Accepting request 532350 from home:jfehlig:branches:Virtualization
Incremental update of the libvirt package to fix bsc#1060860. - apparmor: add dnsmasq ptrace rule to libvirtd profile c44b29aa-apparmor-dnsmasq-ptrace.patch bsc#1060860 OBS-URL: https://build.opensuse.org/request/show/532350 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=627
This commit is contained in:
parent
5f197ada50
commit
de19f2680c
60
c44b29aa-apparmor-dnsmasq-ptrace.patch
Normal file
60
c44b29aa-apparmor-dnsmasq-ptrace.patch
Normal file
@ -0,0 +1,60 @@
|
||||
commit c44b29aacb6a3f445ab06d61899a0308b9d6d0d3
|
||||
Author: Jim Fehlig <jfehlig@suse.com>
|
||||
Date: Fri Oct 6 14:20:36 2017 -0600
|
||||
|
||||
apparmor: add dnsmasq ptrace rule to libvirtd profile
|
||||
|
||||
Commit b482925c added ptrace rule for the apparmor profiles,
|
||||
but one was missed in the libvirtd profile for dnsmasq. It was
|
||||
overlooked since the test machine did not have an active libvirt
|
||||
network requiring dnsmasq that was also set to autostart. With
|
||||
one active and set to autostart, the following denial is observed
|
||||
in audit.log when restarting libvirtd
|
||||
|
||||
type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
|
||||
operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
|
||||
comm="libvirtd" requested_mask="trace" denied_mask="trace" \
|
||||
peer="/usr/sbin/dnsmasq"
|
||||
|
||||
With an active network, I suspect a libvirtd restart causes access
|
||||
to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
|
||||
side affect of the denial, libvirtd thinks it needs to spawn a
|
||||
dnsmasq process even though one is already running for the network.
|
||||
E.g. after two libvirtd restarts
|
||||
|
||||
dnsmasq 1683 0.0 0.0 51188 2612 ? S 12:03 0:00 \
|
||||
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
||||
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
||||
root 1684 0.0 0.0 51160 576 ? S 12:03 0:00 \
|
||||
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
||||
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
||||
dnsmasq 4706 0.0 0.0 51188 2572 ? S 13:54 0:00 \
|
||||
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
||||
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
||||
root 4707 0.0 0.0 51160 572 ? S 13:54 0:00 \
|
||||
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
||||
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
||||
dnsmasq 4791 0.0 0.0 51188 2580 ? S 13:56 0:00 \
|
||||
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
||||
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
||||
root 4792 0.0 0.0 51160 572 ? S 13:56 0:00 \
|
||||
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
||||
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
||||
|
||||
A simple fix is to add a ptrace rule for dnsmasq.
|
||||
|
||||
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
|
||||
Reviewed-By: Guido Günther <agx@sigxcpu.org>
|
||||
|
||||
Index: libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd
|
||||
===================================================================
|
||||
--- libvirt-3.8.0.orig/examples/apparmor/usr.sbin.libvirtd
|
||||
+++ libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd
|
||||
@@ -39,6 +39,7 @@
|
||||
|
||||
ptrace (trace) peer=unconfined,
|
||||
ptrace (trace) peer=/usr/sbin/libvirtd,
|
||||
+ ptrace (trace) peer=/usr/sbin/dnsmasq,
|
||||
ptrace (trace) peer=libvirt-*,
|
||||
|
||||
# Very lenient profile for libvirtd since we want to first focus on confining
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 6 22:46:12 UTC 2017 - jfehlig@suse.com
|
||||
|
||||
- apparmor: add dnsmasq ptrace rule to libvirtd profile
|
||||
c44b29aa-apparmor-dnsmasq-ptrace.patch
|
||||
bsc#1060860
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 5 15:19:24 UTC 2017 - jfehlig@suse.com
|
||||
|
||||
|
@ -309,6 +309,7 @@ Source4: libvirt-supportconfig
|
||||
Source99: baselibs.conf
|
||||
Source100: %{name}-rpmlintrc
|
||||
# Upstream patches
|
||||
Patch0: c44b29aa-apparmor-dnsmasq-ptrace.patch
|
||||
# Patches pending upstream review
|
||||
Patch100: libxl-dom-reset.patch
|
||||
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
|
||||
@ -882,6 +883,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch100 -p1
|
||||
%patch101 -p1
|
||||
%patch150 -p1
|
||||
|
Loading…
Reference in New Issue
Block a user