"Failed to create chardev" due to apparmor DENIED execute of "/usr/lib/pt_chown"

Bug #1342083 reported by TJ
This bug affects 23 people
Affects            Status        Importance  Assigned to  Milestone
libvirt (Ubuntu)   Fix Released  High        Unassigned
  Trusty           Fix Released  Undecided   Unassigned

Bug Description

================================================
1. Impact: cannot create pts-backed serial console
2. Fix: grant qemu the needed permissions
3. Test case: Create a vm definition with the xml in #7.
4. Regression potential: there should be no regressions, however we are
   allowing vms to read the list of all fds for all processes (though not
   the fds themselves), and also allowing the use of pt_chown.
================================================

On 14.04 x86_64 a default QEMU VM fails to start (even before the install from ISO image stage) with:

2014-07-15 12:02:56.278+0000: starting up
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/kvm-spice -name Test -S -machine pc-i440fx-trusty,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 2,sockets=2,cores=1,threads=1 -uuid 7c06d584-db97-454c-c19d-a759f92b9572 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/Test.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-reboot -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/Test.img,if=none,id=drive-virtio-disk0,format=raw -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=2 -drive file=/home/all/VirtualMachines/iso/ubuntu-14.04-server-amd64.iso,if=none,id=drive-ide0-1-0,readonly=on,format=raw -device ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0,bootindex=1 -netdev tap,fd=25,id=hostnet0,vhost=on,vhostfd=26 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:01:ca:81,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0 -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6
qemu-system-x86_64: -chardev pty,id=charserial0: Failed to create chardev
2014-07-15 12:02:56.494+0000: shutting down

With the kernel log showing:

Jul 15 13:02:56 hephaestion kernel: [48357.666272] audit: type=1400 audit(1405425776.174:72): apparmor="STATUS" operation="profile_load" name="libvirt-7c06d584-db97-454c-c19d-a759f92b9572" pid=22796 comm="apparmor_parser"
Jul 15 13:02:56 hephaestion kernel: [48357.744454] device vnet0 entered promiscuous mode
Jul 15 13:02:56 hephaestion kernel: [48357.752492] virbr0: port 1(vnet0) entered listening state
Jul 15 13:02:56 hephaestion kernel: [48357.752517] virbr0: port 1(vnet0) entered listening state
Jul 15 13:02:56 hephaestion kernel: [48357.811719] audit: type=1400 audit(1405425776.318:73): apparmor="DENIED" operation="open" profile="libvirt-7c06d584-db97-454c-c19d-a759f92b9572" name="/proc/22815/fd/" pid=22815 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=121 ouid=121
Jul 15 13:02:56 hephaestion kernel: [48357.811758] audit: type=1400 audit(1405425776.318:74): apparmor="DENIED" operation="exec" profile="libvirt-7c06d584-db97-454c-c19d-a759f92b9572" name="/usr/lib/pt_chown" pid=22815 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=121 ouid=0
Jul 15 13:02:56 hephaestion kernel: [48357.815363] virbr0: port 1(vnet0) entered disabled state
Jul 15 13:02:56 hephaestion kernel: [48357.816733] device vnet0 left promiscuous mode
Jul 15 13:02:56 hephaestion kernel: [48357.816754] virbr0: port 1(vnet0) entered disabled state
Jul 15 13:02:56 hephaestion kernel: [48358.195004] audit: type=1400 audit(1405425776.702:75): apparmor="STATUS" operation="profile_remove" name="libvirt-7c06d584-db97-454c-c19d-a759f92b9572" pid=22824 comm="apparmor_parser"

Revision history for this message
Phillip Sz (phillip-sz) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please execute the following command, as it will automatically gather debugging information, in a terminal:
apport-collect BUGNUMBER
When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Please show the xml for the failing domain.

Changed in libvirt (Ubuntu):
status: New → Incomplete
Revision history for this message
TJ (tj) wrote :

Serge, there is no XML since the failure occurred during the creation by virt-manager and it doesn't save a domain XML file if there's a creation failure, which was why I had to show the log outputs.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Thanks - this is odd, as neither libvirt nor qemu should be calling pt_chown. I cannot reproduce this locally.

Could you please show screen-by-screen which options you are showing while creating the new VM in virt-manager?

Also please show the results of:

dpkg -l | grep libvirt
dpkg -l | grep qemu
which qemu-system-x86_64
ls -l `which qemu-system-x86_64`
sha1sum `which qemu-system-x86_64`
kvm-spice -version

Changed in libvirt (Ubuntu):
status: Incomplete → New
status: New → Incomplete
importance: Undecided → High
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for libvirt (Ubuntu) because there has been no activity for 60 days.]

Changed in libvirt (Ubuntu):
status: Incomplete → Expired
Changed in libvirt (Ubuntu):
status: Expired → Confirmed
Changed in libvirt (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Note we are waiting for information to help debug this. Please do not re-mark this confirmed without first adding the information.

Revision history for this message
Stephane Chazelas (stephane-chazelas) wrote :

pt_chown is executed when adding a serial console backed by a pts chardev:

It is the same problem as https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/632696

      <serial type='pty'>
        <target port='0'/>
      </serial>

I get the same error on the second start of the VM after a reboot of the host, not on the first one (I don't know why).

Jun 9 04:06:24 host kernel: [ 2588.975014] audit: type=1400 audit(1433847984.691:97): apparmor="DENIED" operation="open" profile="libvirt-ee2d78ea-af2f-4e82-9b0e-ef75470ff81e" name="/proc/7809/fd/" pid=7809 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=108 ouid=108
Jun 9 04:06:24 host kernel: [ 2588.975073] audit: type=1400 audit(1433847984.691:98): apparmor="DENIED" operation="exec" profile="libvirt-ee2d78ea-af2f-4e82-9b0e-ef75470ff81e" name="/usr/lib/pt_chown" pid=7809 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=108 ouid=0

Revision history for this message
Stephane Chazelas (stephane-chazelas) wrote :

Adding:

  /usr/lib/pt_chown ix,
  owner @{PROC}/[0-9]*/fd/* r,

To /etc/apparmor.d/abstractions/libvirt-qemu fixes the problem for me.

Changed in libvirt (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Could you please test whether just adding

  /usr/lib/pt_chown ix,
  owner @{PROC}/[0-9]*/fd/ r,

also suffices?

Changed in libvirt (Ubuntu):
status: Triaged → Incomplete
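Added example (not code from this bug report, libvirt, QEMU or the AppArmor project): the rules debated in the comments above can be derived mechanically from the DENIED audit records, and doing so shows why the narrower `owner @{PROC}/[0-9]*/fd/ r,` form is what the log actually asks for: the denied name is the fd directory itself, not the entries inside it. The script parses the kern.log records quoted in this thread, maps each denial to the single rule that would have permitted exactly that access, and groups the result per profile. The function names, the regexes and the normalisation of `/proc/<pid>/` to `@{PROC}/[0-9]*/` are this example's own choices; the sample lines are copied from the report, plus one `capable` denial from a later comment in the thread and two non-denial lines to show they are skipped.

```python
"""Turn AppArmor DENIED audit records into candidate profile rules.

Added example for this bug thread; not part of libvirt, QEMU or AppArmor.
It mirrors what a maintainer does by hand when reading kern.log: each
denial is mapped to the narrowest rule that would have allowed the access
that was refused.  Sample records are copied from the thread; they are
embedded here so the script runs offline.
"""
import re
from collections import defaultdict

# key=value pairs: the value is either "quoted" or bare (pid=22815, fsuid=121)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# /proc/<pid>/... -> the variable form used in the libvirt-qemu abstraction
_PROC_PID = re.compile(r'^/proc/\d+/')

# Lines copied from the thread (the fourth is from a later comment, another host).
SAMPLE_KERN_LOG = [
    'Jul 15 13:02:56 hephaestion kernel: [48357.666272] audit: type=1400 audit(1405425776.174:72): apparmor="STATUS" operation="profile_load" name="libvirt-7c06d584-db97-454c-c19d-a759f92b9572" pid=22796 comm="apparmor_parser"',
    'Jul 15 13:02:56 hephaestion kernel: [48357.744454] device vnet0 entered promiscuous mode',
    'Jul 15 13:02:56 hephaestion kernel: [48357.811719] audit: type=1400 audit(1405425776.318:73): apparmor="DENIED" operation="open" profile="libvirt-7c06d584-db97-454c-c19d-a759f92b9572" name="/proc/22815/fd/" pid=22815 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=121 ouid=121',
    'Jul 15 13:02:56 hephaestion kernel: [48357.811758] audit: type=1400 audit(1405425776.318:74): apparmor="DENIED" operation="exec" profile="libvirt-7c06d584-db97-454c-c19d-a759f92b9572" name="/usr/lib/pt_chown" pid=22815 comm="qemu-system-x86" requested_mask="x" denied_mask="x" fsuid=121 ouid=0',
    '[112561.712381] audit: type=1400 audit(1441743584.472:153): apparmor="DENIED" operation="capable" profile="libvirt-e6d2c4fc-e234-4c35-f059-1bfa1fd67501" pid=19534 comm="pt_chown" capability=3 capname="fowner"',
]


def parse_audit_line(line):
    """Return the key/value fields of an apparmor="DENIED" record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def rule_for(rec):
    """Map one denial record to one AppArmor rule, or None if unsupported."""
    op = rec.get('operation')
    if op == 'capable':
        # comm="pt_chown" here: the helper runs *inside* the VM profile (it was
        # started with ix), so its CAP_FOWNER request is judged by that profile.
        return f"capability {rec['capname']},"
    name = rec.get('name')
    if not name:
        return None
    path = _PROC_PID.sub('@{PROC}/[0-9]*/', name)
    if op == 'exec':
        # ix = inherit the caller's profile; the executed program gets no
        # rules of its own, which is why the exec rule alone can still leave
        # a later 'capable fowner' denial behind.
        return f'{path} ix,'
    mask = rec.get('denied_mask') or rec.get('requested_mask')
    if not mask:
        return None
    # 'owner' limits the rule to objects owned by the confined fsuid; only
    # safe to add when the denied object really was owned by that uid.
    owner = 'owner ' if rec.get('fsuid') == rec.get('ouid') else ''
    return f'{owner}{path} {mask},'


def suggest_rules(log_lines):
    """Deduplicated candidate rules, keyed by the profile that logged the denial."""
    rules = defaultdict(set)
    for line in log_lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        rule = rule_for(rec)
        if rule is not None:
            rules[rec.get('profile', '?')].add(rule)
    return {profile: sorted(rs) for profile, rs in rules.items()}


if __name__ == '__main__':
    for profile, rules in suggest_rules(SAMPLE_KERN_LOG).items():
        print(f'# derived from denials under profile {profile}')
        for rule in rules:
            print('  ' + rule)
```

For the reporter's profile this yields `/usr/lib/pt_chown ix,` and `owner @{PROC}/[0-9]*/fd/ r,`, i.e. the narrower pair Serge asks about, and `capability fowner,` for the profile in the later comment. That last one is the part worth pausing on: because `ix` makes pt_chown inherit the VM's profile, granting it CAP_FOWNER means granting CAP_FOWNER to qemu as well, which is the trade-off raised later in the thread. A `cx` transition into a child profile that holds only the pt_chown rules and the capability would confine it to that helper alone; that is a general AppArmor design option, not what this SRU shipped.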
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

(ping)

Revision history for this message
Stephane Chazelas (stephane-chazelas) wrote :

Hi Serge, sorry, I wasn't receiving email notifications (I thought it happened automatically when one ticked "this affects me").

I can't test on that system as it's in production now. I may be able to test on another system later, but probably not in July. It shouldn't be difficult to reproduce though.

What worries me more here is that it sometimes works, as in it sometimes manages to run pt_chown even though apparmor should have prohibited it. It may be an indication that there's some security weakness here.

Revision history for this message
TJ (tj) wrote :

I made configuration changes when the issue originally occurred and despite reverting the ones I can identify cannot now reproduce the issue - although I suspect that is because I've forgotten one or more changes I made.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Ok, thanks - we will add that to the 1.2.16 merge, then we can SRU.

Please note here if you need this SRU'd to vivid, or only to trusty.

Changed in libvirt (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Stephane Chazelas (stephane-chazelas+lp) wrote :

Serge, I think the real question is how it can work for some people without the

/usr/lib/pt_chown ix,

rule. How can it work at all (for VMs with a serial port backed by a pty device, which should be the default with a typical libvirt deployment)?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.16-2ubuntu3

---------------
libvirt (1.2.16-2ubuntu3) wily; urgency=medium

  * debian/apparmor/libvirt-qemu:
    allow serial console backed by pts chardev (LP: #1342083)

 -- Chris J Arges <email address hidden> Tue, 07 Jul 2015 16:38:17 -0500

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello TJ, or anyone else affected,

Accepted libvirt into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.15 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libvirt (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

I got this on current wily:

[112561.711239] audit: type=1400 audit(1441743584.472:152): apparmor="DENIED" operation="open" profile="libvirt-e6d2c4fc-e234-4c35-f059-1bfa1fd67501" name="/proc/19534/fd/" pid=19534 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=121 ouid=121
[112561.712381] audit: type=1400 audit(1441743584.472:153): apparmor="DENIED" operation="capable" profile="libvirt-e6d2c4fc-e234-4c35-f059-1bfa1fd67501" pid=19534 comm="pt_chown" capability=3 capname="fowner"

Removing the serial device is a workaround for now.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

@tjaalton,

can you show the contents of /etc/apparmor.d/abstractions/libvirt-qemu ?

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

here you go

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Never mind, my issue was caused by piuparts messing up the /dev/pts mount permissions.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote : [libvirt/trusty] verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for trusty for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

I failed to reproduce the original problem, but the -proposed packages pass the qa regression tests in lp:qa-regression-tests.

tags: added: verification-done
removed: verification-needed
Revision history for this message
ravas (rex51) wrote :

Lubuntu 15.10 64bit, Lenovo t450s:

I too see this issue. I have this fix in /etc/apparmor.d/abstractions/libvirt-qemu:

    # allow serial console backed by pts chardev (LP: #1342083)
    /usr/lib/pt_chown ix,
    owner @{PROC}/[0-9]*/fd/ r,

but still see an apparmor issue in /var/log/kern.log. But it does seem intermittent. If I reboot this system, it'll probably work again.

kern.log:

Feb 24 10:31:39 rexs-t450s kernel: [68855.173512] audit: type=1400 audit(1456338699.233:57): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-5f4214d2-91d5-49ac-be10-dc1efa2ea391" pid=1541 comm="apparmor_parser"
Feb 24 10:31:39 rexs-t450s kernel: [68855.173717] audit: type=1400 audit(1456338699.233:58): apparmor="STATUS" operation="profile_load" profile="unconfined" name="qemu_bridge_helper" pid=1541 comm="apparmor_parser"
Feb 24 10:31:39 rexs-t450s kernel: [68855.218794] device vnet0 entered promiscuous mode
Feb 24 10:31:39 rexs-t450s kernel: [68855.234823] virbr1: port 2(vnet0) entered listening state
Feb 24 10:31:39 rexs-t450s kernel: [68855.234830] virbr1: port 2(vnet0) entered listening state
Feb 24 10:31:39 rexs-t450s kernel: [68855.444422] audit: type=1400 audit(1456338699.505:59): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-5f4214d2-91d5-49ac-be10-dc1efa2ea391" pid=1625 comm="apparmor_parser"
Feb 24 10:31:39 rexs-t450s kernel: [68855.454929] audit: type=1400 audit(1456338699.517:60): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="qemu_bridge_helper" pid=1625 comm="apparmor_parser"
Feb 24 10:31:39 rexs-t450s kernel: [68855.494790] device vnet1 entered promiscuous mode
Feb 24 10:31:39 rexs-t450s kernel: [68855.510824] virbr2: port 2(vnet1) entered listening state
Feb 24 10:31:39 rexs-t450s kernel: [68855.510837] virbr2: port 2(vnet1) entered listening state
Feb 24 10:31:39 rexs-t450s kernel: [68855.658917] audit: type=1400 audit(1456338699.721:61): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-5f4214d2-91d5-49ac-be10-dc1efa2ea391" pid=1696 comm="apparmor_parser"
Feb 24 10:31:39 rexs-t450s kernel: [68855.667013] audit: type=1400 audit(1456338699.729:62): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="qemu_bridge_helper" pid=1696 comm="apparmor_parser"
Feb 24 10:31:39 rexs-t450s kernel: [68855.732437] audit: type=1400 audit(1456338699.793:63): apparmor="DENIED" operation="open" profile="libvirt-5f4214d2-91d5-49ac-be10-dc1efa2ea391" name="/proc/1701/fd/" pid=1701 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
Feb 24 10:31:39 rexs-t450s kernel: [68855.733164] audit: type=1400 audit(1456338699.793:64): apparmor="DENIED" operation="capable" profile="libvirt-5f4214d2-91d5-49ac-be10-dc1efa2ea391" pid=1701 comm="pt_chown" capability=3 capname="fowner"
Feb 24 10:31:39 rexs-t450s kernel: [68855.738959] virbr2: port 2(vnet1) entered disabled state
Feb 24 10:31:39 rexs-t450s kernel: [68855.740443] device vnet1 left promiscuous mode
Feb 24 10:31:39 rexs-t450s kernel: [68855.740446] virbr2: port 2(vnet1) entered disabled state
Feb 24 10:31:39 rexs-t450s kernel: [68855.775011] virbr1:...


Revision history for this message
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1342083] Re: "Failed to create chardev" due to apparmor DENIED execute of "/usr/lib/pt_chown"

Hi,

you should be able to work around it by adding

  capability fowner,

to that file. Note that /etc/apparmor.d/abstractions/libvirt-qemu on my
system already has that. I wonder whether your file libvirt-qemu abstractions
file may be out of date? Can you paste it here?

Revision history for this message
ravas (rex51) wrote :

Hi Serge,

libvirt-qemu file is attached on #23 :) Let me know what else you need.

Note: I did remove the serial console hardware component from the VM since I didn't need it, and things worked ok after that.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Thanks - that's very odd, since your file actually does include 'capability fowner', which is what the syslog says was denied. Are these qemu vms, or are they containers?

Revision history for this message
ravas (rex51) wrote :

It's a VM (centos7-based system)

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Oh, I misread, it's only a sub-policy that has cap-fowner.

pt_chown is not exactly trusted to begin with, so I'm not sure I want to allow all vms to run it with cap-fowner.

Not sure what the best way forward is.

Arulraj (arulraj.s)
Changed in libvirt (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Note to document this with the original issue:

With a more recent libvirt/qemu stack (2.5/2.8) or later (maybe before, but that is not important),
-chardev pty,id=charserial0
-device isa-serial,chardev=charserial0,id=serial0
(or both together)
work fine now even without this rule.

Upstream changed, so we no longer need to carry this in newer releases of libvirt/qemu.

Also this way to set up the consoles is in the default template of UVT, so it is usually tested early and often in a dev cycle if it would show up again.
