Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read check")
libvirt now hits apparmor denies like:
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read" peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to work
with these newer kernels.
Fixes: https://bugs.launchpad.net/bugs/1788603
Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
---
examples/apparmor/usr.sbin.libvirtd | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 80e348b7ee..f0ffc53008 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -50,10 +50,10 @@
# for --p2p migrations
unix (send, receive) type=stream addr=none peer=(label=unconfined
addr=none),
- ptrace (trace) peer=unconfined,
- ptrace (trace) peer=/usr/sbin/libvirtd,
- ptrace (trace) peer=/usr/sbin/dnsmasq,
- ptrace (trace) peer=libvirt-*,
+ ptrace (read,trace) peer=unconfined,
+ ptrace (read,trace) peer=/usr/sbin/libvirtd,
+ ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+ ptrace (read,trace) peer=libvirt-*,
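Review bot: the commit message only evidences a denial against a `libvirt-*` guest peer, yet all four rules (including `peer=unconfined` and `peer=/usr/sbin/dnsmasq`) gain `read`; please state in the commit message that widening the other three is deliberate for consistency, or observed as well, so a later reader does not have to guess. A short comment above the block, analogous to the existing `# for --p2p migrations` line, noting that `read` is needed since kernel commit 338d0be4 would also keep the profile self-documenting.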
LGTM. +1 to apply
--
Jamie Strandboge |