rpm/libvirt
SHA256
1
0
Fork 0
forked from pool/libvirt
Code Pull Requests Activity
267982bde3
libvirt/0d05d51b-apparmor-lxc-fix.patch
James Fehlig 0b3a0a1f93 - apparmor: Allow lxc processes to receive signals from libvirt 
lxc: Set default security model in XML parser config
  0d05d51b-apparmor-lxc-fix.patch, cf4e7e62-lxc-def-secmodel.patch
  bsc#1179735

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=863
2020-12-07 23:13:45 +00:00

41 lines
1.5 KiB
Diff
Raw Blame History

commit 0d05d51b715390e08cd112f83e03b6776412aaeb
Author: Jim Fehlig <jfehlig@suse.com>
Date: Wed Dec 2 16:24:21 2020 -0700
apparmor: Allow lxc processes to receive signals from libvirt
LXC processes confined by apparmor are not permitted to receive signals
from libvirtd. Attempting to destroy such a process fails
virsh --connect lxc:/// destroy distro_apparmor
error: Failed to destroy domain distro_apparmor
error: Failed to kill process 29491: Permission denied
And from /var/log/audit/audit.log
type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED"
operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1"
pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive"
signal=term peer="libvirtd"
Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc
abstraction allowing reception of signals from libvirtd.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Index: libvirt-6.10.0/src/security/apparmor/libvirt-lxc
===================================================================
--- libvirt-6.10.0.orig/src/security/apparmor/libvirt-lxc
+++ libvirt-6.10.0/src/security/apparmor/libvirt-lxc
@@ -1,5 +1,9 @@
#include <abstractions/base>
+ # Allow receiving signals from libvirtd
+ signal (receive) peer=libvirtd,
+ signal (receive) peer=/usr/sbin/libvirtd,
+
umount,
# ignore DENIED message on / remount
View Git Blame Copy Permalink