Bug 1312596 - virt-aa-helper does not support unix sockets after the VM has started
Product: Virtualization Tools
Classification: Community
Component: libvirt
Hardware: All Linux
Priority: unspecified, Severity: medium
Assigned To: Libvirt Maintainers
Reported: 2016-02-27 12:59 EST by Simon Arlott
Modified: 2016-04-08 08:17 EDT (History)

Doc Type: Bug Fix
Last Closed: 2016-04-08 08:17:07 EDT
Type: Bug
bugzilla.redhat.simon: needinfo-

Description Simon Arlott 2016-02-27 12:59:55 EST
Description of problem:
Using the "managedsave" command requires calling virt-aa-helper. If the VM has any unix sockets configured then virt-aa-helper will return an error because the unix sockets will exist when the VM is running, and virt-aa-helper rejects any filename which is an existing unix socket.

Version-Release number of selected component (if applicable): 1.2.16

How reproducible:
Start a VM with a unix socket configured and then try to use "managedsave".

Steps to Reproduce:
1. Start a VM with a unix socket configured
2. Use "virsh managedsave <domain>"

Actual results:
error: Failed to save domain <domain> state
error: internal error: cannot update AppArmor profile 'libvirt-<uuid>'

Expected results:
VM state is saved and the VM is stopped.

Additional info:
[pid  4921] access("/var/lib/libvirt/qemu/<domain>.vnc", F_OK) = 0
[pid  4921] lstat("/var", {st_mode=S_IFDIR|0755, st_size=100, ...}) = 0
[pid  4921] lstat("/var/lib", {st_mode=S_IFDIR|0755, st_size=716, ...}) = 0
[pid  4921] lstat("/var/lib/libvirt", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0
[pid  4921] lstat("/var/lib/libvirt/qemu", {st_mode=S_IFDIR|0750, st_size=108, ...}) = 0
[pid  4921] lstat("/var/lib/libvirt/qemu/<domain>.vnc", {st_mode=S_IFSOCK|0775, st_size=0, ...}) = 0
[pid  4921] access("/var/lib/libvirt/qemu/<domain>.vnc", F_OK) = 0
[pid  4921] stat("/var/lib/libvirt/qemu/<domain>s.vnc", {st_mode=S_IFSOCK|0775, st_size=0, ...}) = 0
[pid  4921] write(2, "virt-aa-helper: error: /var/lib/libvirt/qemu/<domain>.vnc\n", 57) = 57
[pid  4921] write(2, "virt-aa-helper: error: skipped restricted file\n", 47) = 47
[pid  4921] write(2, "virt-aa-helper: error: invalid VM definition\n", 45) = 45
[pid  4921] +++ exited with 1 +++

The problem is the check that a filename that exists isn't of type S_IFSOCK in valid_path():
         switch (sb.st_mode & S_IFMT) {
             case S_IFSOCK:
                 return 1;
Comment 1 Cole Robinson 2016-03-21 18:28:52 EDT
Thanks for the clear bug report, but like I said in the other bug I don't think any of the committers who have an apparmor setup watch this tracker. Might be better off mailing the list (or proposing a patch with appropriate CCs)
Comment 2 Cole Robinson 2016-03-24 13:32:23 EDT
Hi Simon, I see you set needinfo- ... not sure if that was intentional or not? Do you plan to send the patches upstream? If not I can ping one of the apparmor guys to take a look
Comment 3 Simon Arlott 2016-03-27 11:38:47 EDT
I don't have any patches for this other than just removing the S_IFSOCK check entirely.
Comment 4 Cole Robinson 2016-04-07 16:01:48 EDT
CCing guido and cedric who patch virt-aa-helper on occasion
Comment 5 Guido Günther 2016-04-08 03:33:24 EDT
This was already fixed in a188c57d5432fce72daf818ccdb970ee6b71e936 if I read the logs correctly.
Comment 6 Cole Robinson 2016-04-08 08:17:07 EDT
Indeed, I missed that. Thanks Guido!
