From: Jim Fehlig <jfehlig@suse.com>
To: libvir-list@redhat.com
Cc: agx@sigxcpu.org
Date: Fri, 6 Oct 2017 14:58:10 -0600
Message-Id: <20171006205810.8419-1-jfehlig@suse.com>
Subject: [libvirt] [PATCH] apparmor: add dnsmasq ptrace rule to libvirtd profile

Commit b482925c added a ptrace rule for the apparmor profiles, but one
was missed in the libvirtd profile for dnsmasq. It was overlooked since
the test machine did not have an active libvirt network requiring dnsmasq
that was also set to autostart.
With one active and set to autostart, the following denial is observed in
audit.log when restarting libvirtd

type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
comm="libvirtd" requested_mask="trace" denied_mask="trace" \
peer="/usr/sbin/dnsmasq"

With an active network, I suspect a libvirtd restart causes access to
/proc//*, hence the resulting denial. As a nasty side effect of the
denial, libvirtd thinks it needs to spawn a dnsmasq process even though
one is already running for the network. E.g. after two libvirtd restarts

dnsmasq  1683  0.0  0.0  51188  2612 ?  S  12:03  0:00 \
  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root     1684  0.0  0.0  51160   576 ?  S  12:03  0:00 \
  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
dnsmasq  4706  0.0  0.0  51188  2572 ?  S  13:54  0:00 \
  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root     4707  0.0  0.0  51160   572 ?  S  13:54  0:00 \
  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
dnsmasq  4791  0.0  0.0  51188  2580 ?  S  13:56  0:00 \
  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root     4792  0.0  0.0  51160   572 ?  S  13:56  0:00 \
  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper

A simple fix is to add a ptrace rule for dnsmasq.

Signed-off-by: Jim Fehlig
Reviewed-By: Guido Günther
---
 examples/apparmor/usr.sbin.libvirtd | 1 +
 1 file changed, 1 insertion(+)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sb= in.libvirtd index fa4ebb355..819068ffc 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -39,6 +39,7 @@ =20 ptrace (trace) peer=3Dunconfined, ptrace (trace) peer=3D/usr/sbin/libvirtd, + ptrace (trace) peer=3D/usr/sbin/dnsmasq, ptrace (trace) peer=3Dlibvirt-*, =20 # Very lenient profile for libvirtd since we want to first focus on conf= ining --=20 2.14.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
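Review bot: the `peer=` value in the added line `+ ptrace (trace) peer=/usr/sbin/dnsmasq,` matches the peer's AppArmor label (profile name), not the binary path as such, so the rule only takes effect when dnsmasq actually runs confined under a profile named /usr/sbin/dnsmasq; an unconfined dnsmasq is already covered by the existing `ptrace (trace) peer=unconfined,` two lines above, and the denial's peer="/usr/sbin/dnsmasq" confirms dnsmasq is confined on the test machine, which is worth stating in the commit message. The message also leaves the pid placeholder out of "/proc//*" and hedges with "I suspect"; naming the /proc/<pid> file libvirtd reads when it checks the existing dnsmasq on restart would show why the denied mask is "trace" rather than "read" and why the narrower `ptrace (read)` permission would not be enough here.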
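A small defender-side helper, added here as an example and not part of the patch, of libvirt or of the AppArmor tooling, that turns ptrace denials like the one quoted in the commit message into the AppArmor rule lines a profile would need and checks which of them a given profile excerpt is still missing. The audit records and the two profile excerpts in the block are constructed for the example (the first record mirrors the quoted denial, the rest are made up to show that ALLOWED records, non-ptrace denials and duplicates are handled); the function names and the exact-line comparison used by `missing_rules` are assumptions of this example.

```python
import re
from typing import Dict, Iterator, List

# Constructed audit.log excerpt. Line 1 mirrors the denial quoted in the
# commit message; lines 2-4 are made up: an ALLOWED record (complain mode),
# a non-ptrace denial, and a repeat of the dnsmasq denial from another pid.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1507320137.000:299): apparmor="ALLOWED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-example"
type=AVC msg=audit(1507320138.000:300): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/example" pid=5472 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1507320139.000:301): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=5473 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/dnsmasq"
"""

# Constructed profile excerpts modelled on the hunk context: before and
# after the dnsmasq rule from the patch is added.
PROFILE_BEFORE = """\
  ptrace (trace) peer=unconfined,
  ptrace (trace) peer=/usr/sbin/libvirtd,
  ptrace (trace) peer=libvirt-*,
"""
PROFILE_AFTER = PROFILE_BEFORE.replace(
    "  ptrace (trace) peer=libvirt-*,\n",
    "  ptrace (trace) peer=/usr/sbin/dnsmasq,\n  ptrace (trace) peer=libvirt-*,\n",
)

# An audit record is a flat list of key=value or key="quoted value" fields.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Permission names that can appear in a ptrace denied_mask and are valid
# inside an AppArmor ptrace rule.
_PTRACE_PERMS = ("read", "readby", "trace", "tracedby")


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one audit line into a dict of its key=value fields."""
    return {k: (quoted or bare) for k, quoted, bare in _KV_RE.findall(line)}


def iter_ptrace_denials(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield only records that are AppArmor DENIED ptrace events."""
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("apparmor") == "DENIED" and rec.get("operation") == "ptrace":
            yield rec


def suggest_ptrace_rule(rec: Dict[str, str]) -> str:
    """Map one ptrace denial to the rule line that would permit exactly it."""
    perms = [p for p in rec["denied_mask"].split() if p in _PTRACE_PERMS]
    if not perms:
        raise ValueError("unrecognised ptrace mask: %r" % rec["denied_mask"])
    return "ptrace (%s) peer=%s," % (" ".join(perms), rec["peer"])


def rules_for_profile(log_text: str, profile: str) -> List[str]:
    """Distinct rule lines one profile needs, in first-seen order."""
    rules: List[str] = []
    for rec in iter_ptrace_denials(log_text):
        if rec.get("profile") != profile:
            continue
        rule = suggest_ptrace_rule(rec)
        if rule not in rules:
            rules.append(rule)
    return rules


def missing_rules(profile_text: str, log_text: str, profile: str) -> List[str]:
    """Rules the log asks for that the profile text does not already carry.

    Comparison is by whitespace-normalised line, so a wider rule such as
    peer=libvirt-* is not recognised as covering a specific peer.
    """
    present = {" ".join(line.split()) for line in profile_text.splitlines()}
    return [r for r in rules_for_profile(log_text, profile) if r not in present]


if __name__ == "__main__":
    for rule in missing_rules(PROFILE_BEFORE, SAMPLE_AUDIT_LOG, "/usr/sbin/libvirtd"):
        print("missing:", rule)
    print("after patch, still missing:",
          missing_rules(PROFILE_AFTER, SAMPLE_AUDIT_LOG, "/usr/sbin/libvirtd"))
```

Run against the constructed input, the helper reports a single missing line for the pre-patch excerpt, `ptrace (trace) peer=/usr/sbin/dnsmasq,`, which is the line the hunk adds, and nothing once that line is present; an ALLOWED record, as produced in complain mode, is deliberately not turned into a rule, so the output only reflects what enforce mode actually blocked.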