forked from pool/libvirt
de19f2680c
Incremental update of the libvirt package to fix bsc#1060860. - apparmor: add dnsmasq ptrace rule to libvirtd profile c44b29aa-apparmor-dnsmasq-ptrace.patch bsc#1060860 OBS-URL: https://build.opensuse.org/request/show/532350 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=627
61 lines
3.0 KiB
Diff
61 lines
3.0 KiB
Diff
commit c44b29aacb6a3f445ab06d61899a0308b9d6d0d3
|
|
Author: Jim Fehlig <jfehlig@suse.com>
|
|
Date: Fri Oct 6 14:20:36 2017 -0600
|
|
|
|
apparmor: add dnsmasq ptrace rule to libvirtd profile
|
|
|
|
Commit b482925c added ptrace rule for the apparmor profiles,
|
|
but one was missed in the libvirtd profile for dnsmasq. It was
|
|
overlooked since the test machine did not have an active libvirt
|
|
network requiring dnsmasq that was also set to autostart. With
|
|
one active and set to autostart, the following denial is observed
|
|
in audit.log when restarting libvirtd
|
|
|
|
type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
|
|
operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
|
|
comm="libvirtd" requested_mask="trace" denied_mask="trace" \
|
|
peer="/usr/sbin/dnsmasq"
|
|
|
|
With an active network, I suspect a libvirtd restart causes access
|
|
to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
|
|
side affect of the denial, libvirtd thinks it needs to spawn a
|
|
dnsmasq process even though one is already running for the network.
|
|
E.g. after two libvirtd restarts
|
|
|
|
dnsmasq 1683 0.0 0.0 51188 2612 ? S 12:03 0:00 \
|
|
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
|
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
|
root 1684 0.0 0.0 51160 576 ? S 12:03 0:00 \
|
|
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
|
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
|
dnsmasq 4706 0.0 0.0 51188 2572 ? S 13:54 0:00 \
|
|
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
|
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
|
root 4707 0.0 0.0 51160 572 ? S 13:54 0:00 \
|
|
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
|
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
|
dnsmasq 4791 0.0 0.0 51188 2580 ? S 13:56 0:00 \
|
|
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
|
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
|
root 4792 0.0 0.0 51160 572 ? S 13:56 0:00 \
|
|
/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
|
|
--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
|
|
|
|
A simple fix is to add a ptrace rule for dnsmasq.
|
|
|
|
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
|
|
Reviewed-By: Guido Günther <agx@sigxcpu.org>
|
|
|
|
Index: libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd
|
|
===================================================================
|
|
--- libvirt-3.8.0.orig/examples/apparmor/usr.sbin.libvirtd
|
|
+++ libvirt-3.8.0/examples/apparmor/usr.sbin.libvirtd
|
|
@@ -39,6 +39,7 @@
|
|
|
|
ptrace (trace) peer=unconfined,
|
|
ptrace (trace) peer=/usr/sbin/libvirtd,
|
|
+ ptrace (trace) peer=/usr/sbin/dnsmasq,
|
|
ptrace (trace) peer=libvirt-*,
|
|
|
|
# Very lenient profile for libvirtd since we want to first focus on confining
|