[libvirt] [PATCH] apparmor: support finer-grained ptrace checks

Guido Günther agx at sigxcpu.org
Wed Sep 20 06:51:08 UTC 2017


Hi Jim,
On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote:
> Kernel 4.13 introduced finer-grained ptrace checks
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
> 
> When Apparmor is enabled and libvirtd is confined, attempting to start
> a domain fails
> 
> virsh start test
> error: Failed to start domain test
> error: internal error: child reported: Kernel does not provide mount
>        namespace: Permission denied
> 
> The audit log contains
> 
> type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="/usr/sbin/libvirtd"

It seems access to /proc/<pid>/tasks already requires trace permissions.

> 
> It was also noticed that simply connecting to libvirtd (e.g. virsh list)
> resulted in the following entries in the audit log
> 
> type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="unconfined"
> type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="unconfined"
> 
> Both Apparmor denials can be fixed by adding ptrace rules to the
> libvirtd profile. The new rules only grant trace permission.

I'm seeing the same denials with 4.13 (4.13.1-1~exp1 (2017-09-11) in
Debian) but the proposed profile change does not fix the vm start issue
for me. I can't tell why atm, will have to look into this in more detail
at the WE.

> 
> Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
> ---
> 
> Even with debug enabled in libvirtd, I've had a hard time correlating a
> libvirtd action that results in the denied ptrace check seen in the audit
> log. I suspect it is related to accessing files in /proc as mentioned in
> the apparmor wiki
> 
> http://wiki.apparmor.net/index.php/TechnicalDo_Proc_and_ptrace
> 
> cc'ing some of the usual apparmor suspects for any words of wisdom.
> 
>  examples/apparmor/usr.sbin.libvirtd | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index acb59e071..ff84aa149 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -37,6 +37,10 @@
>    network packet dgram,
>    network packet raw,
>  
> +  # Support finer-grained ptrace checks, which were enabled in kernel 4.13
> +  ptrace trace peer=/usr/sbin/libvirtd,
> +  ptrace trace peer=unconfined,
> +
>    # Very lenient profile for libvirtd since we want to first focus on confining
>    # the guests. Guests will have a very restricted profile.
>    / r,
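Review bot: the two rules may be narrower than the failure described; the reply above reports that this change does not fix the VM start failure on a Debian 4.13 kernel, and the commit message itself suspects /proc file access via the cited AppArmor wiki page, so before settling on `trace` alone it is worth checking the audit log for ptrace denials with a different mask (AppArmor ptrace rules also distinguish `read`, `readby` and `tracedby`) and widening the rule, e.g. `ptrace (read, trace) peer=/usr/sbin/libvirtd,`, only if such entries appear. The `ptrace trace peer=unconfined,` line also deserves a comment saying which clients trigger it (the description says a plain `virsh list` from an unconfined process does), since granting trace toward every unconfined peer is a broad grant even for a profile the existing comment calls "very lenient".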
> -- 
> 2.14.1
> 
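The denials quoted in the thread can be turned into the matching profile rules mechanically; the following is an added example (not code from the thread or from libvirt) that parses AppArmor AVC audit records of the shape shown above and proposes one deduplicated `ptrace` rule per denied profile/peer pair, ignoring non-ptrace denials. The log text is constructed from the records in the thread plus one unrelated `open` denial.

```python
import re
from typing import Dict, List

# Constructed sample: the records quoted in the thread (one per line, as the
# audit log writes them) plus an unrelated non-ptrace denial that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1505755799.975:65): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1505755799.976:66): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1505755800.001:67): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="r" denied_mask="r" name="/etc/shadow"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, str]:
    """Split one audit record into a key -> value dict (surrounding quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def ptrace_rules(log_text: str) -> Dict[str, List[str]]:
    """Return, per confined profile, the deduplicated AppArmor ptrace rules that
    would cover each DENIED ptrace record in log_text. Other operations are skipped.

    The denied mask (trace, read, tracedby, readby) is copied verbatim into the
    rule, so a record denied for a different mask produces a different rule."""
    rules: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "ptrace":
            continue
        mask = rec.get("denied_mask") or rec.get("requested_mask")
        peer = rec.get("peer", "unconfined")
        rule = f"ptrace {mask} peer={peer},"
        bucket = rules.setdefault(rec["profile"], [])
        if rule not in bucket:  # the same denial is typically logged many times
            bucket.append(rule)
    return rules


if __name__ == "__main__":
    for profile, lines in ptrace_rules(SAMPLE_AUDIT_LOG).items():
        print(f"# rules for {profile}")
        print("\n".join("  " + rule for rule in lines))
```

For the sample above the output is exactly the two rules the patch adds; a record with `requested_mask="read"` would instead yield a `ptrace read peer=...,` line, which is the quickest way to see whether `trace` alone covers the /proc access suspected in the description.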