Accepting request 527593 from Virtualization

1 OBS-URL: https://build.opensuse.org/request/show/527593 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libvirt?expand=0&rev=235
2017-09-25 11:53:47 +00:00 · 2017-09-25 11:53:47 +00:00 · e434985d78
commit e434985d78
parent 3279228479 c7c43f64ec
5 changed files with 103 additions and 3 deletions
--- a/apparmor-no-mount.patch
+++ b/apparmor-no-mount.patch
@ -2,12 +2,15 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-lxc
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/libvirt-lxc
 +++ libvirt-3.7.0/examples/apparmor/libvirt-lxc
-@@ -2,39 +2,15 @@
+@@ -2,42 +2,19 @@
 
   #include <abstractions/base>
 
 -  umount,
-
+   dbus,
+   signal,
+   ptrace,
+ 
 -  # ignore DENIED message on / remount
 -  deny mount options=(ro, remount) -> /,
 -
--- a/apparmor-ptrace-support.patch
+++ b/apparmor-ptrace-support.patch
@ -0,0 +1,88 @@
+commit e3bb609812776b30acfc0349b25b2e4d539c45c2
+Author: Jim Fehlig <jfehlig@suse.com>
+Date:   Mon Sep 18 13:41:26 2017 -0600
+
+    apparmor: support ptrace checks
+    
+    Kernel 4.13 introduced finer-grained ptrace checks
+    
+    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
+    
+    When Apparmor is enabled and libvirtd is confined, attempting to start
+    a domain fails
+    
+    virsh start test
+    error: Failed to start domain test
+    error: internal error: child reported: Kernel does not provide mount
+           namespace: Permission denied
+    
+    The audit log contains
+    
+    type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
+    operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
+    comm="libvirtd" requested_mask="trace" denied_mask="trace"
+    peer="/usr/sbin/libvirtd"
+    
+    It was also noticed that simply connecting to libvirtd (e.g. virsh list)
+    resulted in the following entries in the audit log
+    
+    type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
+    operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
+    comm="libvirtd" requested_mask="trace" denied_mask="trace"
+    peer="unconfined"
+    type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
+    operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
+    comm="libvirtd" requested_mask="trace" denied_mask="trace"
+    peer="unconfined"
+    
+    Both Apparmor denials can be fixed by supporting ptrace in the
+    libvirtd, qemu, and lxc profiles. While at it, also add support
+    for dbus, signal, and unix.
+    
+    Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
+
+diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
+index 4bfb503aa..0db137de0 100644
+--- a/examples/apparmor/libvirt-lxc
+++ b/examples/apparmor/libvirt-lxc
+@@ -3,6 +3,9 @@
+   #include <abstractions/base>
+ 
+   umount,
+  dbus,
+  signal,
+  ptrace,
+ 
+   # ignore DENIED message on / remount
+   deny mount options=(ro, remount) -> /,
+diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+index dcfb1a598..6a4a2335a 100644
+--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
+@@ -170,6 +170,9 @@
+   @{PROC}/device-tree/** r,
+   /sys/firmware/devicetree/** r,
+ 
+  signal (receive) peer=/usr/sbin/libvirtd,
+  ptrace (tracedby) peer=/usr/sbin/libvirtd,
+
+   # for gathering information about available host resources
+   /sys/devices/system/cpu/ r,
+   /sys/devices/system/node/ r,
+diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
+index acb59e071..9aadba411 100644
+--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
+@@ -36,6 +36,12 @@
+   network inet6 dgram,
+   network packet dgram,
+   network packet raw,
+  network netlink,
+
+  dbus bus=system,
+  signal,
+  ptrace,
+  unix,
+ 
+   # Very lenient profile for libvirtd since we want to first focus on confining
+   # the guests. Guests will have a very restricted profile.
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Sep 20 16:28:46 UTC 2017 - jfehlig@suse.com
+
+- apparmor: add temporary profile fixes to allow starting domains
+  apparmor-ptrace-support.patch
+  bsc#1058847
+
 -------------------------------------------------------------------
 Fri Sep 15 17:29:55 UTC 2017 - jfehlig@suse.com

--- a/libvirt.spec
+++ b/libvirt.spec
@ -310,6 +310,7 @@ Patch2:         a0b62843-epyc-cpu-model.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
+Patch102:       apparmor-ptrace-support.patch
 # Need to go upstream
 Patch150:       xen-pv-cdrom.patch
 Patch151:       blockcopy-check-dst-identical-device.patch
@ -877,6 +878,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch2 -p1
 %patch100 -p1
 %patch101 -p1
+%patch102 -p1
 %patch150 -p1
 %patch151 -p1
 %patch152 -p1
--- a/qemu-apparmor-screenshot.patch
+++ b/qemu-apparmor-screenshot.patch
@ -2,7 +2,7 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu
 ===================================================================
 --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu
 +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu
-@@ -178,3 +178,6 @@
+@@ -181,3 +181,6 @@
   /sys/devices/system/node/ r,
   /sys/devices/system/node/node[0-9]*/meminfo r,
   /sys/module/vhost/parameters/max_mem_regions r,