Kernel 4.13 introduced finer-grained ptrace checks
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/c...
When Apparmor is enabled and libvirtd is confined, attempting to start
a domain fails
virsh start test
error: Failed to start domain test
error: internal error: child reported: Kernel does not provide mount
namespace: Permission denied
The audit log contains
type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="/usr/sbin/libvirtd"
It was also noticed that simply connecting to libvirtd (e.g. virsh list)
resulted in the following entries in the audit log
type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"
type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"
Both Apparmor denials can be fixed by adding ptrace rules to the
libvirtd profile. The new rules only grant trace permission.
Resolves:
https://bugzilla.suse.com/show_bug.cgi?id=1058847
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
Even with debug enabled in libvirtd, I've had a hard time correlating a
libvirtd action that results in the denied ptrace check seen in the audit
log. I suspect it is related to accessing files in /proc as mentioned in
the apparmor wiki
http://wiki.apparmor.net/index.php/TechnicalDo_Proc_and_ptrace
cc'ing some of the usual apparmor suspects for any words of wisdom.
examples/apparmor/usr.sbin.libvirtd | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index acb59e071..ff84aa149 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -37,6 +37,10 @@
network packet dgram,
network packet raw,
+ # Support finer-grained ptrace checks, which were enabled in kernel 4.13
+ ptrace trace peer=/usr/sbin/libvirtd,
+ ptrace trace peer=unconfined,
+
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
/ r,
--
2.14.1