[libvirt] [PATCH] AppArmor: Allow libvirtd to kill unconfined processes

13 Jan 2018

From: intrigeri <intrigeri+libvirt@boum.org>

On startup libvirtd runs a number of QEMU processes unconfined such as:

  /usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize

libvirtd needs to be allowed to kill these processes, otherwise they
remain running.
---
 examples/apparmor/usr.sbin.libvirtd | 1 +
 1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index a1083b0410..0ddec3f6e2 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -63,6 +63,7 @@
 
   signal (send) peer=/usr/sbin/dnsmasq,
   signal (read, send) peer=libvirt-*,
+  signal (send) set=("kill") peer=unconfined,
 
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
-- 
2.15.1

    

intrigeri+libvirt＠boum.org

Christian Ehrhardt

intrigeri

Guido Günther

tags

participants (4)