diff --git a/apparmor-fixes.patch b/apparmor-fixes.patch deleted file mode 100644 index 2f364a8..0000000 --- a/apparmor-fixes.patch +++ /dev/null @@ -1,14 +0,0 @@ -Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu -=================================================================== ---- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu -+++ libvirt-3.7.0/examples/apparmor/libvirt-qemu -@@ -156,6 +156,9 @@ - # for restore - /{usr/,}bin/bash rmix, - -+ /run/nscd/passwd r, -+ /run/nscd/group r, -+ - # for usb access - /dev/bus/usb/ r, - /etc/udev/udev.conf r, diff --git a/apparmor-no-mount.patch b/apparmor-no-mount.patch index 67e03d6..5614ea4 100644 --- a/apparmor-no-mount.patch +++ b/apparmor-no-mount.patch @@ -2,15 +2,12 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-lxc =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/libvirt-lxc +++ libvirt-3.7.0/examples/apparmor/libvirt-lxc -@@ -2,42 +2,19 @@ +@@ -2,39 +2,15 @@ #include - umount, - dbus, - signal, - ptrace, - +- - # ignore DENIED message on / remount - deny mount options=(ro, remount) -> /, - diff --git a/apparmor-ptrace-support.patch b/apparmor-ptrace-support.patch deleted file mode 100644 index 6e8a3bf..0000000 --- a/apparmor-ptrace-support.patch +++ /dev/null @@ -1,88 +0,0 @@ -commit e3bb609812776b30acfc0349b25b2e4d539c45c2 -Author: Jim Fehlig -Date: Mon Sep 18 13:41:26 2017 -0600 - - apparmor: support ptrace checks - - Kernel 4.13 introduced finer-grained ptrace checks - - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 - - When Apparmor is enabled and libvirtd is confined, attempting to start - a domain fails - - virsh start test - error: Failed to start domain test - error: internal error: child reported: Kernel does not provide mount - namespace: Permission denied - - The audit log contains - - type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" - operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621 - comm="libvirtd" requested_mask="trace" denied_mask="trace" - peer="/usr/sbin/libvirtd" - - It was also noticed that simply connecting to libvirtd (e.g. virsh list) - resulted in the following entries in the audit log - - type=AVC msg=audit(1505755799.975:65): apparmor="DENIED" - operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 - comm="libvirtd" requested_mask="trace" denied_mask="trace" - peer="unconfined" - type=AVC msg=audit(1505755799.976:66): apparmor="DENIED" - operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 - comm="libvirtd" requested_mask="trace" denied_mask="trace" - peer="unconfined" - - Both Apparmor denials can be fixed by supporting ptrace in the - libvirtd, qemu, and lxc profiles. While at it, also add support - for dbus, signal, and unix. - - Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847 - -diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc -index 4bfb503aa..0db137de0 100644 ---- a/examples/apparmor/libvirt-lxc -+++ b/examples/apparmor/libvirt-lxc -@@ -3,6 +3,9 @@ - #include - - umount, -+ dbus, -+ signal, -+ ptrace, - - # ignore DENIED message on / remount - deny mount options=(ro, remount) -> /, -diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu -index dcfb1a598..6a4a2335a 100644 ---- a/examples/apparmor/libvirt-qemu -+++ b/examples/apparmor/libvirt-qemu -@@ -170,6 +170,9 @@ - @{PROC}/device-tree/** r, - /sys/firmware/devicetree/** r, - -+ signal (receive) peer=/usr/sbin/libvirtd, -+ ptrace (tracedby) peer=/usr/sbin/libvirtd, -+ - # for gathering information about available host resources - /sys/devices/system/cpu/ r, - /sys/devices/system/node/ r, -diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd -index acb59e071..9aadba411 100644 ---- a/examples/apparmor/usr.sbin.libvirtd -+++ b/examples/apparmor/usr.sbin.libvirtd -@@ -36,6 +36,12 @@ - network inet6 dgram, - network packet dgram, - network packet raw, -+ network netlink, -+ -+ dbus bus=system, -+ signal, -+ ptrace, -+ unix, - - # Very lenient profile for libvirtd since we want to first focus on confining - # the guests. Guests will have a very restricted profile. diff --git a/b482925c-apparmor-ptrace-support.patch b/b482925c-apparmor-ptrace-support.patch new file mode 100644 index 0000000..6a1c851 --- /dev/null +++ b/b482925c-apparmor-ptrace-support.patch @@ -0,0 +1,61 @@ +commit b482925c2277e906542faea52ef587a5c0aa1f5f +Author: Jim Fehlig +Date: Fri Sep 22 17:02:42 2017 -0600 + + apparmor: support ptrace checks + + Kernel 4.13 