Bug 1312596 - virt-aa-helper does not support unix sockets after the VM has started
Summary: virt-aa-helper does not support unix sockets after the VM has started
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-02-27 17:59 UTC by Simon Arlott
Modified: 2016-04-08 12:17 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-08 12:17:07 UTC
bugzilla.redhat.simon: needinfo-

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Simon Arlott 2016-02-27 17:59:55 UTC 
Description of problem:
Using the "managedsave" command requires calling virt-aa-helper. If the VM has any unix sockets configured then virt-aa-helper will return an error because the unix sockets will exist when the VM is running, and virt-aa-helper rejects any filename which is an existing unix socket.


Version-Release number of selected component (if applicable): 1.2.16


How reproducible:
Start a VM with a unix socket configured and then try to use "managedsave".


Steps to Reproduce:
1. Start a VM with a unix socket configured
2. Use "virsh managedsave <domain>"


Actual results:
error: Failed to save domain <domain> state
error: internal error: cannot update AppArmor profile 'libvirt-<uuid>'


Expected results:
VM state is saved and the VM is stopped.


Additional info:
[pid  4921] access("/var/lib/libvirt/qemu/<domain>.vnc", F_OK) = 0
[pid  4921] lstat("/var", {st_mode=S_IFDIR|0755, st_size=100, ...}) = 0
[pid  4921] lstat("/var/lib", {st_mode=S_IFDIR|0755, st_size=716, ...}) = 0
[pid  4921] lstat("/var/lib/libvirt", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0
[pid  4921] lstat("/var/lib/libvirt/qemu", {st_mode=S_IFDIR|0750, st_size=108, ...}) = 0
[pid  4921] lstat("/var/lib/libvirt/qemu/<domain>.vnc", {st_mode=S_IFSOCK|0775, st_size=0, ...}) = 0
[pid  4921] access("/var/lib/libvirt/qemu/<domain>.vnc", F_OK) = 0
[pid  4921] stat("/var/lib/libvirt/qemu/<domain>s.vnc", {st_mode=S_IFSOCK|0775, st_size=0, ...}) = 0
[pid  4921] write(2, "virt-aa-helper: error: /var/lib/libvirt/qemu/<domain>.vnc\n", 57) = 57
[pid  4921] write(2, "virt-aa-helper: error: skipped restricted file\n", 47) = 47
[pid  4921] write(2, "virt-aa-helper: error: invalid VM definition\n", 45) = 45
[pid  4921] +++ exited with 1 +++

The problem is the check that a filename that exists isn't of type S_IFSOCK in valid_path():
 
         switch (sb.st_mode & S_IFMT) {
             case S_IFSOCK:
                 return 1;
                 break;
             default:
                 break;
         }
Comment 1 Cole Robinson 2016-03-21 22:28:52 UTC 
Thanks for the clear bug report, but like I said in the other bug I don't think any of the committers who have an apparmor setup watch this tracker. Might be better off mailing the list (or proposing a patch with appropriate CCs)
Comment 2 Cole Robinson 2016-03-24 17:32:23 UTC 
Hi Simon, I see you set needinfo- ... not sure if that was intentional or not? Do you plan to send the patches upstream? If not I can ping one of the apparmor guys to take a look
Comment 3 Simon Arlott 2016-03-27 15:38:47 UTC 
I don't have any patches for this other than just removing the S_IFSOCK check entirely.
Comment 4 Cole Robinson 2016-04-07 20:01:48 UTC 
CCing guido and cedric who patch virt-aa-helper on occasion
Comment 5 Guido Günther 2016-04-08 07:33:24 UTC 
This was already fixed in a188c57d5432fce72daf818ccdb970ee6b71e936 if I read the logs correctly.
Comment 6 Cole Robinson 2016-04-08 12:17:07 UTC 
Indeed, I missed that. Thanks Guido!
Note You need to log in before you can comment on or make changes to this bug.