On 3/2/19 7:20 AM, Jamie Strandboge wrote:
On Fri, 01 Mar 2019, Jim Fehlig wrote:
> Commit a3ab6d42 changed the libvirtd profile to a named profile
> but neglected to accommodate the change in the qemu profile
> ptrace and signal rules. As a result, libvirtd is unable to
> signal confined qemu processes and hence unable to shut down
> or destroy VMs.
>
> Add ptrace and signal rules that reference the libvirtd profile
> by name in addition to full binary path.
>
> Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
> ---
> src/security/apparmor/libvirt-qemu | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 7d28faa163..474aaefdf8 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -16,8 +16,10 @@
> network inet stream,
> network inet6 stream,
>
> + ptrace (readby, tracedby) peer=libvirtd,
> ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
>
> + signal (receive) peer=libvirtd,
> signal (receive) peer=/usr/sbin/libvirtd,
>
> /dev/net/tun rw,
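Review bot: the new `ptrace (readby, tracedby) peer=libvirtd,` and `signal (receive) peer=libvirtd,` rules sit directly beside the path-based ones with nothing explaining why both forms are needed, so they read as a duplicate that the next cleanup will remove. Add a one-line comment above the pair stating that the libvirtd profile is now a named profile (commit a3ab6d42) and that the `peer=/usr/sbin/libvirtd` form is kept for hosts still running the older unnamed profile. It is also worth checking that any other profile or template under src/security/apparmor that matches `peer=/usr/sbin/libvirtd` gets the same named-peer counterpart, since the same breakage would apply there.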
+1 to commit
Thanks! Any comment on 1/2? It fixes the rather nasty bug of libvirtd not
starting when the apparmor driver is explicitly enabled in qemu.conf.
Regards,
Jim