diff --git a/c44b29aa-apparmor-dnsmasq-ptrace.patch b/c44b29aa-apparmor-dnsmasq-ptrace.patch
new file mode 100644
index 0000000..125077a
--- /dev/null
+++ b/c44b29aa-apparmor-dnsmasq-ptrace.patch
@@ -0,0 +1,60 @@
+commit c44b29aacb6a3f445ab06d61899a0308b9d6d0d3
+Author: Jim Fehlig
+Date: Fri Oct 6 14:20:36 2017 -0600
+
+ apparmor: add dnsmasq ptrace rule to libvirtd profile
+
+ Commit b482925c added ptrace rule for the apparmor profiles,
+ but one was missed in the libvirtd profile for dnsmasq. It was
+ overlooked since the test machine did not have an active libvirt
+ network requiring dnsmasq that was also set to autostart. With
+ one active and set to autostart, the following denial is observed
+ in audit.log when restarting libvirtd
+
+ type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
+ operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
+ comm="libvirtd" requested_mask="trace" denied_mask="trace" \
+ peer="/usr/sbin/dnsmasq"
+
+ With an active network, I suspect a libvirtd restart causes access
+ to /proc//*, hence the resulting denial. As a nasty
+ side affect of the denial, libvirtd thinks it needs to spawn a
+ dnsmasq process even though one is already running for the network.
+ E.g. after two libvirtd restarts
+
+ dnsmasq 1683 0.0 0.0 51188 2612 ? S 12:03 0:00 \
+ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+ root 1684 0.0 0.0 51160 576 ? S 12:03 0:00 \
+ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+ dnsmasq 4706 0.0 0.0 51188 2572 ? S 13:54 0:00 \
+ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+ root 4707 0.0 0.0 51160 572 ? S 13:54 0:00 \
+ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+ dnsmasq 4791 0.0 0.0 51188 2580 ? S 13:56 0:00 \
+ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+ root 4792 0.0 0.0 51160 572 ? S 13:56 0:00 \
+ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
+ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
+
+ A simple fix is to add a ptrace rule for dnsmasq.
+
+ Signed-off-by: Jim Fehlig
+ Reviewed-By: Guido Günther
+
+Index: libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd
+===================================================================
+--- libvirt-3.8.0.orig/examples/apparmor/usr.sbin.libvirtd
++++ libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd
+@@ -39,6 +39,7 @@
+
+ ptrace (trace) peer=unconfined,
+ ptrace (trace) peer=/usr/sbin/libvirtd,
++ ptrace (trace) peer=/usr/sbin/dnsmasq,
+ ptrace (trace) peer=libvirt-*,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
diff --git a/libvirt.changes b/libvirt.changes
index 33d9cfb..2a70c4f 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Oct 6 22:46:12 UTC 2017 - jfehlig@suse.com
+
+- apparmor: add dnsmasq ptrace rule to libvirtd profile
+ c44b29aa-apparmor-dnsmasq-ptrace.patch
+ bsc#1060860
+
 -------------------------------------------------------------------
 Thu Oct 5 15:19:24 UTC 2017 - jfehlig@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index e100e50..416618e 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -309,6 +310,7 @@ Source4: libvirt-supportconfig
 Source99: baselibs.conf
 Source100: %{name}-rpmlintrc
 # Upstream patches
+Patch0: c44b29aa-apparmor-dnsmasq-ptrace.patch
 # Patches pending upstream review
 Patch100: libxl-dom-reset.patch
 Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
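Review bot: The new `ptrace (trace) peer=/usr/sbin/dnsmasq,` rule in the usr.sbin.libvirtd hunk carries no comment, so nothing in the profile records why libvirtd needs to trace dnsmasq or that the audit record above asked for `requested_mask="trace"` rather than the narrower `read` permission AppArmor's ptrace rules also accept, and a later hardening pass could shrink it and silently bring back the duplicate-dnsmasq behaviour the message describes. I would add `# libvirtd inspects the dnsmasq it spawned when restarting; the denial requests "trace", so "read" is not sufficient (bsc#1060860)` above the rule. The author's explanation of which /proc access triggers the denial is explicitly hedged ("I suspect"), so a comment should not state it as fact; the width of the grant is consistent with the "Very lenient profile" remark already in the file, and the enclosing rule block starts outside the hunk.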
@@ -882,6 +883,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %prep
 %setup -q
+%patch0 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1