[libvirt] [PATCH] apparmor: support finer-grained ptrace checks

Jim Fehlig jfehlig at suse.com
Wed Sep 20 17:17:06 UTC 2017


On 09/20/2017 08:57 AM, Jim Fehlig wrote:
> On 09/20/2017 12:51 AM, Guido Günther wrote:
>> Hi Jim,
>> On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote:
>>> Kernel 4.13 introduced finer-grained ptrace checks
>>>
>>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 
>>>
>>>
>>> When Apparmor is enabled and libvirtd is confined, attempting to start
>>> a domain fails
>>>
>>> virsh start test
>>> error: Failed to start domain test
>>> error: internal error: child reported: Kernel does not provide mount
>>>         namespace: Permission denied
>>>
>>> The audit log contains
>>>
>>> type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
>>> operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
>>> comm="libvirtd" requested_mask="trace" denied_mask="trace"
>>> peer="/usr/sbin/libvirtd"
>>
>> It seems access to /proc/<pid>/tasks already requires trace permissions.
>>
>>>
>>> It was also noticed that simply connecting to libvirtd (e.g. virsh list)
>>> resulted in the following entries in the audit log
>>>
>>> type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
>>> operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
>>> comm="libvirtd" requested_mask="trace" denied_mask="trace"
>>> peer="unconfined"
>>> type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
>>> operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
>>> comm="libvirtd" requested_mask="trace" denied_mask="trace"
>>> peer="unconfined"
>>>
>>> Both Apparmor denials can be fixed by adding ptrace rules to the
>>> libvirtd profile. The new rules only grant trace permission.
>>
>> I'm seeing the same denials with 4.13 (4.13.1-1~exp1 (2017-09-11) in
>> Debian) but the proposed profile change does not fix the vm start issue
>> for me. I can't tell why atm, will have to look into this in more detail
>> at the WE.
> 
> I have other problems when running with 'security_default_confined = 1' in 
> qemu.conf, but the changes allow starting unconfined domains.
> 
> Cedric remembered this old thread
> 
> https://www.redhat.com/archives/libvir-list/2014-October/msg00011.html
> 
> Some of those changes have been merged, but the ptrace, dbus, signal, etc. have 
> not. I used Stefan's changes to the libvirtd profile but still see the same 
> issue with confined domains

I dug a bit further in that thread to find Stefan's most recent version of the 
patches

https://www.redhat.com/archives/libvir-list/2014-October/msg00556.html

I took the ptrace, dbus, signal, etc. changes out of patch 2 and used the 
attached patch to successfully start confined domains.

Since a few years have passed, I'm not sure if patch 1 is still relevant. IIUC,
it allows conditionalizing profile content based on apparmor version, which
patch 2 uses to add some stuff if version >= 2.9. 2.9 has been out for a while...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-apparmor-support-ptrace-checks.patch
Type: text/x-patch
Size: 3170 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170920/0ed31e7a/attachment-0001.bin>
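As an added example (not part of this thread or of the attached patch), a small Python helper that turns AppArmor ptrace denials like the ones quoted above into the minimal `ptrace (...) peer=...,` rules a profile would need, collapsing repeated denials into one rule per (profile, peer). The sample log is constructed from the three AVC lines quoted in the mail (re-joined onto single lines) plus one unrelated, made-up denial to show that non-ptrace entries are filtered out.

```python
import re
from collections import OrderedDict

# Constructed sample input: the three ptrace denials quoted in the thread,
# plus one invented non-ptrace denial that the helper must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1505755799.975:65): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1505755799.976:66): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1505755800.001:67): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/example.conf" pid=1418 comm="libvirtd" requested_mask="r" denied_mask="r"
"""

# Matches every key="value" pair; unquoted fields (type=, msg=, pid=) are skipped.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_avc(line):
    """Return the quoted key/value fields of one AVC audit line, or None."""
    if not line.startswith("type=AVC"):
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields or None


def ptrace_denials(log_text):
    """Yield (profile, denied_mask, peer) for each AppArmor ptrace denial."""
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f and f.get("apparmor") == "DENIED" and f.get("operation") == "ptrace":
            yield f["profile"], f["denied_mask"], f["peer"]


def suggest_ptrace_rules(log_text):
    """Map each confined profile to the ptrace rules that cover its denials.

    One rule per distinct peer; the access granted is exactly the denied mask
    (here 'trace'), so nothing broader than what was actually refused is added.
    """
    by_profile = OrderedDict()
    for profile, mask, peer in ptrace_denials(log_text):
        by_profile.setdefault(profile, OrderedDict())[peer] = mask
    return {
        profile: [f"ptrace ({mask}) peer={peer}," for peer, mask in peers.items()]
        for profile, peers in by_profile.items()
    }


if __name__ == "__main__":
    for profile, rules in suggest_ptrace_rules(SAMPLE_AUDIT_LOG).items():
        print(f"# rules for profile {profile}")
        print("\n".join("  " + r for r in rules))
```

The two `unconfined` denials collapse into a single rule, so the output for the quoted log is exactly the two `ptrace (trace)` lines the mail says the profile needs.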
