Open majduk opened 4 years ago
This profile comes from upstream libvirt… It's weird to me that libvirtd even tries to trace Multipass, and unclear whether that should be allowed…
Would you please file this as a bug upstream and see what their reaction is?
I'm experiencing this as well and it makes syslog kind of unusable as it is just filled with these denials.
Seeing this too with v1.7.0 and 1.8.0-dev.346+gea7f2c38 and it prevents using libvirt with multipass. Attempts to start an instance always return "Cannot connect to libvirtd". Host is Ubuntu 20.04.2
snap info:
# snap list multipass
Name Version Rev Tracking Publisher Notes
multipass 1.8.0-dev.346+gea7f2c38 5240 latest/edge canonical✓ -
# snap connections multipass
Interface Plug Slot Notes
firewall-control multipass:firewall-control :firewall-control -
home multipass:all-home :home -
home multipass:home :home -
kvm multipass:kvm :kvm -
libvirt multipass:libvirt :libvirt manual
lxd multipass:lxd lxd:lxd -
multipass-support multipass:multipass-support :multipass-support -
network multipass:network :network -
network-bind multipass:network-bind :network-bind -
network-control multipass:network-control :network-control -
network-manager multipass:network-manager :network-manager -
network-observe multipass:network-observe :network-observe -
removable-media multipass:removable-media - -
system-observe multipass:system-observe :system-observe -
unity7 multipass:unity7 :unity7 -
wayland multipass:wayland :wayland -
x11 multipass:x11 :x11 -
Set driver to libvirt and try starting an instance:
# multipass set local.driver=libvirt
[4072386.055143] audit: type=1400 audit(1628988984.525:1304): apparmor="STATUS" operation="profile_remove" profile="snap.multipass.multipassd" name="multipass.dnsmasq" pid=3750385 comm="apparmor_parser"
[4072386.515333] audit: type=1400 audit(1628988984.985:1305): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=475455 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.multipass.multipassd"
[4072388.471504] audit: type=1400 audit(1628988986.941:1306): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=475455 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.multipass.multipassd"
[4072388.472357] audit: type=1400 audit(1628988986.945:1307): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=475455 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.multipass.multipassd"
[4072388.473294] audit: type=1400 audit(1628988986.945:1308): apparmor="DENIED" operation="capable" profile="snap.multipass.multipassd" pid=3750388 comm="multipassd" capability=4 capname="fsetid"
# multipass launch -n focal-test focal
[4072394.925480] audit: type=1400 audit(1628988993.397:1309): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=475455 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.multipass.multipassd"
[4072394.931297] audit: type=1400 audit(1628988993.401:1310): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=475455 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.multipass.multipassd"
launch failed: Cannot connect to libvirtd: Failed to open file '/proc/3750388/stat': No such file or directory
Please ensure libvirt is installed and running.
Allow ptrace and start an instance:
# echo " ptrace (read,trace) peer=snap.multipass.multipassd," >> /etc/apparmor.d/local/usr.sbin.libvirtd
# apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd
[4072423.667256] audit: type=1400 audit(1628989022.137:1311): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirtd" pid=3750563 comm="apparmor_parser"
[4072423.708080] audit: type=1400 audit(1628989022.181:1312): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirtd//qemu_bridge_helper" pid=3750563 comm="apparmor_parser"
# multipass launch -n focal-test focal
Launched: focal-test
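To see which denials are flooding the log and what the narrowest AppArmor rule for them would be, here is a small parser over audit lines in the format quoted above. This is an added example, not code from the thread or from the Multipass or libvirt projects; the sample lines are constructed to match the quoted format, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample lines in the two kernel audit formats seen in this thread
# (plain dmesg timestamps and syslog-prefixed lines).
SAMPLE_LOG = """\
[4072386.515333] audit: type=1400 audit(1628988984.985:1305): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=475455 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.multipass.multipassd"
[4072388.473294] audit: type=1400 audit(1628988986.945:1308): apparmor="DENIED" operation="capable" profile="snap.multipass.multipassd" pid=3750388 comm="multipassd" capability=4 capname="fsetid"
[4072423.667256] audit: type=1400 audit(1628989022.137:1311): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirtd" pid=3750563 comm="apparmor_parser"
Sep 23 10:48:31 physical kernel: [  976.038874] audit: type=1400 audit(1600850911.988:1237): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1149 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="snap.multipass.multipassd"
"""

# key="quoted value" or key=bareword, as emitted by the AppArmor audit subsystem
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def summarize_denials(text):
    """Count DENIED events by (profile, operation, peer/capability) so the noisy ones stand out."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get('apparmor') != 'DENIED':
            continue
        target = f.get('peer') or f.get('capname') or f.get('name', '')
        counts[(f['profile'], f['operation'], target)] += 1
    return counts


def suggest_ptrace_rules(text):
    """Build, for each ptrace denial, the rule granting only the mask that was denied.
    The fix in the thread grants (read,trace); this emits the narrower per-mask form."""
    rules = set()
    for line in text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get('apparmor') != 'DENIED' or f.get('operation') != 'ptrace':
            continue
        rules.add(f"ptrace ({f['denied_mask']}) peer={f['peer']},")
    return sorted(rules)


if __name__ == '__main__':
    for key, n in summarize_denials(SAMPLE_LOG).most_common():
        print(n, *key)
    print('\n'.join(suggest_ptrace_rules(SAMPLE_LOG)))
```

Feed it `journalctl -k` or `dmesg` output to get the same summary for a live host; the suggested rules belong in /etc/apparmor.d/local/usr.sbin.libvirtd as in the fix above.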
Would you please file this as a bug upstream and see what their reaction is?
https://gitlab.com/libvirt/libvirt/-/issues/234
this prevents the usage of the libvirt driver in multipass.
Describe the bug
Libvirt blocks ptrace call from multipass even when the interface is connected.
The entry fills up the logs quite quickly. Additionally, due to this issue, the CLI interface responds extremely slowly.
To Reproduce
How, and what happened?
snap connect multipass:libvirt
Expected behavior
There should not be any denied log entries.
Adding stanza to
/etc/apparmor.d/usr.sbin.libvirtd
solves the problem:
Logs
Sep 23 10:48:31 physical kernel: [ 976.038874] audit: type=1400 audit(1600850911.988:1237): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1149 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="snap.multipass.multipassd"
Sep 23 10:48:31 physical kernel: [ 976.040919] audit: type=1400 audit(1600850911.992:1238): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1149 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="snap.multipass.multipassd"
Sep 23 10:48:32 physical kernel: [ 977.042526] audit: type=1400 audit(1600850912.992:1239): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1149 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="snap.multipass.multipassd"
Sep 23 10:48:33 physical kernel: [ 977.044151] audit: type=1400 audit(1600850912.996:1240): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1149 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="snap.multipass.multipassd"
Additional info
multipass version
1.4.0
multipass info --all