From c7c43f64ec8ae9fccbfe7e90ed440beeb2b1a60cb335afc06cfa10eb9a930294 Mon Sep 17 00:00:00 2001
From: James Fehlig
Date: Wed, 20 Sep 2017 17:19:37 +0000
Subject: [PATCH] Accepting request 527592 from home:jfehlig:branches:Virtualization
Temporary fix for bsc#1058847, based on upstream patch under review.
- apparmor: add temporary profile fixes to allow starting domains
  apparmor-ptrace-support.patch
  bsc#1058847
OBS-URL: https://build.opensuse.org/request/show/527592
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=622
---
 apparmor-no-mount.patch | 7 ++-
 apparmor-ptrace-support.patch | 88 ++++++++++++++++++++++++++++++++++
 libvirt.changes | 7 +++
 libvirt.spec | 2 +
 qemu-apparmor-screenshot.patch | 2 +-
 5 files changed, 103 insertions(+), 3 deletions(-)
 create mode 100644 apparmor-ptrace-support.patch
diff --git a/apparmor-no-mount.patch b/apparmor-no-mount.patch
index 5614ea4..67e03d6 100644
--- a/apparmor-no-mount.patch
+++ b/apparmor-no-mount.patch
@@ -2,12 +2,15 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-lxc
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/libvirt-lxc
 +++ libvirt-3.7.0/examples/apparmor/libvirt-lxc
-@@ -2,39 +2,15 @@
+@@ -2,42 +2,19 @@
 #include
 - umount,
--
+ dbus,
+ signal,
+ ptrace,
+
 - # ignore DENIED message on / remount
 - deny mount options=(ro, remount) -> /,
 -
diff --git a/apparmor-ptrace-support.patch b/apparmor-ptrace-support.patch
new file mode 100644
index 0000000..6e8a3bf
--- /dev/null
+++ b/apparmor-ptrace-support.patch
@@ -0,0 +1,88 @@
+commit e3bb609812776b30acfc0349b25b2e4d539c45c2
+Author: Jim Fehlig
+Date: Mon Sep 18 13:41:26 2017 -0600
+
+ apparmor: support ptrace checks
+
+ Kernel 4.13 introduced finer-grained ptrace checks
+
+ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
+
+ When Apparmor is enabled and libvirtd is confined, attempting to start
+ a domain fails
+
+ virsh start test
+ error: Failed to start domain test
+ error: internal error: child reported: Kernel does not provide mount
+ namespace: Permission denied
+
+ The audit log contains
+
+ type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
+ operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
+ comm="libvirtd" requested_mask="trace" denied_mask="trace"
+ peer="/usr/sbin/libvirtd"
+
+ It was also noticed that simply connecting to libvirtd (e.g. virsh list)
+ resulted in the following entries in the audit log
+
+ type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
+ operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
+ comm="libvirtd" requested_mask="trace" denied_mask="trace"
+ peer="unconfined"
+ type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
+ operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
+ comm="libvirtd" requested_mask="trace" denied_mask="trace"
+ peer="unconfined"
+
+ Both Apparmor denials can be fixed by supporting ptrace in the
+ libvirtd, qemu, and lxc profiles. While at it, also add support
+ for dbus, signal, and unix.
+
+ Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
+
+diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
+index 4bfb503aa..0db137de0 100644
+--- a/examples/apparmor/libvirt-lxc
++++ b/examples/apparmor/libvirt-lxc
+@@ -3,6 +3,9 @@
+ #include
+
+ umount,
++ dbus,
++ signal,
++ ptrace,
+
+ # ignore DENIED message on / remount
+ deny mount options=(ro, remount) -> /,
+diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+index dcfb1a598..6a4a2335a 100644
+--- a/examples/apparmor/libvirt-qemu
++++ b/examples/apparmor/libvirt-qemu
+@@ -170,6 +170,9 @@
+ @{PROC}/device-tree/** r,
+ /sys/firmware/devicetree/** r,
+
++ signal (receive) peer=/usr/sbin/libvirtd,
++ ptrace (tracedby) peer=/usr/sbin/libvirtd,
++
+ # for gathering information about available host resources
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index acb59e071..9aadba411 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
++++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -36,6 +36,12 @@
+ network inet6 dgram,
+ network packet dgram,
+ network packet raw,
++ network netlink,
++
++ dbus bus=system,
++ signal,
++ ptrace,
++ unix,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
diff --git a/libvirt.changes b/libvirt.changes
index 04da877..40d8206 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Sep 20 16:28:46 UTC 2017 - jfehlig@suse.com
+
+- apparmor: add temporary profile fixes to allow starting domains
+ apparmor-ptrace-support.patch
+ bsc#1058847
+
 -------------------------------------------------------------------
 Fri Sep 15 17:29:55 UTC 2017 - jfehlig@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index 61b919b..1423d11 100644
--- a/libvirt.spec
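Review bot: In the `examples/apparmor/libvirt-lxc` part of the new apparmor-ptrace-support.patch the added rules `dbus,`, `signal,` and `ptrace,` carry no access mode or peer, while the `libvirt-qemu` part of the same patch scopes the equivalent rules to `signal (receive) peer=/usr/sbin/libvirtd,` and `ptrace (tracedby) peer=/usr/sbin/libvirtd,`. The audit entries quoted in the commit message show libvirtd as the only tracer, so the container template most likely needs only to be traced and signalled by libvirtd, i.e. the `tracedby`/`receive` forms used in the qemu profile; as written, a container's own profile also permits it to trace and signal other peers, leaving only the peer's profile or DAC to refuse. The unqualified `ptrace,` and `unix,` added to `usr.sbin.libvirtd` are likewise wider than the two denials shown (`requested_mask="trace"` with peer `/usr/sbin/libvirtd` or `unconfined`), although that profile already describes itself as very lenient. Since the commit description calls this a temporary fix pending upstream review, a marker such as `# TODO(bsc#1058847): narrow to the modes/peers seen in the audit log once the upstream rules settle` beside the new rules in each profile would keep the broadening visible rather than letting it become permanent by default.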
+++ b/libvirt.spec
@@ -310,6 +310,7 @@ Patch2: a0b62843-epyc-cpu-model.patch
 # Patches pending upstream review
 Patch100: libxl-dom-reset.patch
 Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
+Patch102: apparmor-ptrace-support.patch
 # Need to go upstream
 Patch150: xen-pv-cdrom.patch
 Patch151: blockcopy-check-dst-identical-device.patch
@@ -877,6 +878,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch2 -p1
 %patch100 -p1
 %patch101 -p1
+%patch102 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1
diff --git a/qemu-apparmor-screenshot.patch b/qemu-apparmor-screenshot.patch
index 20a9b1b..83c9272 100644
--- a/qemu-apparmor-screenshot.patch
+++ b/qemu-apparmor-screenshot.patch
@@ -2,7 +2,7 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu
-@@ -178,3 +178,6 @@
+@@ -181,3 +181,6 @@
 /sys/devices/system/node/ r,
 /sys/devices/system/node/node[0-9]*/meminfo r,
 /sys/module/vhost/parameters/max_mem_regions r,