[libvirt] [PATCH] apparmor: support finer-grained ptrace checks
Jamie Strandboge
jamie at canonical.com
Fri Sep 22 21:25:35 UTC 2017
On Fri, 2017-09-22 at 15:04 -0600, Jim Fehlig wrote:
>
> Using kernel 4.13, apparmor 2.11, and the current libvirt.git profiles,
> simply
> starting libvirtd results in the following denial
>
> type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace"
> profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace"
> denied_mask="trace" peer="unconfined"
>
> Adding 'ptrace (trace) peer=unconfined,' allows starting libvirtd with no
> denials. But this rule is not enough to start unconfined domains, where I see
> the following denial
This is fine for the libvirtd profile (not libvirt-qemu/libvirt-lxc of course).
I'm curious what libvirtd is trying to trace...
> type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace"
> profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace"
> denied_mask="trace" peer="/usr/sbin/libvirtd"
>
> Adding 'ptrace (trace) peer=/usr/sbin/libvirtd,' allows starting unconfined
> domains. But this is still not enough to start confined domains, where I see
> the
> following denials
This is fine for the libvirtd profile (not libvirt-qemu/libvirt-lxc of course).
I suspect this is for libvirtd tracing things it launches.
> type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open"
> profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283
> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open"
> profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289
> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace"
> profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace"
> denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
>
> Finally, adding 'ptrace (trace) peer=(label=@{profile_name}),' allows
> starting
> confined domains.
>
This rule isn't right and doesn't parse (apparmor 2.11.0):
$ apparmor_parser -QTK ./apparmor.profile
AppArmor parser error for ./apparmor.profile in ./apparmor.profile at line 6:
syntax error, unexpected TOK_CONDLISTID, expecting TOK_CONDID or TOK_END_OF_RULE
I suspect you intended:
ptrace (trace) peer=@{profile_name},
but the denial you posted is the profile for libvirtd, so @{profile_name}
expands to "/usr/sbin/libvirtd", which the rule I just gave is the same as the
second rule above.
The peer in the denial is peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff",
so the rule you want is:
ptrace (trace) peer=libvirt-*,
This should allow libvirtd to ptrace either qemu or libvirt-lxc guests.
--
Jamie Strandboge | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170922/bde58f33/attachment-0001.sig>
More information about the libvir-list
mailing list