
Hello Guido,

I have great news. I'm able to successfully live attach a disk to a running VM with a loaded apparmor profile.

My setup:
Debian 8
Kernel 4.9.11
Libvirt 3.1.0
Apparmor 2.10 from Debian backports

With the same software and apparmor 2.9 from the stable Debian repo it fails. So apparently 2.10 has upstream fixes/patches which solve the reload profile bug? Hope this new insight helps you find the commit and backport it to apparmor 2.9 stable?

Thanks,
Frank

Sent from my iPhone
On 24 Mar 2017, at 09:17, Guido Günther <agx@sigxcpu.org> wrote:
On Thu, Mar 23, 2017 at 01:28:57PM +0100, Cedric Bosdonnat wrote:
Hello Frank,
I'm currently investigating some apparmor-related bug with namespaces. This one is surely related. I'll look into it when I'm done with the one I'm working on.
Assuming you're running the Jessie kernel, it's likely:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002
To make sure it's the kernel and not libvirt have a look at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805002#51
Cheers,
 -- Guido
-- Cedric
On Thu, 2017-03-23 at 12:07 +0000, Frank Schreuder wrote:
Hello,
I'm running libvirt 3.1.0 on a Debian 8 server. I installed apparmor and configured libvirt to use apparmor as security driver. After booting a VM, virsh dumpxml shows an apparmor seclabel.
As soon as I try to attach a second disk to the VM, apparmor blocks this.
virsh attach-device test-vps /tmp/virshXmlDefinition
error: Failed to attach device from /tmp/virshXmlDefinition
error: operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
Syslog shows me the following:

Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 : operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
In the VM-specific apparmor file /etc/apparmor.d/libvirt/libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859.files I see:

"/mnt/images/disk1.raw" rw,

which is my primary VM disk. I expected a virsh attach-device to append /mnt/images/disk2.raw to this file and reload/refresh the apparmor profile?
I'm not able to attach a live disk to a running VM with apparmor. Am I missing something? Or is this a bug/missing feature in libvirt?
Thanks,
Frank

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
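Added example, not code from the thread or from libvirt: a small diagnostic that separates the two explanations discussed above. It parses AppArmor DENIED audit records like the ones Frank quoted and compares each denied path against the per-VM `.files` fragment. A denied path with no matching rule in the fragment means libvirt never added it; a denied path the fragment already allows means the kernel is still enforcing an older copy of the profile, i.e. the reload did not take effect (the kernel-side case Guido points at). Assumptions: the `/etc/apparmor.d/libvirt/<profile>.files` layout quoted in the thread, sample input embedded inline (two audit lines copied from the thread, two constructed here), and a simplified reading of AppArmor path globbing (`*`, `**`, `?` only; `{a,b}` alternation, `[..]` classes and `owner`/`deny` qualifiers are not handled).

```python
import re

# Audit lines: the first two are the DENIED records quoted in the thread; the
# libvirtd error line and the last denial (a path a glob rule covers) are
# constructed here to exercise the filtering and the stale-profile case.
SAMPLE_AUDIT = """\
Mar 22 17:45:20 vps0 kernel: [1136647.318314] audit: type=1400 audit(1490201120.577:30): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="r" denied_mask="r" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 kernel: [1136647.325155] audit: type=1400 audit(1490201120.577:31): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/mnt/images/disk2.raw" pid=13453 comm="kvm" requested_mask="rw" denied_mask="rw" fsuid=996 ouid=33
Mar 22 17:45:20 vps0 libvirtd[10282]: 2017-03-22 16:45:20.596+0000: 10283: error : qemuMonitorTextAddDrive:1968 : operation failed: Could not open '/mnt/images/disk2.raw': Permission denied
Mar 22 17:45:21 vps0 kernel: [1136648.100000] audit: type=1400 audit(1490201121.100:32): apparmor="DENIED" operation="open" profile="libvirt-5747e4db-a3b7-fd69-ca89-00007b0bf859" name="/var/log/libvirt/qemu/test-vps.log" pid=13453 comm="kvm" requested_mask="w" denied_mask="w" fsuid=996 ouid=33
"""

# Constructed stand-in for /etc/apparmor.d/libvirt/<profile>.files, modelled on
# the one rule quoted in the thread plus a glob rule (assumption, not a real file).
SAMPLE_FILES = """\
  "/var/log/libvirt/**" w,
  "/mnt/images/disk1.raw" rw,
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split one AppArmor audit record into a dict; None for non-AppArmor lines."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def collect_denials(lines):
    """Return {profile: {path: set of denied permission letters}} for DENIED records."""
    denials = {}
    for line in lines:
        rec = parse_audit_line(line)
        if not rec or rec.get('apparmor') != 'DENIED' or 'name' not in rec:
            continue
        per_profile = denials.setdefault(rec['profile'], {})
        per_profile.setdefault(rec['name'], set()).update(rec.get('denied_mask', ''))
    return denials


# Plain file rules only: a quoted path or a bare path starting with '/', then
# permission letters and a trailing comma. #include, deny, owner etc. are skipped.
RULE_RE = re.compile(r'^\s*(?:"([^"]+)"|(/\S*))\s+([a-zA-Z]+),\s*$')


def parse_profile_rules(text):
    """List of (path pattern, permission set) from a .files fragment."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1) or m.group(2), set(m.group(3))))
    return rules


def aa_glob_to_regex(pattern):
    """Translate AppArmor path globbing: '**' may span '/', '*' and '?' may not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith('**', i):
            out.append('.*')
            i += 2
        elif pattern[i] == '*':
            out.append('[^/]*')
            i += 1
        elif pattern[i] == '?':
            out.append('[^/]')
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile('^' + ''.join(out) + '$')


def classify_denials(profile_denials, files_text):
    """Return (missing, stale) as rule lines ready to paste into the fragment.

    missing: no rule on disk covers the denied access (libvirt did not add it).
    stale:   the fragment on disk already allows it, yet the kernel denied it,
             so the loaded profile is older than the file (reload did not happen).
    """
    rules = parse_profile_rules(files_text)
    missing, stale = [], []
    for path, mask in sorted(profile_denials.items()):
        granted = set()
        for pattern, perms in rules:
            if aa_glob_to_regex(pattern).match(path):
                granted |= perms
        rule = '"%s" %s,' % (path, ''.join(sorted(mask)))
        (stale if mask <= granted else missing).append(rule)
    return missing, stale


if __name__ == '__main__':
    for profile, per_path in collect_denials(SAMPLE_AUDIT.splitlines()).items():
        missing, stale = classify_denials(per_path, SAMPLE_FILES)
        print('profile %s' % profile)
        print('  rules absent from the .files fragment (libvirt did not add them):')
        for rule in missing:
            print('    ' + rule)
        print('  paths the fragment already allows (loaded profile is stale):')
        for rule in stale:
            print('    ' + rule)
```

Run it against `journalctl -k` or `/var/log/syslog` output and the real `.files` fragment for the profile named in the denial. A non-empty stale list after a hotplug is the signature of the reload problem rather than a libvirt labelling gap; reloading the VM's profile with `apparmor_parser -r` and retrying the attach tells the two apart in practice.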