[libvirt] [PATCH] apparmor: support finer-grained ptrace checks

Jim Fehlig jfehlig at suse.com
Fri Sep 22 22:55:48 UTC 2017 

On 09/22/2017 03:25 PM, Jamie Strandboge wrote:
> On Fri, 2017-09-22 at 15:04 -0600, Jim Fehlig wrote:
>>
>> Using kernel 4.13, apparmor 2.11, and the current libvirt.git profiles,
>> simply
>> starting libvirtd results in the following denial
>>
>> type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace"
>> profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace"
>> denied_mask="trace" peer="unconfined"
>>
>> Adding 'ptrace (trace) peer=unconfined,' allows starting libvirtd with no
>> denials. But this rule is not enough to start unconfined domains, where I see
>> the following denial
> 
> This is fine for the libvirtd profile (not libvirt-qemu/libvirt-lxc of course).
> I'm curious what libvirtd is trying to trace...
> 
>> type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace"
>> profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace"
>> denied_mask="trace" peer="/usr/sbin/libvirtd"
>>
>> Adding 'ptrace (trace) peer=/usr/sbin/libvirtd,' allows starting unconfined
>> domains. But this is still not enough to start confined domains, where I see
>> the
>> following denials
> 
> This is fine for the libvirtd profile (not libvirt-qemu/libvirt-lxc of course).
> I suspect this is for libvirtd tracing things it launches.
> 
>> type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open"
>> profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283
>> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open"
>> profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289
>> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace"
>> profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace"
>> denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
>>
>> Finally, adding 'ptrace (trace) peer=(label=@{profile_name}),' allows
>> starting
>> confined domains.
>>
> This rule isn't right and doesn't parse (apparmor 2.11.0):
> 
> $ apparmor_parser -QTK ./apparmor.profile
> AppArmor parser error for ./apparmor.profile in ./apparmor.profile at line 6:
> syntax error, unexpected TOK_CONDLISTID, expecting TOK_CONDID or TOK_END_OF_RULE
> 
> I suspect you intended:
> 
>    ptrace (trace) peer=@{profile_name},

Yes, this is what I have on the test system, where I've been editing the 
profiles directly. I'm at a loss to explain why it works. I.e. why I can start 
confined domains with the rule, but can't without it.

> 
> but the denial you posted is the profile for libvirtd, so @{profile_name}
> expands to "/usr/sbin/libvirtd", which the rule I just gave is the same as the
> second rule above.
> 
> The peer in the denial is peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff",
> so the rule you want is:
> 
>    ptrace (trace) peer=libvirt-*,

Thanks. I'll send a V3 with this change.

Regards,
Jim

More information about the libvir-list mailing list