- apparmor: Allow lxc processes to receive signals from libvirt

lxc: Set default security model in XML parser config 0d05d51b-apparmor-lxc-fix.patch, cf4e7e62-lxc-def-secmodel.patch bsc#1179735 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=863
2020-12-07 23:13:45 +00:00 · 2020-12-07 23:13:45 +00:00 · 0b3a0a1f93
commit 0b3a0a1f93
parent b2cb9c7395
6 changed files with 162 additions and 4 deletions
--- a/0002-lxc-implement-connectGetAllDomainStats.patch
+++ b/0002-lxc-implement-connectGetAllDomainStats.patch
@ -22,7 +22,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
 
 #define VIR_FROM_THIS VIR_FROM_LXC
 
-@@ -5068,6 +5070,128 @@ lxcDomainHasManagedSaveImage(virDomainPt
+@@ -5071,6 +5073,128 @@ lxcDomainHasManagedSaveImage(virDomainPt
     return ret;
 }
 
@ -151,7 +151,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
 
 /* Function Tables */
 static virHypervisorDriver lxcHypervisorDriver = {
-@@ -5165,6 +5289,7 @@ static virHypervisorDriver lxcHypervisor
+@@ -5168,6 +5292,7 @@ static virHypervisorDriver lxcHypervisor
     .nodeGetFreePages = lxcNodeGetFreePages, /* 1.2.6 */
     .nodeAllocPages = lxcNodeAllocPages, /* 1.2.9 */
     .domainHasManagedSaveImage = lxcDomainHasManagedSaveImage, /* 1.2.13 */
--- a/0d05d51b-apparmor-lxc-fix.patch
+++ b/0d05d51b-apparmor-lxc-fix.patch
@ -0,0 +1,40 @@
+commit 0d05d51b715390e08cd112f83e03b6776412aaeb
+Author: Jim Fehlig <jfehlig@suse.com>
+Date:   Wed Dec 2 16:24:21 2020 -0700
+
+    apparmor: Allow lxc processes to receive signals from libvirt
+    
+    LXC processes confined by apparmor are not permitted to receive signals
+    from libvirtd. Attempting to destroy such a process fails
+    
+    virsh --connect lxc:/// destroy distro_apparmor
+     error: Failed to destroy domain distro_apparmor
+     error: Failed to kill process 29491: Permission denied
+    
+    And from /var/log/audit/audit.log
+    
+    type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED"
+    operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1"
+    pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive"
+    signal=term peer="libvirtd"
+    
+    Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc
+    abstraction allowing reception of signals from libvirtd.
+    
+    Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+    Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+
+Index: libvirt-6.10.0/src/security/apparmor/libvirt-lxc
+===================================================================
+--- libvirt-6.10.0.orig/src/security/apparmor/libvirt-lxc
+++ libvirt-6.10.0/src/security/apparmor/libvirt-lxc
+@@ -1,5 +1,9 @@
+   #include <abstractions/base>
+ 
+ # Allow receiving signals from libvirtd
+  signal (receive) peer=libvirtd,
+  signal (receive) peer=/usr/sbin/libvirtd,
+
+   umount,
+ 
+   # ignore DENIED message on / remount
--- a/cf4e7e62-lxc-def-secmodel.patch
+++ b/cf4e7e62-lxc-def-secmodel.patch
@ -0,0 +1,108 @@
+commit cf4e7e620a3ecd109f23c8cdb577893d0e088201
+Author: Jim Fehlig <jfehlig@suse.com>
+Date:   Thu Dec 3 11:55:24 2020 -0700
+
+    lxc: Set default security model in XML parser config
+    
+    Attempting to create a lxc domain with <seclabel type='none'/> fails
+    
+    virsh --connect lxc:/// create distro_nosec.xml
+    error: Failed to create domain from distro_nosec.xml
+    error: unsupported configuration: Security driver model '(null)' is not available
+    
+    Commit 638ffa2228 adjusted the logic for setting a driver's default
+    security model.
+    
+    The lxc driver does not set a default security driver model in the XML
+    parser config, causing seclabels of type='none' to have a null model.
+    The lxc driver's security manager is initialized in lxcStateInitialize()
+    by calling lxcSecurityInit(). Use the model of this manager as the
+    default in the XML parser config.
+    
+    For the record, this is a regression caused by commit 638ffa2228, which
+    changed the logic for setting a driver's default security model. The
+    qemu driver was adjusted accordingly, but a similar change was missed
+    in the lxc driver.
+    
+    Signed-off-by: Jim Fehlig <jfehlig@suse.com>
+    Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
+
+Index: libvirt-6.10.0/src/lxc/lxc_conf.c
+===================================================================
+--- libvirt-6.10.0.orig/src/lxc/lxc_conf.c
+++ libvirt-6.10.0/src/lxc/lxc_conf.c
+@@ -209,9 +209,10 @@ virCapsPtr virLXCDriverGetCapabilities(v
+ 
+ 
+ virDomainXMLOptionPtr
+-lxcDomainXMLConfInit(virLXCDriverPtr driver)
+lxcDomainXMLConfInit(virLXCDriverPtr driver, const char *defsecmodel)
+ {
+     virLXCDriverDomainDefParserConfig.priv = driver;
+    virLXCDriverDomainDefParserConfig.defSecModel = defsecmodel;
+     return virDomainXMLOptionNew(&virLXCDriverDomainDefParserConfig,
+                                  &virLXCDriverPrivateDataCallbacks,
+                                  &virLXCDriverDomainXMLNamespace,
+Index: libvirt-6.10.0/src/lxc/lxc_conf.h
+===================================================================
+--- libvirt-6.10.0.orig/src/lxc/lxc_conf.h
+++ libvirt-6.10.0/src/lxc/lxc_conf.h
+@@ -112,7 +112,8 @@ int virLXCLoadDriverConfig(virLXCDriverC
+ virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver);
+ virCapsPtr virLXCDriverGetCapabilities(virLXCDriverPtr driver,
+                                        bool refresh);
+-virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver);
+virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver,
+                                           const char *defsecmodel);
+ 
+ static inline void lxcDriverLock(virLXCDriverPtr driver)
+ {
+Index: libvirt-6.10.0/src/lxc/lxc_controller.c
+===================================================================
+--- libvirt-6.10.0.orig/src/lxc/lxc_controller.c
+++ libvirt-6.10.0/src/lxc/lxc_controller.c
+@@ -169,7 +169,7 @@ virLXCControllerDriverNew(void)
+     }
+ 
+     driver->caps = virLXCDriverCapsInit(NULL);
+-    driver->xmlopt = lxcDomainXMLConfInit(driver);
+    driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
+ 
+     return driver;
+ }
+Index: libvirt-6.10.0/src/lxc/lxc_driver.c
+===================================================================
+--- libvirt-6.10.0.orig/src/lxc/lxc_driver.c
+++ libvirt-6.10.0/src/lxc/lxc_driver.c
+@@ -1470,6 +1470,7 @@ static int lxcStateInitialize(bool privi
+ {
+     virLXCDriverConfigPtr cfg = NULL;
+     bool autostart = true;
+    const char *defsecmodel;
+ 
+     if (root != NULL) {
+         virReportError(VIR_ERR_INVALID_ARG, "%s",
+@@ -1525,7 +1526,9 @@ static int lxcStateInitialize(bool privi
+     if (!(lxc_driver->hostdevMgr = virHostdevManagerGetDefault()))
+         goto cleanup;
+ 
+-    if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver)))
+    defsecmodel = virSecurityManagerGetModel(lxc_driver->securityManager);
+
+    if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver, defsecmodel)))
+         goto cleanup;
+ 
+     if (!(lxc_driver->closeCallbacks = virCloseCallbacksNew()))
+Index: libvirt-6.10.0/tests/testutilslxc.c
+===================================================================
+--- libvirt-6.10.0.orig/tests/testutilslxc.c
+++ libvirt-6.10.0/tests/testutilslxc.c
+@@ -71,7 +71,7 @@ testLXCDriverInit(void)
+     }
+ 
+     driver->caps = testLXCCapsInit();
+-    driver->xmlopt = lxcDomainXMLConfInit(driver);
+    driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
+ 
+     return driver;
+ }
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Dec  7 23:11:45 UTC 2020 - James Fehlig <jfehlig@suse.com>
+
+- apparmor: Allow lxc processes to receive signals from libvirt
+  lxc: Set default security model in XML parser config
+  0d05d51b-apparmor-lxc-fix.patch, cf4e7e62-lxc-def-secmodel.patch
+  bsc#1179735
+
 -------------------------------------------------------------------
 Tue Dec  1 23:55:16 UTC 2020 - James Fehlig <jfehlig@suse.com>

