| Summary: | virt-aa-helper does not support unix sockets after the VM has started | ||
|---|---|---|---|
| Product: | [Community] Virtualization Tools | Reporter: | Simon Arlott <bugzilla.redhat.simon> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED UPSTREAM | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | unspecified | CC: | agx, bugzilla.redhat.simon, cedric.bosdonnat.ooo, crobinso, dyuan, fjin, rbalakri |
| Target Milestone: | --- | Flags: | bugzilla.redhat.simon:
needinfo-
|
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-04-08 12:17:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Thanks for the clear bug report, but like I said in the other bug I don't think any of the committers who have an apparmor setup watch this tracker. Might be better off mailing the list (or proposing a patch with appropriate CCs) Hi Simon, I see you set needinfo- ... not sure if that was intentional or not? Do you plan to send the patches upstream? If not I can ping one of the apparmor guys to take a look I don't have any patches for this other than just removing the S_IFSOCK check entirely. CCing guido and cedric who patch virt-aa-helper on occasion This was already fixed in a188c57d5432fce72daf818ccdb970ee6b71e936 if I read the logs correctly. Indeed, I missed that. Thanks Guido! |
Description of problem: Using the "managedsave" command requires calling virt-aa-helper. If the VM has any unix sockets configured then virt-aa-helper will return an error because the unix sockets will exist when the VM is running, and virt-aa-helper rejects any filename which is an existing unix socket. Version-Release number of selected component (if applicable): 1.2.16 How reproducible: Start a VM with a unix socket configured and then try to use "managedsave". Steps to Reproduce: 1. Start a VM with a unix socket configured 2. Use "virsh managedsave <domain>" Actual results: error: Failed to save domain <domain> state error: internal error: cannot update AppArmor profile 'libvirt-<uuid>' Expected results: VM state is saved and the VM is stopped. Additional info: [pid 4921] access("/var/lib/libvirt/qemu/<domain>.vnc", F_OK) = 0 [pid 4921] lstat("/var", {st_mode=S_IFDIR|0755, st_size=100, ...}) = 0 [pid 4921] lstat("/var/lib", {st_mode=S_IFDIR|0755, st_size=716, ...}) = 0 [pid 4921] lstat("/var/lib/libvirt", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0 [pid 4921] lstat("/var/lib/libvirt/qemu", {st_mode=S_IFDIR|0750, st_size=108, ...}) = 0 [pid 4921] lstat("/var/lib/libvirt/qemu/<domain>.vnc", {st_mode=S_IFSOCK|0775, st_size=0, ...}) = 0 [pid 4921] access("/var/lib/libvirt/qemu/<domain>.vnc", F_OK) = 0 [pid 4921] stat("/var/lib/libvirt/qemu/<domain>s.vnc", {st_mode=S_IFSOCK|0775, st_size=0, ...}) = 0 [pid 4921] write(2, "virt-aa-helper: error: /var/lib/libvirt/qemu/<domain>.vnc\n", 57) = 57 [pid 4921] write(2, "virt-aa-helper: error: skipped restricted file\n", 47) = 47 [pid 4921] write(2, "virt-aa-helper: error: invalid VM definition\n", 45) = 45 [pid 4921] +++ exited with 1 +++ The problem is the check that a filename that exists isn't of type S_IFSOCK in valid_path(): switch (sb.st_mode & S_IFMT) { case S_IFSOCK: return 1; break; default: break; }