc/apparmor.d/ and they expect a valid state for the policies - which these don't have because they include a file that does not exist unless the domain is running.
A fix was already submitted into libvirt: https://gitlab.com/libvirt/libvirt/-/commit/a2455fd53dbab9b15dc7b6b3e0ff11bfe19dec5c

but the easiest solution is to run:

sudo sed -i 's/include <libvirt/include if exists <libvirt/g' /etc/apparmor.d/libvirt/*

summary: - aa-logprof complained about libvirt include file not found on K-s390x
+ aa-logprof complained about libvirt include file not found
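
The check and rewrite discussed in the comments above, as an added example that is not part of the original report and is not AppArmor or libvirt code: it lists unconditional include <...> rules whose target is missing and applies the same "if exists" rewrite as the sed one-liner. The function names are hypothetical, only the angle-bracket include form is handled, and includes are assumed to resolve relative to /etc/apparmor.d; the sample tree is constructed from the profile quoted in the bug description.

```python
import re
import tempfile
from pathlib import Path

# AppArmor include rule: "#include <x>", "include <x>", optionally "if exists".
INCLUDE_RE = re.compile(r'^(\s*#?include)(\s+if\s+exists)?\s+<([^>]+)>')

def find_dangling_includes(profile_dir, base_dir="/etc/apparmor.d"):
    """Return (profile, line_no, target) for each unconditional include <...>
    whose target is missing under base_dir (what makes aa-logprof exit 1)."""
    findings = []
    for profile in sorted(p for p in Path(profile_dir).iterdir() if p.is_file()):
        lines = profile.read_text(errors="replace").splitlines()
        for line_no, line in enumerate(lines, 1):
            m = INCLUDE_RE.match(line)
            if m and not m.group(2) and not (Path(base_dir) / m.group(3)).exists():
                findings.append((profile.name, line_no, m.group(3)))
    return findings

def make_conditional(text, prefix="libvirt/"):
    """Turn unconditional includes under `prefix` into 'include if exists'; idempotent."""
    def fix(m):
        keep = m.group(2) or not m.group(3).startswith(prefix)
        return m.group(0) if keep else f"{m.group(1)} if exists <{m.group(3)}>"
    return "\n".join(INCLUDE_RE.sub(fix, line) for line in text.split("\n"))

def demo():
    """Constructed sample tree mirroring the profile quoted in the report."""
    uuid = "6e3ec251-b475-43eb-bbc1-a7844b0d8e86"
    text = ("#include <tunables/global>\n"
            f"profile libvirt-{uuid} flags=(attach_disconnected) {{\n"
            "  #include <abstractions/libvirt-qemu>\n"
            f"  #include <libvirt/libvirt-{uuid}.files>\n"
            "}\n")
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for name in ("tunables/global", "abstractions/libvirt-qemu"):
            (base / name).parent.mkdir()
            (base / name).write_text("")
        profile = base / "libvirt" / f"libvirt-{uuid}"
        profile.parent.mkdir()
        profile.write_text(text)
        before = find_dangling_includes(profile.parent, base)
        profile.write_text(make_conditional(text))
        after = find_dangling_includes(profile.parent, base)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Running find_dangling_includes("/etc/apparmor.d/libvirt") on a host before invoking aa-logprof or aa-genprof shows which profiles would trigger the "Include file ... not found" error.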