--- a/libvirt.spec
+++ b/libvirt.spec
@ -291,6 +291,8 @@ Source6:        libvirtd-relocation-server.xml
 Source99:       baselibs.conf
 Source100:      %{name}-rpmlintrc
 # Upstream patches
+Patch0:         0d05d51b-apparmor-lxc-fix.patch
+Patch1:         cf4e7e62-lxc-def-secmodel.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
--- a/lxc-wait-after-eth-del.patch
+++ b/lxc-wait-after-eth-del.patch
@ -37,7 +37,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
 #include "virstring.h"
 #include "viraccessapicheck.h"
 #include "viraccessapichecklxc.h"
-@@ -3546,6 +3547,7 @@ lxcDomainAttachDeviceNetLive(virLXCDrive
+@@ -3549,6 +3550,7 @@ lxcDomainAttachDeviceNetLive(virLXCDrive
         case VIR_DOMAIN_NET_TYPE_NETWORK:
         case VIR_DOMAIN_NET_TYPE_ETHERNET:
             ignore_value(virNetDevVethDelete(veth));
@ -45,7 +45,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
             break;
 
         case VIR_DOMAIN_NET_TYPE_DIRECT:
-@@ -3985,6 +3987,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb
+@@ -3988,6 +3990,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb
             virDomainAuditNet(vm, detach, NULL, "detach", false);
             goto cleanup;
         }