apparmor denies loading modules on 14.04.5+ #2

Open
dejonghb opened this issue Aug 17, 2016 · 5 comments

@dejonghb
Member

commented Aug 17, 2016

On a freshly installed Ubuntu LTS 14.04 (results in 14.04.5 now), loading of the .so files from /usr/lib/x86_64-linux-gnu/qemu is denied by AppArmor:

```
Failed to open module: /usr/lib/x86_64-linux-gnu/qemu/block-curl.so: failed to map segment from shared object: Permission denied
Failed to open module: /usr/lib/x86_64-linux-gnu/qemu/block-rbd.so: failed to map segment from shared object: Permission denied
Failed to open module: /usr/lib/x86_64-linux-gnu/qemu/block-openvstorage.so: failed to map segment from shared object: Permission denied
```

where dmesg has

```
[Wed Aug 17 12:36:30 2016] type=1400 audit(1471430192.746:197): apparmor="DENIED" operation="file_mmap" profile="libvirt-1a44dafb-c8df-532a-8444-c052167d18ac" name="/usr/lib/x86_64-linux-gnu/qemu/block-curl.so" pid=20443 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=105 ouid=0
[Wed Aug 17 12:36:30 2016] type=1400 audit(1471430192.746:198): apparmor="DENIED" operation="file_mmap" profile="libvirt-1a44dafb-c8df-532a-8444-c052167d18ac" name="/usr/lib/x86_64-linux-gnu/qemu/block-rbd.so" pid=20443 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=105 ouid=0
[Wed Aug 17 12:36:30 2016] type=1400 audit(1471430192.746:199): apparmor="DENIED" operation="file_mmap" profile="libvirt-1a44dafb-c8df-532a-8444-c052167d18ac" name="/usr/lib/x86_64-linux-gnu/qemu/block-openvstorage.so" pid=20443 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=105 ouid=0
```

Newer /etc/apparmor.d/abstractions/libvirt-qemu has (among others) the following lines added:

```
# for qemu-block-extra
/usr/lib/@{multiarch}/qemu/*.so rm,
```
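
One way to check whether the abstraction line quoted above would cover the logged denials, as an added example that is not part of the original issue or of the project's code. It assumes the stock Ubuntu definition `@{multiarch}=*-linux-gnu*` and handles only the `*`, `**` and `?` glob forms; the function names are hypothetical.

```python
import re

# Sample input: the audit records quoted in the issue, dmesg timestamp dropped.
SAMPLE = '''\
type=1400 audit(1471430192.746:197): apparmor="DENIED" operation="file_mmap" profile="libvirt-1a44dafb-c8df-532a-8444-c052167d18ac" name="/usr/lib/x86_64-linux-gnu/qemu/block-curl.so" pid=20443 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=105 ouid=0
type=1400 audit(1471430192.746:198): apparmor="DENIED" operation="file_mmap" profile="libvirt-1a44dafb-c8df-532a-8444-c052167d18ac" name="/usr/lib/x86_64-linux-gnu/qemu/block-rbd.so" pid=20443 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=105 ouid=0
type=1400 audit(1471430192.746:199): apparmor="DENIED" operation="file_mmap" profile="libvirt-1a44dafb-c8df-532a-8444-c052167d18ac" name="/usr/lib/x86_64-linux-gnu/qemu/block-openvstorage.so" pid=20443 comm="qemu-system-x86" requested_mask="m" denied_mask="m" fsuid=105 ouid=0
'''

# Assumption: value of @{multiarch} in Ubuntu's /etc/apparmor.d/tunables/multiarch.
VARIABLES = {"@{multiarch}": "*-linux-gnu*"}

# key=value pairs, value either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of fields per apparmor="DENIED" record in the log text."""
    records = []
    for line in text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records


def glob_to_regex(glob):
    """Translate an AppArmor path glob: '**' crosses '/', '*' and '?' do not."""
    for var, value in VARIABLES.items():
        glob = glob.replace(var, value)
    parts = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    tokens = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(parts.get(t, re.escape(t)) for t in tokens) + r"\Z")


def uncovered(records, rule):
    """Denials that a file rule such as '/path/*.so rm,' would still leave denied."""
    path_glob, perms = rule.strip().rstrip(",").split()
    matcher = glob_to_regex(path_glob)
    return [r for r in records
            if not (matcher.match(r["name"]) and set(r["denied_mask"]) <= set(perms))]


if __name__ == "__main__":
    left = uncovered(parse_denials(SAMPLE), "/usr/lib/@{multiarch}/qemu/*.so rm,")
    print("still denied:", [r["name"] for r in left])
```

A rule that matches the path but grants only `r` still leaves all three records uncovered, because the denied mask is `m`.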

@wimpers


commented Sep 7, 2016

@dejonghb What should be done to tackle this ticket? Do we need to create a new QEMU build?

@dejonghb

Member Author

commented Sep 7, 2016

/etc/apparmor.d/abstractions/libvirt-qemu comes from the libvirt-bin package, which is something we provide via our apt repo and is built from https://github.com/openvstorage/libvirt (private)

Sure looks like the libvirt repo needs updating to be on par with newer Ubuntu releases. No idea which upstream was used and if any ubuntisms are included or not; but @cnanakos should be able to provide more info on that.

@cnanakos

Contributor

commented Sep 7, 2016

There are no changes included besides the ones for OpenvStorage. The package is based on the one provided by the official Ubuntu packages (1.2.2-0ubuntu13.1.17).

@wimpers


commented Dec 12, 2016

@dejonghb @cnanakos is this still relevant as we have moved to 16.04 or can we close this ticket?

@dejonghb

Member Author

commented Dec 12, 2016

If all is fine on 16.04 -- has this been checked/tested? -- and 14.04.x is considered obsolete, no problem with closing this one.
