
On 09/20/2017 12:51 AM, Guido Günther wrote:
Hi Jim,

On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote:
Kernel 4.13 introduced finer-grained ptrace checks
When Apparmor is enabled and libvirtd is confined, attempting to start a domain fails
virsh start test
error: Failed to start domain test
error: internal error: child reported: Kernel does not provide mount namespace: Permission denied
The audit log contains
type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
It seems access to /proc/<pid>/tasks already requires trace permissions.
It was also noticed that simply connecting to libvirtd (e.g. virsh list) resulted in the following entries in the audit log
type=AVC msg=audit(1505755799.975:65): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1505755799.976:66): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Both Apparmor denials can be fixed by adding ptrace rules to the libvirtd profile. The new rules only grant trace permission.
I'm seeing the same denials with 4.13 (4.13.1-1~exp1 (2017-09-11) in Debian) but the proposed profile change does not fix the vm start issue for me. I can't tell why atm, will have to look into this in more detail at the WE.
I have other problems when running with 'security_default_confined = 1' in qemu.conf, but the changes allow starting unconfined domains. Cedric remembered this old thread: https://www.redhat.com/archives/libvir-list/2014-October/msg00011.html
Some of those changes have been merged, but the ptrace, dbus, signal, etc. have not. I used Stefan's changes to the libvirtd profile but still see the same issue with confined domains:
type=AVC msg=audit(1505858407.661:123): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/sbin/libvirtd" name="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" pid=3149 comm="libvirtd"
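As an added example (not code from this thread or from libvirt), a small Python helper that parses AppArmor AVC audit records like the ones quoted above, turns ptrace denials into candidate `ptrace (...) peer=...,` profile rules, and flags the change_profile "label not found" case separately, since that denial means the target profile is not loaded and no rule in libvirtd's profile can fix it. The sample lines are constructed from the quoted denials; the generated rule syntax is an assumption and should be checked against the distribution's libvirtd profile before use.

```python
import re

# Constructed sample records, modelled on the denials quoted in the thread.
AUDIT_LINES = [
    'type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/sbin/libvirtd" pid=6621 comm="libvirtd" requested_mask="trace" '
    'denied_mask="trace" peer="/usr/sbin/libvirtd"',
    'type=AVC msg=audit(1505755799.975:65): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" '
    'denied_mask="trace" peer="unconfined"',
    'type=AVC msg=audit(1505858407.661:123): apparmor="DENIED" operation="change_profile" '
    'info="label not found" error=-2 profile="/usr/sbin/libvirtd" '
    'name="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff" pid=3149 comm="libvirtd"',
]

# key=value pairs; values are either double-quoted or a bare run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def suggest_rules(lines):
    """Map DENIED records to profile rules per profile.

    Returns (rules, unresolved): rules is {profile: set(rule_text)} for denials
    a profile rule can address; unresolved lists (profile, detail) pairs for
    denials that need a different fix (e.g. a missing peer label).
    """
    rules, unresolved = {}, []
    for line in lines:
        f = parse_avc(line)
        if f.get("apparmor") != "DENIED":
            continue
        prof, op = f["profile"], f["operation"]
        if op == "ptrace":
            # Grant only what was denied (e.g. "trace"), scoped to the peer seen.
            rule = "ptrace (%s) peer=%s," % (f["denied_mask"], f["peer"])
            rules.setdefault(prof, set()).add(rule)
        elif op == "change_profile" and f.get("info") == "label not found":
            # The per-domain profile named in 'name' is not loaded; no rule fixes this.
            unresolved.append((prof, f["name"]))
        else:
            unresolved.append((prof, op))
    return rules, unresolved
```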