[libvirt] [PATCH] apparmor: add dnsmasq ptrace rule to libvirtd profile

Guido Günther agx at sigxcpu.org
Fri Oct 6 22:04:23 UTC 2017


Hi,
On Fri, Oct 06, 2017 at 02:58:10PM -0600, Jim Fehlig wrote:
> Commit b482925c added ptrace rule for the apparmor profiles,
> but one was missed in the libvirtd profile for dnsmasq. It was
> overlooked since the test machine did not have an active libvirt
> network requiring dnsmasq that was also set to autostart. With
> one active and set to autostart, the following denial is observed
> in audit.log when restarting libvirtd
> 
> type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
> comm="libvirtd" requested_mask="trace" denied_mask="trace" \
> peer="/usr/sbin/dnsmasq"
> 
> With an active network, I suspect a libvirtd restart causes access
> to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
> side effect of the denial, libvirtd thinks it needs to spawn a
> dnsmasq process even though one is already running for the network.
> E.g. after two libvirtd restarts
> 
> dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> 
> A simple fix is to add a ptrace rule for dnsmasq.
> 
> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
> ---
>  examples/apparmor/usr.sbin.libvirtd | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index fa4ebb355..819068ffc 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -39,6 +39,7 @@
>  
>    ptrace (trace) peer=unconfined,
>    ptrace (trace) peer=/usr/sbin/libvirtd,
> +  ptrace (trace) peer=/usr/sbin/dnsmasq,
>    ptrace (trace) peer=libvirt-*,
>  
>    # Very lenient profile for libvirtd since we want to first focus on
>    confining
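Review bot: the new `ptrace (trace) peer=/usr/sbin/dnsmasq,` rule carries no comment explaining why libvirtd needs to trace dnsmasq, while the commit message has the rationale (a libvirtd restart inspects the running dnsmasq through /proc/<dnsmasq-pid>/*, and the denial makes libvirtd spawn a duplicate instance per network). A one-line comment above the rule, or at least a definitive sentence in the commit message in place of "I suspect", would stop the rule from being dropped later as unneeded. The rule itself matches the denial exactly: profile /usr/sbin/libvirtd, peer /usr/sbin/dnsmasq, denied_mask "trace", so the permission granted is no wider than the audit record asks for.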

Reviewed-By: Guido Günther <agx at sigxcpu.org>


> -- 
> 2.14.1
> 
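The two artefacts in the patch description, the AVC denial in audit.log and the ps listing showing a duplicated dnsmasq per restart, are both things an operator would want to check for on a host before and after applying the profile change. The following is an added example, not code from the patch or from the libvirt project: it parses AVC lines with a generic key="value" regex (an assumption, not the audit tooling's own parser), keeps only DENIED ptrace events, derives the AppArmor rule that would satisfy each one, and counts dnsmasq-owned main processes per --conf-file from ps-style output. The sample lines are constructed from the quoted message (line continuations joined, one extra non-ptrace denial made up for contrast), and the decision to skip root-owned entries assumes they are dnsmasq's dhcp-script helper rather than a separate instance.

```python
"""Detect AppArmor ptrace denials and duplicate libvirt dnsmasq instances.

Added example for the libvirtd AppArmor profile discussion; not libvirt code.
"""
import re
from collections import Counter

# Constructed sample audit.log content. The first entry is the denial quoted
# in the patch description; the second is a made-up non-ptrace denial that
# the filter below must ignore.
AUDIT_LINES = [
    'type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" '
    'operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 '
    'comm="libvirtd" requested_mask="trace" denied_mask="trace" '
    'peer="/usr/sbin/dnsmasq"',
    'type=AVC msg=audit(1507320200.100:301): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/libvirtd" name="/etc/example" '
    'pid=5480 comm="libvirtd" requested_mask="r" denied_mask="r"',
]

# Constructed sample ps output, taken from the listing in the patch
# description after two libvirtd restarts (each line joined into one).
_CMD = ('/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf '
        '--leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper')
PS_LINES = [
    'dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 ' + _CMD,
    'root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 ' + _CMD,
    'dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 ' + _CMD,
    'root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 ' + _CMD,
    'dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 ' + _CMD,
    'root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 ' + _CMD,
]

# key="quoted value" or key=bare-token, the shape audit records use.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the key/value fields of one audit record as a dict."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def ptrace_denials(lines):
    """Return (profile, peer, denied_mask) for every DENIED ptrace record."""
    found = []
    for line in lines:
        f = parse_avc(line)
        if f.get("type") != "AVC" or f.get("apparmor") != "DENIED":
            continue
        if f.get("operation") != "ptrace":
            continue
        found.append((f.get("profile"), f.get("peer"), f.get("denied_mask")))
    return found


def suggest_rule(denial):
    """Turn one (profile, peer, mask) denial into the AppArmor rule that
    would permit exactly the denied access, in profile syntax."""
    _profile, peer, mask = denial
    return "ptrace (%s) peer=%s," % (mask, peer)


def duplicate_dnsmasq_instances(ps_lines):
    """Return {conf_file: count} for every --conf-file that has more than one
    dnsmasq-owned main process. Root-owned entries are skipped on the
    assumption that they are the helper dnsmasq forks for --dhcp-script."""
    counts = Counter()
    for line in ps_lines:
        parts = line.split(None, 10)  # ps aux has 11 columns; COMMAND is last
        if len(parts) < 11:
            continue
        user, cmd = parts[0], parts[10]
        if user != "dnsmasq":
            continue
        m = re.search(r'--conf-file=(\S+)', cmd)
        if m:
            counts[m.group(1)] += 1
    return {conf: n for conf, n in counts.items() if n > 1}


if __name__ == "__main__":
    for d in ptrace_denials(AUDIT_LINES):
        print("denied:", d, "->", suggest_rule(d))
    for conf, n in duplicate_dnsmasq_instances(PS_LINES).items():
        print("%d dnsmasq instances for %s" % (n, conf))
```

Run against the sample data it reports the single ptrace denial, proposes `ptrace (trace) peer=/usr/sbin/dnsmasq,` (the line the patch adds), and counts three dnsmasq instances for default.conf, one per libvirtd start. Point the two lists at a real audit.log and `ps aux` output to use it as a post-upgrade check; a profile that still denies will show up in the first report, and leftover duplicates from before the fix in the second.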