[libvirt] [PATCH 2/2] apparmor: Add ptrace and signal rules for named profile

Jim Fehlig jfehlig at suse.com
Wed Mar 6 03:53:24 UTC 2019


On 3/2/19 7:20 AM, Jamie Strandboge wrote:
> On Fri, 01 Mar 2019, Jim Fehlig wrote:
> 
>> Commit a3ab6d42 changed the libvirtd profile to a named profile
>> but neglected to accommodate the change in the qemu profile
>> ptrace and signal rules. As a result, libvirtd is unable to
>> signal confined qemu processes and hence unable to shut down
>> or destroy VMs.
>>
>> Add ptrace and signal rules that reference the libvirtd profile
>> by name in addition to full binary path.
>>
>> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
>> ---
>>   src/security/apparmor/libvirt-qemu | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
>> index 7d28faa163..474aaefdf8 100644
>> --- a/src/security/apparmor/libvirt-qemu
>> +++ b/src/security/apparmor/libvirt-qemu
>> @@ -16,8 +16,10 @@
>>     network inet stream,
>>     network inet6 stream,
>>   
>> +  ptrace (readby, tracedby) peer=libvirtd,
>>     ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
>>   
>> +  signal (receive) peer=libvirtd,
>>     signal (receive) peer=/usr/sbin/libvirtd,
>>   
>>     /dev/net/tun rw,
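Review bot: the path-based rules `peer=/usr/sbin/libvirtd` are left in place next to the new `peer=libvirtd` rules in this hunk, so the profile now carries two peer rules for the same confinement; if the path form is kept deliberately (for hosts whose libvirtd policy still uses the binary path as its profile name, predating a3ab6d42), a one-line comment above each pair saying so would stop a later cleanup from dropping the wrong one, and if it is not needed the path rule could be removed in the same change rather than duplicated.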
> 
> +1 to commit

Thanks! Any comment on 1/2? It fixes the rather nasty bug of libvirtd not 
starting when the apparmor driver is explicitly enabled in qemu.conf.

Regards,
Jim




More information about the libvir-list mailing list