[libvirt] [PATCH] apparmor: support finer-grained ptrace checks
Guido Günther
agx at sigxcpu.org
Wed Sep 20 06:51:08 UTC 2017
Hi Jim,
On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote:
> Kernel 4.13 introduced finer-grained ptrace checks
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
>
> When Apparmor is enabled and libvirtd is confined, attempting to start
> a domain fails
>
> virsh start test
> error: Failed to start domain test
> error: internal error: child reported: Kernel does not provide mount
> namespace: Permission denied
>
> The audit log contains
>
> type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="/usr/sbin/libvirtd"
It seems access to /proc/<pid>/tasks already requires trace permissions.
>
> It was also noticed that simply connecting to libvirtd (e.g. virsh list)
> resulted in the following entries in the audit log
>
> type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="unconfined"
> type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="unconfined"
>
> Both Apparmor denials can be fixed by adding ptrace rules to the
> libvirtd profile. The new rules only grant trace permission.
I'm seeing the same denials with 4.13 (4.13.1-1~exp1 (2017-09-11) in
Debian) but the proposed profile change does not fix the vm start issue
for me. I can't tell why atm, will have to look into this in more detail
at the WE.
>
> Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
> ---
>
> Even with debug enabled in libvirtd, I've had a hard time correlating a
> libvirtd action that results in the denied ptrace check seen in the audit
> log. I suspect it is related to accessing files in /proc as mentioned in
> the apparmor wiki
>
> http://wiki.apparmor.net/index.php/TechnicalDo_Proc_and_ptrace
>
> cc'ing some of the usual apparmor suspects for any words of wisdom.
>
> examples/apparmor/usr.sbin.libvirtd | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index acb59e071..ff84aa149 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -37,6 +37,10 @@
> network packet dgram,
> network packet raw,
>
> + # Support finer-grained ptrace checks, which were enabled in kernel 4.13
> + ptrace trace peer=/usr/sbin/libvirtd,
> + ptrace trace peer=unconfined,
> +
> # Very lenient profile for libvirtd since we want to first focus on confining
> # the guests. Guests will have a very restricted profile.
> / r,
> --
> 2.14.1
>
More information about the libvir-list
mailing list