From: Christian Ehrhardt
To: Libvirt Devel
Cc: Jamie Strandboge, Guido Guenther, Christian Ehrhardt
Date: Tue, 19 Dec 2017 14:13:06 +0100
Message-Id: <1513689186-14086-1-git-send-email-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH] apparmor: allow unix stream for p2p migrations

On live migration with --p2p like:
$ virsh migrate --live --p2p kvmguest-bionic-normal \
    qemu+ssh://10.6.221.80/system

We hit an apparmor deny like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/libvirtd"
pid=23477 comm="ssh" family="unix" sock_type="stream" protocol=0
requested_mask="send receive" denied_mask="send" addr=none peer_addr=none
peer="unconfined"

The rule is not perfect, but can't be restricted further at the moment
(new upstream kernel features needed).
For now the lack of a profile on the peer as well as comm not being a
conditional on rules do not allow filtering further.

Signed-off-by: Christian Ehrhardt
---
 examples/apparmor/usr.sbin.libvirtd | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 8d61d15..febe8a4 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -53,6 +53,9 @@
   network packet dgram,
   network packet raw,
 
+  # for --p2p migrations
+  unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
+
   ptrace (trace) peer=unconfined,
   ptrace (trace) peer=/usr/sbin/libvirtd,
   ptrace (trace) peer=/usr/sbin/dnsmasq,
-- 
2.7.4

-- 
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
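Review bot: the new unix rule lets libvirtd send and receive on any unconfined-labelled unix stream socket, not only the one the ssh child inherits for the qemu+ssh transport, and the in-profile comment `# for --p2p migrations` does not record why it has to be that broad. The cover text explains it (the peer carries no profile and comm is not a rule conditional, so nothing narrower is expressible until the kernel gains the needed features); that reasoning should sit next to the rule in the profile as a second comment line, otherwise a later reader may try to tighten it without the kernel support noted here. The logged denial is operation="file_inherit" from comm="ssh" with requested_mask="send receive" and denied_mask="send", so granting both send and receive, as the hunk does, matches the access that was actually requested.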
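For an operator who wants to confirm that this denial is what they are seeing before (and stops appearing after) updating the profile, here is a small parser for AppArmor audit records of the form quoted in the commit message, with a filter for exactly this libvirtd/ssh/unix-stream case. It is an added example written for this page, not code from the patch or from libvirt; the sample lines are constructed from the denial quoted above (one of them with a journald-style `audit: type=1400 audit(...)` prefix, which is assumed, and one unrelated dnsmasq record added as a negative case).

```python
import re

# Sample records constructed for this example. The first is the denial
# quoted in the commit message, rejoined into one line; the second is the
# same record with the kind of prefix journald/auditd put in front of it
# (assumed format); the third is an unrelated record that must not match.
SAMPLE_LINES = [
    'apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/libvirtd" '
    'pid=23477 comm="ssh" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="send receive" denied_mask="send" addr=none peer_addr=none '
    'peer="unconfined"',
    'audit: type=1400 audit(1513689186.123:45): apparmor="DENIED" '
    'operation="file_inherit" profile="/usr/sbin/libvirtd" pid=23478 '
    'comm="ssh" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="send receive" denied_mask="send" addr=none '
    'peer_addr=none peer="unconfined"',
    'apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" '
    'name="/etc/example.conf" pid=4242 comm="dnsmasq" requested_mask="r" '
    'denied_mask="r" fsuid=0 ouid=0',
]

# key=value pairs; the value is either a double-quoted string (may contain
# spaces, e.g. requested_mask="send receive") or a bare token (pid=23477,
# addr=none). Quoted form is tried first so a quoted value is never split.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_record(line):
    """Return the record's key/value fields as a dict.

    Quoted values lose their quotes; bare values are kept verbatim as
    strings. Tokens without '=' (e.g. 'audit(...):') are ignored.
    """
    fields = {}
    for match in _FIELD_RE.finditer(line):
        key, quoted, bare = match.group(1), match.group(3), match.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def mask_permissions(rec, key):
    """Split a space-separated mask such as 'send receive' into a set."""
    value = rec.get(key, "")
    return set(value.split()) if value else set()


def is_p2p_migration_unix_denial(rec):
    """True for the denial this patch addresses: libvirtd's ssh child being
    refused on an inherited unix stream socket whose peer is unconfined."""
    return (
        rec.get("apparmor") == "DENIED"
        and rec.get("profile") == "/usr/sbin/libvirtd"
        and rec.get("comm") == "ssh"
        and rec.get("family") == "unix"
        and rec.get("sock_type") == "stream"
        and rec.get("peer") == "unconfined"
    )


def find_p2p_denials(lines):
    """Parse every line and keep only the p2p-migration denials."""
    hits = []
    for line in lines:
        rec = parse_apparmor_record(line)
        if is_p2p_migration_unix_denial(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_p2p_denials(SAMPLE_LINES):
        print("pid %s: denied %s of requested %s" % (
            rec["pid"],
            sorted(mask_permissions(rec, "denied_mask")),
            sorted(mask_permissions(rec, "requested_mask")),
        ))
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` lines; only records matching the profile, comm, family, socket type and peer label from the commit message are reported, so an ordinary file denial from another profile is left alone.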