On Thu, 2010-09-23 at 15:02 -0500, Jamie Strandboge wrote:
> > Hmm, that's a libvirt error rather than a QEMU error. Is the restricted
> > AppArmour policy taking effect *before* the actual QEMU binary is exec()d ?
>
> This is related to the stacked security driver implementation.
> Specifically, if I strace libvirtd, I see in one of its threads:
> gettid() = 20306
> open("/proc/20306/attr/current", O_WRONLY) = 3
> write(3, "changeprofile libvirt-7d781722-6"..., 58) = 58
> close(3) = 0
> chown("/tmp/qrt-test-libvirt/libvirt/qatest/qatest.img", 116, 123) = 0
> setregid(123, 123) = -1 EPERM (Operation not
> permitted)
>
> This chown appears to come from qemuSecurityDACSetProcessLabel(). What
> seems to be happening is that in __virExec() we call the security hook
> and the apparmor hook is being called before the DAC one, so we
> aa_change_profile() to the more restricted libvirt-<uuid> profile. It
> seems that it would be preferable to reverse the calling order of the
> hooks, but I am not sure how to do that.
Err.. of course I meant both the 'chown' and the 'setregid' appear to
come from qemuSecurityDACSetProcessLabel() and that it is the setregid
that is causing the error.
--
Jamie Strandboge | http://www.canonical.com
Attachment:
signature.asc
Description: This is a digitally signed message part
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list