[libvirt] [PATCH] apparmor: add dnsmasq ptrace rule to libvirtd profile
Commit b482925c added ptrace rule for the apparmor profiles, but one was missed in the libvirtd profile for dnsmasq. It was overlooked since the test machine did not have an active libvirt network requiring dnsmasq that was also set to autostart. With one active and set to autostart, the following denial is observed in audit.log when restarting libvirtd type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \ operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \ comm="libvirtd" requested_mask="trace" denied_mask="trace" \ peer="/usr/sbin/dnsmasq" With an active network, I suspect a libvirtd restart causes access to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty side affect of the denial, libvirtd thinks it needs to spawn a dnsmasq process even though one is already running for the network. E.g. after two libvirtd restarts dnsmasq 1683 0.0 0.0 51188 2612 ? S 12:03 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper root 1684 0.0 0.0 51160 576 ? S 12:03 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper dnsmasq 4706 0.0 0.0 51188 2572 ? S 13:54 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper root 4707 0.0 0.0 51160 572 ? S 13:54 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper dnsmasq 4791 0.0 0.0 51188 2580 ? S 13:56 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper root 4792 0.0 0.0 51160 572 ? S 13:56 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper A simple fix is to add a ptrace rule for dnsmasq. Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index fa4ebb355..819068ffc 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -39,6 +39,7 @@ ptrace (trace) peer=unconfined, ptrace (trace) peer=/usr/sbin/libvirtd, + ptrace (trace) peer=/usr/sbin/dnsmasq, ptrace (trace) peer=libvirt-*, # Very lenient profile for libvirtd since we want to first focus on confining -- 2.14.1
Hi, On Fri, Oct 06, 2017 at 02:58:10PM -0600, Jim Fehlig wrote:
Commit b482925c added ptrace rule for the apparmor profiles, but one was missed in the libvirtd profile for dnsmasq. It was overlooked since the test machine did not have an active libvirt network requiring dnsmasq that was also set to autostart. With one active and set to autostart, the following denial is observed in audit.log when restarting libvirtd
type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \ operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \ comm="libvirtd" requested_mask="trace" denied_mask="trace" \ peer="/usr/sbin/dnsmasq"
With an active network, I suspect a libvirtd restart causes access to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty side affect of the denial, libvirtd thinks it needs to spawn a dnsmasq process even though one is already running for the network. E.g. after two libvirtd restarts
dnsmasq 1683 0.0 0.0 51188 2612 ? S 12:03 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper root 1684 0.0 0.0 51160 576 ? S 12:03 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper dnsmasq 4706 0.0 0.0 51188 2572 ? S 13:54 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper root 4707 0.0 0.0 51160 572 ? S 13:54 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper dnsmasq 4791 0.0 0.0 51188 2580 ? S 13:56 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper root 4792 0.0 0.0 51160 572 ? S 13:56 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
A simple fix is to add a ptrace rule for dnsmasq.
Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index fa4ebb355..819068ffc 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -39,6 +39,7 @@
ptrace (trace) peer=unconfined, ptrace (trace) peer=/usr/sbin/libvirtd, + ptrace (trace) peer=/usr/sbin/dnsmasq, ptrace (trace) peer=libvirt-*,
# Very lenient profile for libvirtd since we want to first focus on confining
Reviewed-By: Guido Günther <agx@sigxcpu.org>
-- 2.14.1
On 10/06/2017 04:04 PM, Guido Günther wrote:
Hi, On Fri, Oct 06, 2017 at 02:58:10PM -0600, Jim Fehlig wrote:
Commit b482925c added ptrace rule for the apparmor profiles, but one was missed in the libvirtd profile for dnsmasq. It was overlooked since the test machine did not have an active libvirt network requiring dnsmasq that was also set to autostart. With one active and set to autostart, the following denial is observed in audit.log when restarting libvirtd
type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \ operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \ comm="libvirtd" requested_mask="trace" denied_mask="trace" \ peer="/usr/sbin/dnsmasq"
With an active network, I suspect a libvirtd restart causes access to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty side affect of the denial, libvirtd thinks it needs to spawn a dnsmasq process even though one is already running for the network. E.g. after two libvirtd restarts
dnsmasq 1683 0.0 0.0 51188 2612 ? S 12:03 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper root 1684 0.0 0.0 51160 576 ? S 12:03 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper dnsmasq 4706 0.0 0.0 51188 2572 ? S 13:54 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper root 4707 0.0 0.0 51160 572 ? S 13:54 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper dnsmasq 4791 0.0 0.0 51188 2580 ? S 13:56 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper root 4792 0.0 0.0 51160 572 ? S 13:56 0:00 \ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \ --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
A simple fix is to add a ptrace rule for dnsmasq.
Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- examples/apparmor/usr.sbin.libvirtd | 1 + 1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index fa4ebb355..819068ffc 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -39,6 +39,7 @@
ptrace (trace) peer=unconfined, ptrace (trace) peer=/usr/sbin/libvirtd, + ptrace (trace) peer=/usr/sbin/dnsmasq, ptrace (trace) peer=libvirt-*,
# Very lenient profile for libvirtd since we want to first focus on confining
Reviewed-By: Guido Günther <agx@sigxcpu.org>
Thanks, pushed. Regards, Jim
participants (2)
-
Guido Günther -
Jim Fehlig