[PATCH 1/2] apparmor: Allow lxc processes to receive signals from libvirt

Christian Ehrhardt christian.ehrhardt at canonical.com
Thu Dec 3 09:46:15 UTC 2020


On Thu, Dec 3, 2020 at 3:58 AM Jim Fehlig <jfehlig at suse.com> wrote:
>
> LXC processes confined by apparmor are not permitted to receive signals
> from libvirtd. Attempting to destroy such a process fails
>
> virsh --connect lxc:/// destroy distro_apparmor
>  error: Failed to destroy domain distro_apparmor
>  error: Failed to kill process 29491: Permission denied
>
> And from /var/log/audit/audit.log
>
> type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED"
> operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1"
> pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive"
> signal=term peer="libvirtd"
>
> Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc
> abstraction allowing reception of signals from libvirtd.

Agreed that it is the same rule as in libvirt-qemu and therefore
should be rather safe.

TBH I did not see the denial when testing 6.9.0 [1], but the pattern
is known and therefore I think adding the rule is fine.

Reviewed-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>

[1]: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-hirsute/hirsute/amd64/libv/libvirt/20201127_105058_4590a@/log.gz

> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
> ---
>  src/security/apparmor/libvirt-lxc | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libvirt-lxc
> index e556f2a7bd..0c8b812743 100644
> --- a/src/security/apparmor/libvirt-lxc
> +++ b/src/security/apparmor/libvirt-lxc
> @@ -1,5 +1,9 @@
>    #include <abstractions/base>
>
> + # Allow receiving signals from libvirtd
> +  signal (receive) peer=libvirtd,
> +  signal (receive) peer=/usr/sbin/libvirtd,
> +
>    umount,
>
>    # ignore DENIED message on / remount
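Review bot: the comment line `+ # Allow receiving signals from libvirtd` is indented one space while the two rules under it and the neighbouring `umount,` use two; align it with the rest of the abstraction. The two `peer=` spellings are both needed, since a libvirtd profile may be named by short name or by path and the audit record in the description (`peer="libvirtd"`) is matched by the first form only. Note that without a `set=` qualifier these rules permit any signal from libvirtd, not just the `term` seen in the denial; that matches the libvirt-qemu abstraction the description cites, but it is wider than the observed need.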
> --
> 2.29.2
>
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
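An added example, not code from the patch or from either poster: a small parser for audit AVC records of the shape quoted in the patch description that turns an AppArmor signal denial into the corresponding minimal rule. The sample record below is the one from the description, joined onto a single line; the `set=` qualifier it emits is an assumption of this example (narrower than the rules in the patch, which allow any signal).

```python
import re
from typing import Dict, Optional

# Constructed sample: the AVC record from the patch description, joined
# onto one line as it would appear in /var/log/audit/audit.log.
SAMPLE_AVC = (
    'type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED" '
    'operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1" '
    'pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive" '
    'signal=term peer="libvirtd"'
)

# key=value pairs; values are either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line: str) -> Dict[str, str]:
    """Split one audit record into a dict, stripping quotes from values."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def suggest_signal_rule(fields: Dict[str, str]) -> Optional[str]:
    """Return the AppArmor signal rule that would permit this denial,
    restricted to the signal actually seen, or None if the record is not
    an AppArmor signal denial.  The rule belongs in the profile named by
    the record's profile= field (here the libvirt-<uuid> LXC profile)."""
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "signal":
        return None
    mask = fields.get("denied_mask") or fields.get("requested_mask")
    sig = fields.get("signal")
    peer = fields.get("peer")
    if not (mask and sig and peer):
        return None
    return f"signal ({mask}) set=({sig}) peer={peer},"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(f"profile {rec['profile']} needs: {suggest_signal_rule(rec)}")
```

Feed it the AVC lines from the audit log and compare the output against what a profile already grants before widening the policy.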
