Accepting request 532350 from home:jfehlig:branches:Virtualization

Incremental update of the libvirt package to fix bsc#1060860.

- apparmor: add dnsmasq ptrace rule to libvirtd profile
  c44b29aa-apparmor-dnsmasq-ptrace.patch
  bsc#1060860

OBS-URL: https://build.opensuse.org/request/show/532350
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=627
James Fehlig 2017-10-06 23:21:18 +00:00 committed by Git OBS Bridge
parent 5f197ada50
commit de19f2680c
3 changed files with 69 additions and 0 deletions


@ -0,0 +1,60 @@
commit c44b29aacb6a3f445ab06d61899a0308b9d6d0d3
Author: Jim Fehlig <jfehlig@suse.com>
Date: Fri Oct 6 14:20:36 2017 -0600
apparmor: add dnsmasq ptrace rule to libvirtd profile
Commit b482925c added ptrace rule for the apparmor profiles,
but one was missed in the libvirtd profile for dnsmasq. It was
overlooked since the test machine did not have an active libvirt
network requiring dnsmasq that was also set to autostart. With
one active and set to autostart, the following denial is observed
in audit.log when restarting libvirtd
type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
comm="libvirtd" requested_mask="trace" denied_mask="trace" \
peer="/usr/sbin/dnsmasq"
With an active network, I suspect a libvirtd restart causes access
to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
side affect of the denial, libvirtd thinks it needs to spawn a
dnsmasq process even though one is already running for the network.
E.g. after two libvirtd restarts
dnsmasq 1683 0.0 0.0 51188 2612 ? S 12:03 0:00 \
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root 1684 0.0 0.0 51160 576 ? S 12:03 0:00 \
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
dnsmasq 4706 0.0 0.0 51188 2572 ? S 13:54 0:00 \
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root 4707 0.0 0.0 51160 572 ? S 13:54 0:00 \
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
dnsmasq 4791 0.0 0.0 51188 2580 ? S 13:56 0:00 \
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root 4792 0.0 0.0 51160 572 ? S 13:56 0:00 \
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
A simple fix is to add a ptrace rule for dnsmasq.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-By: Guido Günther <agx@sigxcpu.org>
Index: libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-3.8.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd
@@ -39,6 +39,7 @@
ptrace (trace) peer=unconfined,
ptrace (trace) peer=/usr/sbin/libvirtd,
+ ptrace (trace) peer=/usr/sbin/dnsmasq,
ptrace (trace) peer=libvirt-*,
# Very lenient profile for libvirtd since we want to first focus on confining
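Review bot: the new `ptrace (trace) peer=/usr/sbin/dnsmasq,` rule in usr.sbin.libvirtd matches the quoted audit line exactly (requested_mask="trace", peer="/usr/sbin/dnsmasq"), so it is the narrowest rule that clears this denial, but the trigger is given only as a suspicion ("I suspect a libvirtd restart causes access to /proc/<dnsmasq-pid>/*"). It would help future profile maintainers to confirm which access libvirtd performs on the running dnsmasq pid and record it in the message, since a ptrace rule is exactly where a later reviewer will ask why the daemon needs to trace that peer. The message could also state plainly that the denial was not merely a log entry: each libvirtd restart spawned another dnsmasq pair for the same network (pids 1683/1684, 4706/4707, 4791/4792 in the ps output), which is the user-visible bug the rule fixes.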


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Oct 6 22:46:12 UTC 2017 - jfehlig@suse.com
- apparmor: add dnsmasq ptrace rule to libvirtd profile
c44b29aa-apparmor-dnsmasq-ptrace.patch
bsc#1060860
-------------------------------------------------------------------
Thu Oct 5 15:19:24 UTC 2017 - jfehlig@suse.com
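Review bot: the new changes entry repeats only the patch subject, file name and bsc number; one clause on the user-visible symptom (duplicate dnsmasq processes spawned for an autostarted network on every libvirtd restart) would let users reading the changelog match the fix to what they observed. The layout, with the patch file name and bug reference on their own indented lines, follows the existing entries.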


@ -309,6 +309,7 @@ Source4: libvirt-supportconfig
Source99: baselibs.conf
Source100: %{name}-rpmlintrc
# Upstream patches
Patch0: c44b29aa-apparmor-dnsmasq-ptrace.patch
# Patches pending upstream review
Patch100: libxl-dom-reset.patch
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
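Review bot: `Patch0: c44b29aa-apparmor-dnsmasq-ptrace.patch` sits under the `# Upstream patches` comment and uses the upstream commit id as the file name prefix, which keeps it distinguishable from the `Patch100`+ patches still pending upstream review; with the upstream range starting at 0 here, later backports should continue as Patch1, Patch2, ... rather than drifting into the 100+ range, so the two sections keep their meaning.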
@ -882,6 +883,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
%prep
%setup -q
%patch0 -p1
%patch100 -p1
%patch101 -p1
%patch150 -p1
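Review bot: `%patch0 -p1` is applied ahead of `%patch100` in `%prep`, preserving upstream-first ordering, and `-p1` matches the `libvirt-3.8.0/` path prefix in the patch's `---`/`+++` headers (`Index: libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd`). Note that the patch file carries a git commit header (commit, Author, Date, message) before the `Index:` line; GNU patch skips such leading text before the first file header, so this applies cleanly, but the Patch0 entry and this `%patch0` line must be kept in step if the patch is ever renumbered.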