On 09/22/2017 04:55 PM, Jim Fehlig wrote:
On 09/22/2017 03:25 PM, Jamie Strandboge wrote:
> On Fri, 2017-09-22 at 15:04 -0600, Jim Fehlig wrote:
>>
>> Using kernel 4.13, apparmor 2.11, and the current libvirt.git profiles,
>> simply
>> starting libvirtd results in the following denial
>>
>> type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
>>
>> Adding 'ptrace (trace) peer=unconfined,' allows starting libvirtd with no
>> denials. But this rule is not enough to start unconfined domains, where I see
>> the following denial
>
> This is fine for the libvirtd profile (not libvirt-qemu/libvirt-lxc of course).
> I'm curious what libvirtd is trying to trace...
>
>> type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
>>
>> Adding 'ptrace (trace) peer=/usr/sbin/libvirtd,' allows starting unconfined
>> domains. But this is still not enough to start confined domains, where I see
>> the following denials
>
> This is fine for the libvirtd profile (not libvirt-qemu/libvirt-lxc of course).
> I suspect this is for libvirtd tracing things it launches.
>
>> type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
>>
>> Finally, adding 'ptrace (trace) peer=(label=@{profile_name}),' allows starting
>> confined domains.
>>
> This rule isn't right and doesn't parse (apparmor 2.11.0):
>
> $ apparmor_parser -QTK ./apparmor.profile
> AppArmor parser error for ./apparmor.profile in ./apparmor.profile at line 6:
> syntax error, unexpected TOK_CONDLISTID, expecting TOK_CONDID or TOK_END_OF_RULE
>
> I suspect you intended:
>
> ptrace (trace) peer=@{profile_name},
Yes, this is what I have on the test system, where I've been editing the
profiles directly. I'm at a loss to explain why it works. I.e. why I can start
confined domains with the rule, but can't without it.
Duh. With the bogus rule the profile fails to parse and thus is not loaded.
Regards,
Jim
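An added example (not code from the thread or from libvirt) that turns the AppArmor DENIED records quoted above into candidate profile rules, the way one would triage such denials by hand. The sample audit text is constructed from the lines in the thread, re-joined one record per line; a peer equal to the denied profile itself is written as @{profile_name}, which is the form the thread settles on.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the denials quoted in the thread, one record per line as auditd logs them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Split one audit line into key=value fields; None unless it is an AppArmor DENIED record."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD_RE.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def suggest_rule(d: Dict[str, str]) -> str:
    """Map a parsed denial to the profile rule that would permit it."""
    if d["operation"] == "ptrace":
        peer = d["peer"]
        # A peer equal to the confined profile itself is written as @{profile_name};
        # any other label (unconfined, a per-domain libvirt-<uuid> label) is kept verbatim.
        if peer == d["profile"]:
            peer = "@{profile_name}"
        return f"ptrace ({d['denied_mask']}) peer={peer},"
    if d["operation"] == "open":
        return f"{d['name']} {d['denied_mask']},"
    raise ValueError(f"no rule template for operation {d['operation']!r}")

def rules_by_profile(audit_text: str) -> Dict[str, List[str]]:
    """Collect distinct suggested rules per profile, in first-seen order."""
    out: Dict[str, List[str]] = {}
    for line in audit_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        rule = suggest_rule(d)
        bucket = out.setdefault(d["profile"], [])
        if rule not in bucket:
            bucket.append(rule)
    return out

if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_AUDIT).items():
        print(profile, *rules, sep="\n  ")
```

Any rule produced this way still has to be checked with `apparmor_parser -QTK` before reload, since, as the thread shows, a rule the parser rejects leaves the whole profile unloaded rather than merely ineffective.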