[libvirt] [PATCH] apparmor: support finer-grained ptrace checks

Jim Fehlig jfehlig at suse.com
Fri Sep 22 23:23:49 UTC 2017


On 09/22/2017 04:55 PM, Jim Fehlig wrote:
> On 09/22/2017 03:25 PM, Jamie Strandboge wrote:
>> On Fri, 2017-09-22 at 15:04 -0600, Jim Fehlig wrote:
>>>
>>> Using kernel 4.13, apparmor 2.11, and the current libvirt.git profiles,
>>> simply starting libvirtd results in the following denial
>>>
>>> type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace"
>>> profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace"
>>> denied_mask="trace" peer="unconfined"
>>>
>>> Adding 'ptrace (trace) peer=unconfined,' allows starting libvirtd with no
>>> denials. But this rule is not enough to start unconfined domains, where I see
>>> the following denial
>>
>> This is fine for the libvirtd profile (not libvirt-qemu/libvirt-lxc of course).
>> I'm curious what libvirtd is trying to trace...
>>
>>> type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace"
>>> profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace"
>>> denied_mask="trace" peer="/usr/sbin/libvirtd"
>>>
>>> Adding 'ptrace (trace) peer=/usr/sbin/libvirtd,' allows starting unconfined
>>> domains. But this is still not enough to start confined domains, where I see
>>> the following denials
>>
>> This is fine for the libvirtd profile (not libvirt-qemu/libvirt-lxc of course).
>> I suspect this is for libvirtd tracing things it launches.
>>
>>> type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open"
>>> profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283
>>> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>>> type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open"
>>> profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289
>>> comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>>> type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace"
>>> profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace"
>>> denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
>>>
>>> Finally, adding 'ptrace (trace) peer=(label=@{profile_name}),' allows
>>> starting confined domains.
>>>
>> This rule isn't right and doesn't parse (apparmor 2.11.0):
>>
>> $ apparmor_parser -QTK ./apparmor.profile
>> AppArmor parser error for ./apparmor.profile in ./apparmor.profile at line 6:
>> syntax error, unexpected TOK_CONDLISTID, expecting TOK_CONDID or TOK_END_OF_RULE
>>
>> I suspect you intended:
>>
>>    ptrace (trace) peer=@{profile_name},
> 
> Yes, this is what I have on the test system, where I've been editing the 
> profiles directly. I'm at a loss to explain why it works. I.e. why I can start 
> confined domains with the rule, but can't without it.

Duh. With the bogus rule the profile fails to parse and thus is not loaded.

Regards,
Jim
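As an added example (not part of the thread or of libvirt's own tooling), the following Python script parses the AVC denial records quoted above into their fields, collapses duplicate denials, and prints the literal AppArmor rule each one would need. The sample records are copied from the thread; the rule-suggestion logic is an assumption of this example and covers only the two operations that appear (ptrace and file open).

```python
import re
from collections import defaultdict

# Constructed sample: the DENIED records quoted in the thread, one per line
# (the thread shows them wrapped; here each record is on a single line).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one AppArmor audit record into a dict of key -> value (quotes stripped)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def candidate_rule(fields):
    """Return the literal rule that would permit this denial, or None.

    Assumed mapping (this example's own, not libvirt's): a ptrace denial maps
    to 'ptrace (<mask>) peer=<peer>,' and a file open maps to '<path> <mask>,'.
    The result is a starting point for review, not something to load blindly.
    """
    if fields.get("apparmor") != "DENIED":
        return None
    op = fields.get("operation")
    mask = fields.get("denied_mask", "")
    if op == "ptrace" and "peer" in fields:
        return f'ptrace ({mask}) peer={fields["peer"]},'
    if op == "open" and "name" in fields:
        return f'{fields["name"]} {mask},'
    return None


def triage(audit_text):
    """Group unique denials per confined profile and attach a candidate rule.

    Returns {profile: [(fields, rule), ...]} with repeated denials
    (same profile, operation, peer/name and mask) collapsed to one entry.
    """
    seen = set()
    by_profile = defaultdict(list)
    for line in audit_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = parse_avc(line)
        key = (f.get("profile"), f.get("operation"), f.get("peer"),
               f.get("name"), f.get("denied_mask"))
        if key in seen:
            continue
        seen.add(key)
        by_profile[f["profile"]].append((f, candidate_rule(f)))
    return dict(by_profile)


if __name__ == "__main__":
    for profile, entries in triage(SAMPLE_AUDIT).items():
        print(f"profile {profile}:")
        for f, rule in entries:
            target = f.get("peer") or f.get("name")
            print(f"  {f['operation']:8} {target}  ->  {rule}")
```

Each suggested rule should still be checked with `apparmor_parser -QTK` against the edited profile before it is loaded, which is exactly the check that exposed the unparsable `peer=(label=...)` form in the thread: a profile that fails to parse is never loaded, so the observed behaviour says nothing about the rule itself.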
