[libvirt] [PATCH] apparmor: support finer-grained ptrace checks

Jamie Strandboge jamie at canonical.com
Fri Sep 22 21:25:35 UTC 2017


On Fri, 2017-09-22 at 15:04 -0600, Jim Fehlig wrote:
> 
> Using kernel 4.13, apparmor 2.11, and the current libvirt.git profiles,
> simply starting libvirtd results in the following denial
> 
> type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" 
> profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" 
> denied_mask="trace" peer="unconfined"
> 
> Adding 'ptrace (trace) peer=unconfined,' allows starting libvirtd with no 
> denials. But this rule is not enough to start unconfined domains, where I see 
> the following denial

This is fine for the libvirtd profile (not libvirt-qemu/libvirt-lxc of course).
I'm curious what libvirtd is trying to trace...

> type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" 
> profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" 
> denied_mask="trace" peer="/usr/sbin/libvirtd"
> 
> Adding 'ptrace (trace) peer=/usr/sbin/libvirtd,' allows starting unconfined
> domains. But this is still not enough to start confined domains, where I see
> the following denials

This is fine for the libvirtd profile (not libvirt-qemu/libvirt-lxc of course).
I suspect this is for libvirtd tracing things it launches.

> type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" 
> profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 
> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open" 
> profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289 
> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" 
> profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" 
> denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
> 
> Finally, adding 'ptrace (trace) peer=(label=@{profile_name}),' allows
> starting confined domains.
> 
This rule isn't right and doesn't parse (apparmor 2.11.0):

$ apparmor_parser -QTK ./apparmor.profile 
AppArmor parser error for ./apparmor.profile in ./apparmor.profile at line 6:
syntax error, unexpected TOK_CONDLISTID, expecting TOK_CONDID or TOK_END_OF_RULE

I suspect you intended:

  ptrace (trace) peer=@{profile_name},

but the denial you posted is from the profile for libvirtd, so @{profile_name}
expands to "/usr/sbin/libvirtd", which makes the rule I just gave the same as the
second rule above.

The peer in the denial is peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff",
so the rule you want is:

  ptrace (trace) peer=libvirt-*,

This should allow libvirtd to ptrace either qemu or libvirt-lxc guests.

-- 
Jamie Strandboge             | http://www.canonical.com
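The thread works from raw AVC denial lines to the profile rules that would allow them, and Jamie's final point is that the per-guest peer label ("libvirt-<uuid>") should be matched with the glob "libvirt-*" rather than "@{profile_name}". The script below is an added example, not code from the thread or from libvirt/AppArmor: it parses AVC lines in the format quoted above, emits one "ptrace (<mask>) peer=...," rule per (profile, peer) pair, collapses guest labels into "libvirt-*", and checks a generated rule against a concrete peer. The sample lines are the thread's own denials re-joined onto single lines; the use of fnmatch to approximate AppArmor's "*" for label names is a simplification I am assuming here.

```python
"""Turn AppArmor 'ptrace' denials into candidate profile rules.

Added example, not part of the libvir-list thread. Sample input is
constructed from the AVC lines quoted in the thread.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample: the three ptrace denials from the thread plus one
# 'open' denial from virt-aa-helper, which is not a ptrace event.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Guest labels in the thread look like libvirt-<uuid>; the fix is the
# glob libvirt-*, so collapse any such label to it.
GUEST_LABEL_RE = re.compile(r'^libvirt-[0-9a-f-]{36}$')


def parse_avc(line):
    """Return the key=value fields of one AVC line as a dict, quotes stripped."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def generalize_peer(peer):
    """Collapse per-guest labels into 'libvirt-*'; keep every other peer literal."""
    return 'libvirt-*' if GUEST_LABEL_RE.match(peer) else peer


def ptrace_rules(audit_text):
    """Map each denied profile to the ordered, de-duplicated list of
    'ptrace (<denied_mask>) peer=<peer>,' rules that would allow its denials."""
    rules = {}
    for line in audit_text.splitlines():
        f = parse_avc(line)
        if f.get('apparmor') != 'DENIED' or f.get('operation') != 'ptrace':
            continue  # only ptrace denials produce ptrace rules
        rule = f'ptrace ({f["denied_mask"]}) peer={generalize_peer(f["peer"])},'
        per_profile = rules.setdefault(f['profile'], [])
        if rule not in per_profile:
            per_profile.append(rule)
    return rules


def rule_allows(rule, peer, access='trace'):
    """True if a generated rule covers a concrete peer label for the given access.
    fnmatch stands in for AppArmor's own glob matching (assumption/simplification)."""
    m = re.match(r'ptrace \((\w+)\) peer=(.+),$', rule)
    return m is not None and m.group(1) == access and fnmatchcase(peer, m.group(2))


if __name__ == '__main__':
    for profile, rules in ptrace_rules(SAMPLE_AUDIT).items():
        print(f'# rules for profile {profile}')
        for r in rules:
            print(f'  {r}')
```

Run as a script it prints the three rules for /usr/sbin/libvirtd that the thread converges on; the virt-aa-helper "open" denial is skipped because it is not a ptrace event and would need a file rule instead.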