LibvirtApparmor

Revision 1 as of 2018-06-19 15:20:39


DRAFT: THIS PAGE IS STILL WIP

Introduction

Libvirt itself runs under a rather lenient profile as it needs to do so much, but the more important concerns are around breaking out of the guest. To further limit the damage in case such a thing happens, on Ubuntu libvirt will by default wrap each qemu/kvm guest in its own custom apparmor profile.

This profile consists of:

  • the base profile qemu/kvm always needs in /etc/apparmor.d/abstractions/libvirt-qemu

  • a generated per guest profile /etc/apparmor.d/libvirt/libvirt-<guestUUID>

For example, every guest needs access to /dev/kvm, and there is no reason to isolate that. But there is no reason for the disk of one guest to be accessible to any other guest. For the latter, the per-guest profile is generated from the XML description of the guest when it is started.

This conversion from guest XML to an apparmor profile is done by the tool virt-aa-helper, which usually lives at /usr/lib/libvirt/virt-aa-helper. virt-aa-helper needs to do some checks on files to generate rules, so it has its own apparmor profile in /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper.
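The following shell helpers are an added example, not part of this wiki page or of libvirt: they derive the per-guest profile name and file path from a guest UUID (as reported by virsh domuuid) and list the file paths a profile body grants, which is a quick way to confirm that a guest's profile covers only its own disks. The UUID and the profile text are constructed placeholders; the rule lines are written in the usual AppArmor file-rule form (quoted or bare path, permission letters, trailing comma) and are not a verbatim copy of virt-aa-helper output.

```shell
#!/bin/sh
# Added example: map a guest UUID to its generated apparmor profile and
# list the paths that profile grants. Not libvirt's own code.

# Constructed placeholder UUID, in the 8-4-4-4-12 form virsh prints.
SAMPLE_UUID='11111111-2222-3333-4444-555555555555'

# Constructed, illustrative profile body; real generated profiles differ in
# detail but carry file rules of this shape.
SAMPLE_PROFILE='#include <tunables/global>

profile libvirt-11111111-2222-3333-4444-555555555555 {
  #include <abstractions/libvirt-qemu>

  "/var/lib/libvirt/images/guest-a.qcow2" rwk,
  "/var/lib/libvirt/images/guest-a-data.qcow2" rwk,
  /dev/net/tun rw,
}'

# guest_profile_name UUID: the profile name libvirt uses for a guest.
guest_profile_name() {
    printf 'libvirt-%s\n' "$1"
}

# guest_profile_path UUID: the generated per-guest profile file.
guest_profile_path() {
    printf '/etc/apparmor.d/libvirt/libvirt-%s\n' "$1"
}

# valid_uuid UUID: succeed only for the lowercase hex 8-4-4-4-12 form.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# granted_paths: read profile text on stdin, print each path that has a
# file rule (quoted "path" perms, or bare /path perms,). Includes and the
# profile header are skipped.
granted_paths() {
    sed -n \
        -e 's/^[[:space:]]*"\([^"]*\)"[[:space:]][[:space:]]*[a-zA-Z]*,.*/\1/p' \
        -e 's/^[[:space:]]*\(\/[^[:space:]]*\)[[:space:]][[:space:]]*[a-zA-Z]*,.*/\1/p'
}

# Stand-alone run: show where the profile for SAMPLE_UUID would live and
# which paths the constructed profile text grants.
if valid_uuid "$SAMPLE_UUID"; then
    printf 'profile name: %s\n' "$(guest_profile_name "$SAMPLE_UUID")"
    printf 'profile file: %s\n' "$(guest_profile_path "$SAMPLE_UUID")"
    printf 'granted paths:\n'
    printf '%s\n' "$SAMPLE_PROFILE" | granted_paths
fi
```

On a real host, replace SAMPLE_UUID with the output of virsh domuuid GUEST and feed the actual file from guest_profile_path into granted_paths; any disk path that belongs to a different guest is worth a closer look.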

The most common issues around this are:

  • Using special features unknown to libvirt, like http://blog.vmsplice.net/2011/04/how-to-pass-qemu-command-line-options.html. If you need to use a very new libvirt feature that has no apparmor support yet, or the qemu-commandline example above, then virt-aa-helper just can't generate the rule for it. In the case of qemu-commandline it is, in the XML sense, invisible to virt-aa-helper as it is a different scope. In these cases you need to allow access to these paths in the generic base profile /etc/apparmor.d/abstractions/libvirt-qemu. To know what you need to add, check dmesg -w when starting the guest (or attaching the device). This will already tell you the path, the profile and the requested permissions.

  • Special characters in filenames
    • This is not so common, but if it happens the error messages are often misleading. TODO: continue on details about how to get to the error messages TODO: Link bug
  • Using uncommon paths
    • TODO: /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
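As an added example (not from this page or from libvirt), the shell functions below turn the apparmor="DENIED" lines that dmesg -w shows while a guest starts into candidate file rules for review, extracting exactly the three things the text says to look for: the path (name=), the profile, and the permissions (denied_mask=). The log lines embedded here are constructed; the guest UUID and paths in them are placeholders.

```shell
#!/bin/sh
# Added example: summarise apparmor DENIED audit lines (as printed by
# `dmesg -w`) into candidate rules. Not libvirt's or apparmor's own tooling.

# Constructed sample log lines with placeholder UUID and paths; the last
# line is unrelated noise that must be ignored.
SAMPLE_DENIALS='[ 1234.567890] audit: type=1400 audit(1529420000.123:456): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/srv/images/extra.qcow2" pid=4321 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=64055 ouid=64055
[ 1234.678901] audit: type=1400 audit(1529420000.223:457): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/dev/vfio/vfio" pid=4321 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=64055 ouid=64055
[ 1234.789012] kernel: some unrelated line'

# field LINE KEY: print the value of KEY="value" in LINE, or nothing.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# denial_to_rule LINE: for a DENIED line print 'profile<TAB>"path" perms,'
# (the AppArmor file-rule form); fail silently for anything else.
denial_to_rule() {
    line=$1
    case $line in
        *'apparmor="DENIED"'*) ;;
        *) return 1 ;;
    esac
    profile=$(field "$line" profile)
    path=$(field "$line" name)
    mask=$(field "$line" denied_mask)
    [ -n "$profile" ] && [ -n "$path" ] && [ -n "$mask" ] || return 1
    printf '%s\t"%s" %s,\n' "$profile" "$path" "$mask"
}

# rules_from_log: read log text on stdin, print unique candidate rules
# grouped by profile, so repeated denials of the same path collapse.
rules_from_log() {
    while IFS= read -r l; do
        denial_to_rule "$l" || true
    done | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_DENIALS" | rules_from_log
```

Each output line names the profile that denied the access, so you can see whether the rule belongs in the shared abstraction (a path every guest legitimately needs) or whether a single guest is reaching for something it should not have; a candidate rule is a starting point for review, not something to paste in unread.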

In general it is worth enabling debug logging in libvirt, although due to the size of the output it is also rather exhausting to look at.

Tweaking apparmor for KVM

TODO - local overrides
TODO - unknown files, unclear logs
TODO - we work on more of those as new apparmor features allow us to do so
TODO - example bug

Note: this page is referred to from program output, so please do not move the location of the page.