introduced finer-grained ptrace checks + + https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 + + With kernel 4.13 and apparmor 2.11, simply starting libvirtd + results in the following apparmor denial + + type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" + operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 + comm="libvirtd" requested_mask="trace" denied_mask="trace" + peer="unconfined" + + Attempting to start an unconfined domain results in + + type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" + operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 + comm="libvirtd" requested_mask="trace" denied_mask="trace" + peer="/usr/sbin/libvirtd" + + And attempting to start a confined domain results in + + type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" + operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" + pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" + fsuid=0 ouid=0 + type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" + operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" + pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r" + fsuid=0 ouid=0 + type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" + operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 + comm="libvirtd" requested_mask="trace" denied_mask="trace" + peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" + + Add ptrace rules to allow the trace operations. + + Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847 + Signed-off-by: Jim Fehlig + Reviewed-by: Guido Günther + +Index: libvirt-3.7.0/examples/apparmor/usr.sbin.libvirtd +=================================================================== +--- libvirt-3.7.0.orig/examples/apparmor/usr.sbin.libvirtd ++++ libvirt-3.7.0/examples/apparmor/usr.sbin.libvirtd +@@ -37,6 +37,10 @@ + network packet dgram, + network packet raw, + ++ ptrace (trace) peer=unconfined, ++ ptrace (trace) peer=/usr/sbin/libvirtd, ++ ptrace (trace) peer=libvirt-*, ++ + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + / r, diff --git a/f305d8a1-apparmor-attach_disconnected.patch b/f305d8a1-apparmor-attach_disconnected.patch new file mode 100644 index 0000000..3609878 --- /dev/null +++ b/f305d8a1-apparmor-attach_disconnected.patch @@ -0,0 +1,39 @@ +commit f305d8a191941d1ea6e036ae9fc02a3164b3e746 +Author: Guido Günther +Date: Fri Sep 15 17:13:16 2017 +0200 + + apparmor: add attach_disconnected + + Otherwise we fail to reconnect to /dev/net/tun opened by libvirtd + like + + [ 8144.507756] audit: type=1400 audit(1505488162.386:38069121): apparmor="DENIED" operation="file_perm" info="Failed name lookup - disconnected path" error=-13 profile="libvirt-5dfcc8a7-b79a-4fa9-a41f-f6271651934c" name="dev/net/tun" pid=9607 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=117 ouid=0 + + Reviewed-By: Jamie Strandboge + Acked-By: Michal Privoznik + +Index: libvirt-3.7.0/examples/apparmor/TEMPLATE.lxc +=================================================================== +--- libvirt-3.7.0.orig/examples/apparmor/TEMPLATE.lxc ++++ libvirt-3.7.0/examples/apparmor/TEMPLATE.lxc +@@ -4,7 +4,7 @@ + + #include + +-profile LIBVIRT_TEMPLATE { ++profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { + #include + + # Globally allows everything to run under this profile +Index: libvirt-3.7.0/examples/apparmor/TEMPLATE.qemu +=================================================================== +--- libvirt-3.7.0.orig/examples/apparmor/TEMPLATE.qemu ++++ libvirt-3.7.0/examples/apparmor/TEMPLATE.qemu +@@ -4,6 +4,6 @@ + + #include + +-profile LIBVIRT_TEMPLATE { ++profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { + #include + } diff --git a/libvirt.changes b/libvirt.changes index 40d8206..e6d742c 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Tue Sep 26 22:38:42 UTC 2017 - jfehlig@suse.com + +- apparmor: Add rules for kernel 4.13 ptrace checks + b482925c-apparmor-ptrace-support.patch + Drop temporary workaround apparmor-ptrace-support.patch + bsc#1058847 +- apparmor: Add rules for denial encountered when starting + confined domains + f305d8a1-apparmor-attach_disconnected.patch, + suse-apparmor-libnl-paths.patch + Drop old, useless, undocumented apparmor-fixes.patch + ------------------------------------------------------------------- Wed Sep 20 16:28:46 UTC 2017 - jfehlig@suse.com diff --git a/libvirt.spec b/libvirt.spec index 1423d11..130cc31 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -307,10 +307,11 @@ Source100: %{name}-rpmlintrc Patch0: 92bd87a2-ryzen-test-data.patch Patch1: 5c83b360-epyc-test-data.patch Patch2: a0b62843-epyc-cpu-model.patch +Patch3: f305d8a1-apparmor-attach_disconnected.patch +Patch4: b482925c-apparmor-ptrace-support.patch # Patches pending upstream review Patch100: libxl-dom-reset.