Accepting request 527592 from home:jfehlig:branches:Virtualization

Temporary fix for bsc#1058847, based on upstream patch under review.

- apparmor: add temporary profile fixes to allow starting domains
  apparmor-ptrace-support.patch
  bsc#1058847

OBS-URL: https://build.opensuse.org/request/show/527592
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=622
James Fehlig 2017-09-20 17:19:37 +00:00 committed by Git OBS Bridge
parent f46b5b7971
commit c7c43f64ec
5 changed files with 103 additions and 3 deletions


@ -2,12 +2,15 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-lxc
=================================================================== ===================================================================
--- libvirt-3.7.0.orig/examples/apparmor/libvirt-lxc --- libvirt-3.7.0.orig/examples/apparmor/libvirt-lxc
+++ libvirt-3.7.0/examples/apparmor/libvirt-lxc +++ libvirt-3.7.0/examples/apparmor/libvirt-lxc
@@ -2,39 +2,15 @@ @@ -2,42 +2,19 @@
#include <abstractions/base> #include <abstractions/base>
- umount, - umount,
- dbus,
signal,
ptrace,
- # ignore DENIED message on / remount - # ignore DENIED message on / remount
- deny mount options=(ro, remount) -> /, - deny mount options=(ro, remount) -> /,
- -
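Review bot: the rebased libvirt-lxc hunk now touches `dbus,` together with `signal,` and `ptrace,`, the three rules that apparmor-ptrace-support.patch adds to the LXC profile, and the inner hunk header only moves from `-2,39 +2,15` to `-2,42 +2,19`, but neither this hunk nor the changes entry says why the SUSE LXC profile should end up with a different set of those three rules than the upstream-bound patch installs. Put one line in the patch header (or the changes entry) stating which of `dbus,`, `signal,` and `ptrace,` are intentionally kept or dropped for LXC, so the two patches do not disagree silently the next time either one is rebased.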


@ -0,0 +1,88 @@
commit e3bb609812776b30acfc0349b25b2e4d539c45c2
Author: Jim Fehlig <jfehlig@suse.com>
Date:   Mon Sep 18 13:41:26 2017 -0600

    apparmor: support ptrace checks

    Kernel 4.13 introduced finer-grained ptrace checks

    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07

    When Apparmor is enabled and libvirtd is confined, attempting to start
    a domain fails

      virsh start test
      error: Failed to start domain test
      error: internal error: child reported: Kernel does not provide mount
      namespace: Permission denied

    The audit log contains

      type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
      operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
      comm="libvirtd" requested_mask="trace" denied_mask="trace"
      peer="/usr/sbin/libvirtd"

    It was also noticed that simply connecting to libvirtd (e.g. virsh list)
    resulted in the following entries in the audit log

      type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
      operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
      comm="libvirtd" requested_mask="trace" denied_mask="trace"
      peer="unconfined"
      type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
      operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
      comm="libvirtd" requested_mask="trace" denied_mask="trace"
      peer="unconfined"

    Both Apparmor denials can be fixed by supporting ptrace in the
    libvirtd, qemu, and lxc profiles. While at it, also add support
    for dbus, signal, and unix.

    Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
index 4bfb503aa..0db137de0 100644
--- a/examples/apparmor/libvirt-lxc
+++ b/examples/apparmor/libvirt-lxc
@@ -3,6 +3,9 @@
#include <abstractions/base>
umount,
+ dbus,
+ signal,
+ ptrace,
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
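Review bot: the three rules added to libvirt-lxc are unqualified, so every process inside a confined container may ptrace and signal any peer and talk to any D-Bus bus, while the libvirt-qemu hunk in this same patch scopes the equivalent rules to `signal (receive) peer=/usr/sbin/libvirtd,` and `ptrace (tracedby) peer=/usr/sbin/libvirtd,`. The denial quoted in the commit message has libvirtd as the tracing peer, so those two scoped lines are what the start failure needs; use the same form here and only keep an unscoped `dbus,` if a container start actually produces a dbus denial that the patch header can cite.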
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index dcfb1a598..6a4a2335a 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -170,6 +170,9 @@
@{PROC}/device-tree/** r,
/sys/firmware/devicetree/** r,
+ signal (receive) peer=/usr/sbin/libvirtd,
+ ptrace (tracedby) peer=/usr/sbin/libvirtd,
+
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
/sys/devices/system/node/ r,
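Review bot: `ptrace (tracedby)` only grants the `trace` mode that the quoted denials request; the finer-grained 4.13 checks also mediate PTRACE_MODE_READ style accesses (reads of another task's /proc entries), which AppArmor logs as requested_mask="read" and which would need `ptrace (readby) peer=/usr/sbin/libvirtd,` in this profile. Before treating bsc#1058847 as closed, run a domain start and a few `virsh` queries against a running guest with the patch applied and confirm the audit log shows no further operation="ptrace" denials against the guest profile with requested_mask="read".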
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index acb59e071..9aadba411 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -36,6 +36,12 @@
network inet6 dgram,
network packet dgram,
network packet raw,
+ network netlink,
+
+ dbus bus=system,
+ signal,
+ ptrace,
+ unix,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
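Review bot: `ptrace,`, `signal,` and `unix,` are added with no peer or mode, so libvirtd may trace and signal every process on the host rather than only itself, its unconfined clients and its guests; the two quoted denials would be satisfied by `ptrace (trace) peer=/usr/sbin/libvirtd,` and `ptrace (trace) peer=unconfined,`, plus a matching `ptrace (trace)` rule toward the guest profiles, which this patch gives `tracedby peer=/usr/sbin/libvirtd`. The comment right below does declare the profile lenient, so if the wide rules are deliberate, say so in the patch header. Separately, `network netlink,` is not mentioned in the commit message and no netlink denial is quoted; either document what needs it or leave it out of a patch that is going upstream as a ptrace fix.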


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Sep 20 16:28:46 UTC 2017 - jfehlig@suse.com
- apparmor: add temporary profile fixes to allow starting domains
apparmor-ptrace-support.patch
bsc#1058847
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Sep 15 17:29:55 UTC 2017 - jfehlig@suse.com Fri Sep 15 17:29:55 UTC 2017 - jfehlig@suse.com


@ -310,6 +310,7 @@ Patch2: a0b62843-epyc-cpu-model.patch
# Patches pending upstream review # Patches pending upstream review
Patch100: libxl-dom-reset.patch Patch100: libxl-dom-reset.patch
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
Patch102: apparmor-ptrace-support.patch
# Need to go upstream # Need to go upstream
Patch150: xen-pv-cdrom.patch Patch150: xen-pv-cdrom.patch
Patch151: blockcopy-check-dst-identical-device.patch Patch151: blockcopy-check-dst-identical-device.patch
@ -877,6 +878,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
%patch2 -p1 %patch2 -p1
%patch100 -p1 %patch100 -p1
%patch101 -p1 %patch101 -p1
%patch102 -p1
%patch150 -p1 %patch150 -p1
%patch151 -p1 %patch151 -p1
%patch152 -p1 %patch152 -p1


@ -2,7 +2,7 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu
=================================================================== ===================================================================
--- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu
+++ libvirt-3.7.0/examples/apparmor/libvirt-qemu +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu
@@ -178,3 +178,6 @@ @@ -181,3 +181,6 @@
/sys/devices/system/node/ r, /sys/devices/system/node/ r,
/sys/devices/system/node/node[0-9]*/meminfo r, /sys/devices/system/node/node[0-9]*/meminfo r,
/sys/module/vhost/parameters/max_mem_regions r, /sys/module/vhost/parameters/max_mem_regions r,