On 09/20/2017 08:57 AM, Jim Fehlig wrote:
On 09/20/2017 12:51 AM, Guido Günther wrote:
> Hi Jim,
> On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote:
>> Kernel 4.13 introduced finer-grained ptrace checks
>>
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/c...
>>
>>
>> When Apparmor is enabled and libvirtd is confined, attempting to start
>> a domain fails
>>
>> virsh start test
>> error: Failed to start domain test
>> error: internal error: child reported: Kernel does not provide mount
>> namespace: Permission denied
>>
>> The audit log contains
>>
>> type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
>> operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
>> comm="libvirtd" requested_mask="trace"
>> denied_mask="trace"
>> peer="/usr/sbin/libvirtd"
>
> It seems access to /proc/<pid>/tasks already requires trace permissions.
>
>>
>> It was also noticed that simply connecting to libvirtd (e.g. virsh list)
>> resulted in the following entries in the audit log
>>
>> type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
>> operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
>> comm="libvirtd" requested_mask="trace"
>> denied_mask="trace"
>> peer="unconfined"
>> type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
>> operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
>> comm="libvirtd" requested_mask="trace"
>> denied_mask="trace"
>> peer="unconfined"
>>
>> Both Apparmor denials can be fixed by adding ptrace rules to the
>> libvirtd profile. The new rules only grant trace permission.
>
> I'm seeing the same denials with 4.13 (4.13.1-1~exp1 (2017-09-11) in
> Debian) but the proposed profile change does not fix the vm start issue
> for me. I can't tell why atm, will have to look into this in more detail
> at the WE.
I have other problems when running with 'security_default_confined = 1' in
qemu.conf, but the changes allow starting unconfined domains.
Cedric remembered this old thread
https://www.redhat.com/archives/libvir-list/2014-October/msg00011.html
Some of those changes have been merged, but the ptrace, dbus, signal, etc. have
not. I used Stefan's changes to the libvirtd profile but still see the same
issue with confined domains.
I dug a bit further in that thread to find Stefan's most recent version of the
patches:
https://www.redhat.com/archives/libvir-list/2014-October/msg00556.html
I took the ptrace, dbus, signal, etc. changes out of patch 2 and used the
attached patch to successfully start confined domains.
Since a few years have passed, I'm not sure if patch 1 is still relevant. IIUC,
it allows conditionalizing profile content based on the apparmor version, which
patch 2 uses to add some stuff if version >= 2.9. 2.9 has been out for a while...