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch -Patch102: apparmor-ptrace-support.patch # Need to go upstream Patch150: xen-pv-cdrom.patch Patch151: blockcopy-check-dst-identical-device.patch @@ -318,7 +319,6 @@ Patch152: libvirt-power8-models.patch Patch153: ppc64le-canonical-name.patch Patch154: libxl-set-migration-constraints.patch Patch155: libxl-set-cach-mode.patch -Patch156: apparmor-fixes.patch # Our patches Patch200: suse-libvirtd-disable-tls.patch Patch201: suse-libvirtd-sysconfig-settings.patch @@ -328,14 +328,15 @@ Patch204: suse-virtlogd-sysconfig-settings.patch Patch205: suse-libvirtd-service-xen.patch Patch206: suse-qemu-conf.patch Patch207: suse-ovmf-paths.patch -Patch208: support-managed-pci-xen-driver.patch -Patch209: xen-sxpr-disk-type.patch -Patch210: libxl-support-block-script.patch -Patch211: apparmor-no-mount.patch -Patch212: qemu-apparmor-screenshot.patch -Patch213: libvirt-suse-netcontrol.patch -Patch214: lxc-wait-after-eth-del.patch -Patch215: libxl-qemu-emulator-caps.patch +Patch208: suse-apparmor-libnl-paths.patch +Patch209: support-managed-pci-xen-driver.patch +Patch210: xen-sxpr-disk-type.patch +Patch211: libxl-support-block-script.patch +Patch212: apparmor-no-mount.patch +Patch213: qemu-apparmor-screenshot.patch +Patch214: libvirt-suse-netcontrol.patch +Patch215: lxc-wait-after-eth-del.patch +Patch216: libxl-qemu-emulator-caps.patch # SLES-Only patches %if %{with_sle_build} Patch400: virt-create-rootfs.patch @@ -876,16 +877,16 @@ libvirt plugin for NSS for translating domain names into IP addresses. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 %patch100 -p1 %patch101 -p1 -%patch102 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1 %patch153 -p1 %patch154 -p1 %patch155 -p1 -%patch156 -p1 %patch200 -p1 %patch201 -p1 %patch202 -p1 @@ -902,6 +903,7 @@ libvirt plugin for NSS for translating domain names into IP addresses. %patch213 -p1 %patch214 -p1 %patch215 -p1 +%patch216 -p1 %if %{with_sle_build} %patch400 -p1 %endif diff --git a/qemu-apparmor-screenshot.patch b/qemu-apparmor-screenshot.patch index 83c9272..9057de6 100644 --- a/qemu-apparmor-screenshot.patch +++ b/qemu-apparmor-screenshot.patch @@ -2,7 +2,7 @@ Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu =================================================================== --- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu +++ libvirt-3.7.0/examples/apparmor/libvirt-qemu -@@ -181,3 +181,6 @@ +@@ -176,3 +176,6 @@ /sys/devices/system/node/ r, /sys/devices/system/node/node[0-9]*/meminfo r, /sys/module/vhost/parameters/max_mem_regions r, diff --git a/suse-apparmor-libnl-paths.patch b/suse-apparmor-libnl-paths.patch new file mode 100644 index 0000000..ba94fb5 --- /dev/null +++ b/suse-apparmor-libnl-paths.patch @@ -0,0 +1,35 @@ +Apparmor: Adjust libnl paths + +In SUSE distros, libnl paths generally contain only 'libnl', and +not an embedded version number such as 'libnl-3'. Use 'libnl*' in +the virt-aa-helper profile to accommodate all libnl path variants. + +It was also noticed that the per-domain profiles need a libnl rule +to squelch a denial when starting confined domains. + +Found while investigating bsc#1058847 +Index: libvirt-3.7.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper +=================================================================== +--- libvirt-3.7.0.orig/examples/apparmor/usr.lib.libvirt.virt-aa-helper ++++ libvirt-3.7.0/examples/apparmor/usr.lib.libvirt.virt-aa-helper +@@ -16,7 +16,7 @@ profile virt-aa-helper /usr/{lib,lib64}/ + owner @{PROC}/[0-9]*/status r, + @{PROC}/filesystems r, + +- /etc/libnl-3/classid r, ++ /etc/libnl*/classid r, + + # for hostdev + /sys/devices/ r, +Index: libvirt-3.7.0/examples/apparmor/libvirt-qemu +=================================================================== +--- libvirt-3.7.0.orig/examples/apparmor/libvirt-qemu ++++ libvirt-3.7.0/examples/apparmor/libvirt-qemu +@@ -50,6 +50,7 @@ + #/dev/fb* rw, + + /etc/pulse/client.conf r, ++ /etc/libnl*/classid r, + @{HOME}/.pulse-cookie rwk, + owner /root/.pulse-cookie rwk, + owner /root/.pulse/ rw,