[PATCH 1/2] apparmor: Allow lxc processes to receive signals from libvirt

Jim Fehlig jfehlig at suse.com
Thu Dec 3 02:57:14 UTC 2020


LXC processes confined by apparmor are not permitted to receive signals
from libvirtd. Attempting to destroy such a process fails

virsh --connect lxc:/// destroy distro_apparmor
 error: Failed to destroy domain distro_apparmor
 error: Failed to kill process 29491: Permission denied

And from /var/log/audit/audit.log

type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED"
operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1"
pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive"
signal=term peer="libvirtd"

Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc
abstraction allowing reception of signals from libvirtd.

Signed-off-by: Jim Fehlig <jfehlig at suse.com>
---
 src/security/apparmor/libvirt-lxc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libvirt-lxc
index e556f2a7bd..0c8b812743 100644
--- a/src/security/apparmor/libvirt-lxc
+++ b/src/security/apparmor/libvirt-lxc
@@ -1,5 +1,9 @@
   #include <abstractions/base>
 
+ # Allow receiving signals from libvirtd
+  signal (receive) peer=libvirtd,
+  signal (receive) peer=/usr/sbin/libvirtd,
+
   umount,
 
   # ignore DENIED message on / remount
-- 
2.29.2





More information about the libvir-list mailing list