[libvirt] [PATCH 2/2] apparmor: Add ptrace and signal rules for named profile

Jamie Strandboge jamie at canonical.com
Sat Mar 2 14:20:08 UTC 2019


On Fri, 01 Mar 2019, Jim Fehlig wrote:

> Commit a3ab6d42 changed the libvirtd profile to a named profile
> but neglected to accommodate the change in the qemu profile
> ptrace and signal rules. As a result, libvirtd is unable to
> signal confined qemu processes and hence unable to shut down
> or destroy VMs.
> 
> Add ptrace and signal rules that reference the libvirtd profile
> by name in addition to full binary path.
> 
> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
> ---
>  src/security/apparmor/libvirt-qemu | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 7d28faa163..474aaefdf8 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -16,8 +16,10 @@
>    network inet stream,
>    network inet6 stream,
>  
> +  ptrace (readby, tracedby) peer=libvirtd,
>    ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
>  
> +  signal (receive) peer=libvirtd,
>    signal (receive) peer=/usr/sbin/libvirtd,
>  
>    /dev/net/tun rw,
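Review bot: the two new `peer=libvirtd` rules are placed beside the existing `peer=/usr/sbin/libvirtd` rules with no comment explaining why both forms are kept, so a future maintainer may drop one as a duplicate. A one-line comment above the pair, e.g. `# libvirtd is a named profile since a3ab6d42; keep the path form for older profiles`, would document the intent from the commit message in the profile itself. The permission sets match between the paired lines (`(readby, tracedby)` for ptrace, `(receive)` for signal), which is what is needed for the named and path-based libvirtd profiles to be treated identically; if either set is changed later, both lines need the same change.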

+1 to commit

-- 
Jamie Strandboge             | http://www.canonical.com

