[libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined

Otherwise stopping domains with qemu://session fails like [164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined" --- examples/apparmor/usr.sbin.libvirtd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 0ddec3f6e2..be4fabf905 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -63,7 +63,7 @@ signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, - signal (send) set=("kill") peer=unconfined, + signal (send) set=("kill", "term") peer=unconfined, # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. -- 2.15.1
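Review bot: Adding "term" beside "kill" for peer=unconfined is the narrowest widening that clears the logged denial (signal=term, peer="unconfined"), but the commit message should state the ordering that justifies putting both signals in one set for the same unconfined peer, otherwise the rule reads as a second, unrelated grant: libvirt sends term first and falls back to kill only if the guest does not exit. A one-line addition such as "libvirt tries SIGTERM before falling back to SIGKILL when stopping a domain" would make that clear and also answers the obvious follow-up question of whether further signals (e.g. "hup") need to be listed, which they do not.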

On 01/17/2018 08:34 AM, Guido Günther wrote:
Otherwise stopping domains with qemu://session fails like
[164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined" --- examples/apparmor/usr.sbin.libvirtd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 0ddec3f6e2..be4fabf905 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -63,7 +63,7 @@
signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, - signal (send) set=("kill") peer=unconfined, + signal (send) set=("kill", "term") peer=unconfined,
Is "hup" needed here as well?
Regards,
Jim

On Mon, Jan 22, 2018 at 10:25:38AM -0700, Jim Fehlig wrote:
On 01/17/2018 08:34 AM, Guido Günther wrote:
Otherwise stopping domains with qemu://session fails like
[164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined" --- examples/apparmor/usr.sbin.libvirtd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index 0ddec3f6e2..be4fabf905 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -63,7 +63,7 @@ signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, - signal (send) set=("kill") peer=unconfined, + signal (send) set=("kill", "term") peer=unconfined,
Is "hup" needed here as well?
Shouldn't be, libvirt starts by using 'term' to kill QEMU and if that doesn't work, falls back to "kill". It shouldn't ever use "hup".
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
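As an added illustration, not code from the thread or from libvirt: a small Python checker that parses the DENIED audit record quoted in the commit message, evaluates it against the three signal rules visible in the hunk before and after the patch, and derives the narrowest rule that would clear it (it also shows that "hup", asked about above, is still not covered after the patch). It assumes fnmatch is an adequate stand-in for AppArmor peer globbing for these particular peers.

```python
import fnmatch
import re

# Constructed sample: the denial quoted in the commit message (kernel timestamp dropped).
AUDIT_LINE = ('audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" '
              'operation="signal" profile="/usr/sbin/libvirtd" pid=18835 '
              'comm="libvirtd" requested_mask="send" denied_mask="send" '
              'signal=term peer="unconfined"')

# The three signal rules visible in the hunk, before and after the patch.
RULES_BEFORE = ['signal (send) peer=/usr/sbin/dnsmasq,',
                'signal (read, send) peer=libvirt-*,',
                'signal (send) set=("kill") peer=unconfined,']
RULES_AFTER = RULES_BEFORE[:2] + [
    'signal (send) set=("kill", "term") peer=unconfined,']
RULE_RE = re.compile(r'^signal\s*\(([^)]*)\)\s*(?:set=\(([^)]*)\))?\s*peer=(\S+),$')

def parse_audit(line):
    """Split an AppArmor audit record into its key=value fields."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def parse_rule(rule):
    """Return (access set, signal set or None meaning 'any signal', peer glob)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported signal rule: " + rule)
    access = {a.strip() for a in m.group(1).split(',')}
    sigs = None if m.group(2) is None else {s.strip().strip('"') for s in m.group(2).split(',')}
    return access, sigs, m.group(3)

def rule_allows(rule, denial):
    """True if one rule covers the denied (access, signal, peer) triple."""
    access, sigs, peer = parse_rule(rule)
    if denial["requested_mask"] not in access:
        return False
    if sigs is not None and denial["signal"] not in sigs:
        return False
    # Assumption: fnmatch is close enough to AppArmor globbing here ('*' vs '/' differs).
    return fnmatch.fnmatchcase(denial["peer"], peer)

def profile_allows(rules, denial):
    return any(rule_allows(r, denial) for r in rules)

def suggest_rule(denial):
    """Narrowest rule that would clear exactly this denial."""
    return 'signal (%s) set=("%s") peer=%s,' % (
        denial["requested_mask"], denial["signal"], denial["peer"])
```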

Hi,
Guido Günther:
--- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -63,7 +63,7 @@
signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, - signal (send) set=("kill") peer=unconfined, + signal (send) set=("kill", "term") peer=unconfined,
+1
Reviewed-by: intrigeri@boum.org
Cheers,
--
intrigeri

On Wed, 2018-01-24 at 10:41 +0100, intrigeri wrote:
Hi,
Guido Günther:
--- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -63,7 +63,7 @@ signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, - signal (send) set=("kill") peer=unconfined, + signal (send) set=("kill", "term") peer=unconfined,
LGTM too. +1 to apply.
--
Jamie Strandboge | http://www.canonical.com

On Thu, Jan 25, 2018 at 9:09 PM, Jamie Strandboge <jamie@canonical.com> wrote:
On Wed, 2018-01-24 at 10:41 +0100, intrigeri wrote:
Hi,
Guido Günther:
--- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -63,7 +63,7 @@ signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, - signal (send) set=("kill") peer=unconfined, + signal (send) set=("kill", "term") peer=unconfined,
LGTM too. +1 to apply.
2 x +1, 1x resolved discussion
IMHO nothing should block this from being committed - so ping?
+1 from me as well btw
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

On 02/06/2018 03:54 PM, Christian Ehrhardt wrote:
On Thu, Jan 25, 2018 at 9:09 PM, Jamie Strandboge <jamie@canonical.com> wrote:
On Wed, 2018-01-24 at 10:41 +0100, intrigeri wrote:
Hi,
Guido Günther:
--- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -63,7 +63,7 @@ signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, - signal (send) set=("kill") peer=unconfined, + signal (send) set=("kill", "term") peer=unconfined,
LGTM too. +1 to apply.
2 x +1 1x resolved Discussion
IMHO nothing should block this from being committed - so ping?
+1 from me as well btw
I've just pushed this.
BTW: hasn't DV granted commit access to somebody just recently so that they can push these apparmor patches?
Michal

On Tue, Feb 6, 2018 at 5:28 PM, Michal Privoznik <mprivozn@redhat.com> wrote:
On 02/06/2018 03:54 PM, Christian Ehrhardt wrote:
On Thu, Jan 25, 2018 at 9:09 PM, Jamie Strandboge <jamie@canonical.com> wrote:
On Wed, 2018-01-24 at 10:41 +0100, intrigeri wrote:
Hi,
Guido Günther:
--- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -63,7 +63,7 @@ signal (send) peer=/usr/sbin/dnsmasq, signal (read, send) peer=libvirt-*, - signal (send) set=("kill") peer=unconfined, + signal (send) set=("kill", "term") peer=unconfined,
LGTM too. +1 to apply.
2 x +1 1x resolved Discussion
IMHO nothing should block this from being committed - so ping?
+1 from me as well btw
I've just pushed this.
Thanks.
BTW: hasn't DV granted commit access to somebody just recently so that they can push these apparmor patches?
There were IRC discussions to get me commit access, but no one with the permissions was around at the time. Except for the unlikely case that all of the rest happened without me knowing about it, it is not me :-) If it was someone else, I'd be pleased to know who so we can CC him/her on such changes.
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

On Tue, Feb 06, 2018 at 05:37:37PM +0100, Christian Ehrhardt wrote:
On Tue, Feb 6, 2018 at 5:28 PM, Michal Privoznik <mprivozn@redhat.com> wrote:
BTW: hasn't DV granted commit access to somebody just recently so that they can push these apparmor patches?
There were IRC discussions to get me commit access, but no one with the permissions was around at the time. Except for the unlikely case that all of the rest happened without me knowing about it, it is not me :-) If it was someone else, I'd be pleased to know who so we can CC him/her on such changes.
I'm happy to give you push access, since we don't have anyone active who represents Ubuntu right now - just Guido for Debian - and you've had a reasonable number of patches coming up for review. Just mail me off-list with your SSH public key and preferred UNIX username.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
participants (8)
- Christian Ehrhardt
- Daniel P. Berrange
- Daniel P. Berrangé
- Guido Günther
- intrigeri
- Jamie Strandboge
- Jim Fehlig
- Michal Privoznik