Hi Jim,
On Fri, Sep 22, 2017 at 05:02:42PM -0600, Jim Fehlig wrote:
> Kernel 4.13 introduced finer-grained ptrace checks
>
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/c...
>
> With kernel 4.13 and apparmor 2.11, simply starting libvirtd
> results in the following apparmor denial
>
> type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="unconfined"
>
> Attempting to start an unconfined domain results in
>
> type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="/usr/sbin/libvirtd"
>
> And attempting to start a confined domain results in
>
> type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
> operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
> pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> fsuid=0 ouid=0
> type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
> operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
> pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> fsuid=0 ouid=0
> type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
>
> Add ptrace rules to allow the trace operations.
>
> Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
> Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
> ---
>
> V3:
> fix ptrace rule for per-domain profiles
>
> V2:
> restrict ptrace permissions
> drop support for dbus, signal, and unix
>
> examples/apparmor/usr.sbin.libvirtd | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/examples/apparmor/usr.sbin.libvirtd
b/examples/apparmor/usr.sbin.libvirtd
> index acb59e071..fa4ebb355 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -37,6 +37,10 @@
> network packet dgram,
> network packet raw,
>
> + ptrace (trace) peer=unconfined,
> + ptrace (trace) peer=/usr/sbin/libvirtd,
> + ptrace (trace) peer=libvirt-*,
> +
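Review bot: the `ptrace (trace) peer=unconfined,` rule in this hunk is far broader than the other two, since it lets libvirtd trace every unconfined process on the host rather than the specific peers the quoted denials were about, and the profile gives no hint why it is there. Please add a comment above the three rules saying they were needed once kernel 4.13 introduced the finer-grained ptrace checks, and which peer each one covers (the unconfined one being the denial seen at libvirtd start-up), so the next person touching this profile knows what can and cannot be tightened. Also, the two virt-aa-helper `open` denials on /etc/libnl/classid quoted in the commit message are not addressed by this diff, which only touches usr.sbin.libvirtd; either drop them from the message or note that they are handled separately.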
This works here too! And I can even drop the first rule (ptrace (trace)
peer=unconfined) and things still work (and from reading the profile and
Jamie's explanations it should work without it). Can you check if that
works for you too? Otherwise:
Reviewed-By: Guido Günther <agx(a)sigxcpu.org>
I've pushed that patch as is since without the unconfined ptrace we're
seeing denials with gnome-boxes and virsh.
Cheers,
-- Guido
> # Very lenient profile for libvirtd since we want to first focus on confining
> # the guests. Guests will have a very restricted profile.
> / r,
> --
> 2.14.1
>
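For anyone who wants to see how the rules in the patch follow from the denials, and to catch the broad one, here is an added example of my own. It is not code from libvirt or from AppArmor's aa-logprof (which does this job properly): a small Python parser that turns audit lines like the ones quoted in the commit message into candidate profile rules, collapses the per-domain `libvirt-<UUID>` peer into the `libvirt-*` glob the patch uses, and flags `peer=unconfined` for review. The audit lines embedded in it are constructed copies of the ones in this thread, re-joined onto single lines; `review_warnings`, `suggest_rules` and the domain-profile regex are my own conventions, not AppArmor's.

```python
import re
from collections import defaultdict

# Constructed sample input: the five denials quoted in the commit message
# above, each re-joined onto a single line as auditd writes them.
SAMPLE_DENIALS = """\
type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
"""

# key=value or key="quoted value" tokens of an audit record
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# libvirt names per-domain profiles libvirt-<domain UUID> (assumed
# lowercase hex, as in the denial quoted in the thread)
_DOMAIN_PROFILE = re.compile(
    r'^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$')


def parse_denial(line):
    """Split one audit line into its fields; None unless it is an AppArmor
    DENIED record (ALLOWED/AUDIT records and other audit types are skipped)."""
    fields = {}
    for key, quoted, bare in _FIELD.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def generalize_peer(peer):
    """Collapse a per-domain profile name to the glob used in the patch so a
    single rule covers every guest instead of one rule per UUID."""
    return "libvirt-*" if _DOMAIN_PROFILE.match(peer) else peer


def denial_to_rule(d):
    """Translate one parsed denial into the AppArmor rule that would allow it.
    Only the operation kinds seen in the thread are handled."""
    if d.get("operation") == "ptrace":
        # denied_mask is the ptrace permission the kernel asked for
        # (trace/read/tracedby/readby); grant exactly that, nothing wider.
        return f"ptrace ({d['denied_mask']}) peer={generalize_peer(d['peer'])},"
    if "name" in d and "denied_mask" in d:
        # file access denial such as open: path followed by the denied mode
        return f"{d['name']} {d['denied_mask']},"
    return None


def suggest_rules(log_text):
    """Map each confined profile to the deduplicated, ordered list of rules
    needed to clear its denials."""
    rules = defaultdict(list)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        rule = denial_to_rule(d)
        if rule is not None and rule not in rules[d["profile"]]:
            rules[d["profile"]].append(rule)
    return dict(rules)


def review_warnings(rules_by_profile):
    """Flag rules a reviewer should question before merging: ptrace against
    'unconfined' lets the profile trace every unconfined process on the host,
    which is the rule this thread debates keeping."""
    broad = []
    for profile, rules in rules_by_profile.items():
        for rule in rules:
            if rule.startswith("ptrace") and rule.endswith("peer=unconfined,"):
                broad.append((profile, rule))
    return broad


if __name__ == "__main__":
    suggested = suggest_rules(SAMPLE_DENIALS)
    for profile, rules in suggested.items():
        print(f"# {profile}")
        for rule in rules:
            print(f"  {rule}")
    for profile, rule in review_warnings(suggested):
        print(f"WARNING: {profile}: {rule} grants trace over all unconfined processes")
```

The generator deliberately grants only the `denied_mask` the kernel reported (here `trace`), and it never widens a path or peer on its own except for the libvirt-<UUID> case; the `peer=unconfined` rule is surfaced rather than silently emitted so that a human makes the call this thread made, weighing it against the gnome-boxes and virsh denials seen without it.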
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list