Re: [libvirt] [PATCH] apparmor: support finer-grained ptrace checks

Hi Jim, On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote: > Kernel 4.13 introduced finer-grained ptrace checks > > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/c... > > When Apparmor is enabled and libvirtd is confined, attempting to start > a domain fails > > virsh start test > error: Failed to start domain test > error: internal error: child reported: Kernel does not provide mount > namespace: Permission denied > > The audit log contains > > type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" > operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621 > comm="libvirtd" requested_mask="trace" denied_mask="trace" > peer="/usr/sbin/libvirtd" It seems access to /proc/<pid>/tasks already requires trace permissions. > > It was also noticed that simply connecting to libvirtd (e.g. virsh list) > resulted in the following entries in the audit log > > type=AVC msg=audit(1505755799.975:65): apparmor="DENIED" > operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 > comm="libvirtd" requested_mask="trace" denied_mask="trace" > peer="unconfined" > type=AVC msg=audit(1505755799.976:66): apparmor="DENIED" > operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 > comm="libvirtd" requested_mask="trace" denied_mask="trace" > peer="unconfined" > > Both Apparmor denials can be fixed by adding ptrace rules to the > libvirtd profile. The new rules only grant trace permission. I'm seeing the same denials with 4.13 (4.13.1-1~exp1 (2017-09-11) in Debian) but the proposed profile change does not fix the vm start issue for me. I can't tell why atm, will have to look into this in more detail at the WE.