pool/libvirt
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e59cfa4e50
libvirt/b482925c-apparmor-ptrace-support.patch
James Fehlig 51341f04c9 Accepting request 528889 from home:jfehlig:branches:Virtualization 
Fix various apparmor issues.

- apparmor: Add rules for kernel 4.13 ptrace checks
  b482925c-apparmor-ptrace-support.patch
  Drop temporary workaround apparmor-ptrace-support.patch
  bsc#1058847
- apparmor: Add rules for denial encountered when starting
  confined domains
  f305d8a1-apparmor-attach_disconnected.patch,
  suse-apparmor-libnl-paths.patch
  Drop old, useless, undocumented apparmor-fixes.patch

OBS-URL: https://build.opensuse.org/request/show/528889
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=624
2017-09-27 02:43:07 +00:00

62 lines
2.5 KiB
Diff
Raw Blame History

commit b482925c2277e906542faea52ef587a5c0aa1f5f
Author: Jim Fehlig <jfehlig@suse.com>
Date: Fri Sep 22 17:02:42 2017 -0600
apparmor: support ptrace checks
Kernel 4.13 introduced finer-grained ptrace checks
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
With kernel 4.13 and apparmor 2.11, simply starting libvirtd
results in the following apparmor denial
type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"
Attempting to start an unconfined domain results in
type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="/usr/sbin/libvirtd"
And attempting to start a confined domain results in
type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
Add ptrace rules to allow the trace operations.
Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Guido Günther <agx@sigxcpu.org>
Index: libvirt-3.7.0/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-3.7.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-3.7.0/examples/apparmor/usr.sbin.libvirtd
@@ -37,6 +37,10 @@
network packet dgram,
network packet raw,
+ ptrace (trace) peer=unconfined,
+ ptrace (trace) peer=/usr/sbin/libvirtd,
+ ptrace (trace) peer=libvirt-*,
+
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
Reference in New Issue View Git Blame Copy Permalink