[libvirt] [PATCH 2/2] apparmor: Add ptrace and signal rules for named profile

Jim Fehlig jfehlig at suse.com
Fri Mar 1 22:28:50 UTC 2019


Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules. As a result, libvirtd is unable to
signal confined qemu processes and hence unable to shut down
or destroy VMs.

Add ptrace and signal rules that reference the libvirtd profile
by name in addition to the full binary path.

Signed-off-by: Jim Fehlig <jfehlig at suse.com>
---
 src/security/apparmor/libvirt-qemu | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 7d28faa163..474aaefdf8 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -16,8 +16,10 @@
   network inet stream,
   network inet6 stream,
 
+  ptrace (readby, tracedby) peer=libvirtd,
   ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
 
+  signal (receive) peer=libvirtd,
   signal (receive) peer=/usr/sbin/libvirtd,
 
   /dev/net/tun rw,
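Review bot: the hunk keeps the old path-based rules (`peer=/usr/sbin/libvirtd`) next to the new named-profile rules (`peer=libvirtd`), but neither the commit message nor a comment in the profile says why both are needed; please state in the commit message that the path form is retained for hosts whose libvirtd profile is still attached by path (policy predating commit a3ab6d42), so a later cleanup does not drop it prematurely. The permissions themselves stay minimal, which is good: qemu only gains `ptrace (readby, tracedby)` and `signal (receive)` from libvirtd, i.e. libvirtd may inspect and signal the confined guest but the guest gets no ptrace or signal rights back toward libvirtd. Consider also adding a short comment above the two rules, e.g. `# libvirtd profile is named since a3ab6d42; keep the path form for older policy`, so the duplication is self-explaining when someone reads the profile without the git history.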
-- 
2.20.1