[libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined

Guido Günther posted 1 patch 6 years, 3 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20180117153401.GA16629@bogon.m.sigxcpu.org
examples/apparmor/usr.sbin.libvirtd | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined
Posted by Guido Günther 6 years, 3 months ago
Otherwise stopping domains with qemu://session fails like

[164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
---
 examples/apparmor/usr.sbin.libvirtd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 0ddec3f6e2..be4fabf905 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -63,7 +63,7 @@
 
   signal (send) peer=/usr/sbin/dnsmasq,
   signal (read, send) peer=libvirt-*,
-  signal (send) set=("kill") peer=unconfined,
+  signal (send) set=("kill", "term") peer=unconfined,
 
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
-- 
2.15.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
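
The rule in this patch is exactly the grant that the DENIED audit line in the commit message asks for, merged into the existing `set=("kill")` rule. The script below does that translation mechanically: it parses the kernel audit line into its key=value fields, emits the narrowest `signal` rule that would allow the denial, and merges the denied signal into an existing rule for the same peer and mask. This is an added example for this thread, not libvirt or AppArmor tooling; the first audit line is the one quoted in the commit message, the second is constructed here (same shape, `signal=kill`) to exercise the no-change path.

```python
"""Turn an AppArmor "DENIED" signal audit event into the profile rule that
allows it, and merge that signal into an existing rule the way the patch
above does by hand.

Added example for this thread; not libvirt or AppArmor code.
"""
import re

# key=value tokens of an audit line; values are either "quoted" or bare words
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# an existing profile rule with an explicit signal set, e.g.
#   signal (send) set=("kill") peer=unconfined,
_SIGNAL_RULE_RE = re.compile(
    r'^(\s*)signal\s*\(([^)]*)\)\s*set=\(([^)]*)\)\s*peer=(\S+?),\s*$')

# From the commit message of this patch.
DENIAL_TERM = (
    '[164012.338157] audit: type=1400 audit(1516202208.784:99): '
    'apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" '
    'pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" '
    'signal=term peer="unconfined"'
)
# Constructed for this example: the same event shape for SIGKILL.
DENIAL_KILL = DENIAL_TERM.replace("signal=term", "signal=kill")


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict.

    Quoted values are unquoted. Returns None when the line carries no
    apparmor= field (i.e. it is not an AppArmor event at all).
    """
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields if "apparmor" in fields else None


def rule_for_signal_denial(fields):
    """Return the narrowest profile rule that would allow this denial.

    Only DENIED signal events are handled; anything else returns None.
    Mask (send/receive), signal name and peer label all come from the
    event, so the grant is no wider than what was actually refused.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "signal":
        return None
    return 'signal ({mask}) set=("{sig}") peer={peer},'.format(
        mask=fields["denied_mask"], sig=fields["signal"], peer=fields["peer"])


def merge_signal_into_rule(rule, fields):
    """Add the denied signal to an existing set=(...) rule for the same peer.

    Returns the rule unchanged if it targets a different peer, does not
    cover the denied mask, or already lists the signal. Rules without an
    explicit set=(...) raise ValueError rather than being touched: they
    already grant every signal for their peer, so there is nothing to add.
    """
    m = _SIGNAL_RULE_RE.match(rule)
    if m is None:
        raise ValueError("not a signal rule with an explicit set: %r" % rule)
    indent, masks, sigs, peer = m.groups()
    mask_set = {t.strip() for t in masks.split(",")}
    sig_list = [t.strip().strip('"') for t in sigs.split(",")]
    if peer != fields["peer"] or fields["denied_mask"] not in mask_set:
        return rule
    if fields["signal"] in sig_list:
        return rule
    sig_list.append(fields["signal"])
    return "%ssignal (%s) set=(%s) peer=%s," % (
        indent, masks.strip(), ", ".join('"%s"' % s for s in sig_list), peer)


if __name__ == "__main__":
    old_rule = '  signal (send) set=("kill") peer=unconfined,'
    ev = parse_audit_line(DENIAL_TERM)
    print(rule_for_signal_denial(ev))      # the standalone grant
    print(merge_signal_into_rule(old_rule, ev))  # the line the patch adds
```

Run against the commit-message line this prints `signal (send) set=("term") peer=unconfined,` and then the merged `  signal (send) set=("kill", "term") peer=unconfined,`, i.e. the `+` line of the hunk. The merge deliberately refuses to widen a rule that has no `set=` at all, since such a rule already allows every signal to its peer and the denial must be coming from somewhere else.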
Re: [libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined
Posted by Jim Fehlig 6 years, 3 months ago
On 01/17/2018 08:34 AM, Guido Günther wrote:
> Otherwise stopping domains with qemu://session fails like
> 
> [164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
> ---
>   examples/apparmor/usr.sbin.libvirtd | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index 0ddec3f6e2..be4fabf905 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -63,7 +63,7 @@
>   
>     signal (send) peer=/usr/sbin/dnsmasq,
>     signal (read, send) peer=libvirt-*,
> -  signal (send) set=("kill") peer=unconfined,
> +  signal (send) set=("kill", "term") peer=unconfined,

Is "hup" needed here as well?

Regards,
Jim

Re: [libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined
Posted by Daniel P. Berrange 6 years, 3 months ago
On Mon, Jan 22, 2018 at 10:25:38AM -0700, Jim Fehlig wrote:
> On 01/17/2018 08:34 AM, Guido Günther wrote:
> > Otherwise stopping domains with qemu://session fails like
> > 
> > [164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
> > ---
> >   examples/apparmor/usr.sbin.libvirtd | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> > index 0ddec3f6e2..be4fabf905 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -63,7 +63,7 @@
> >     signal (send) peer=/usr/sbin/dnsmasq,
> >     signal (read, send) peer=libvirt-*,
> > -  signal (send) set=("kill") peer=unconfined,
> > +  signal (send) set=("kill", "term") peer=unconfined,
> 
> Is "hup" needed here as well?

Shouldn't be, libvirt starts by using 'term' to kill QEMU and if that
doesn't work, falls back to "kill". It shouldn't ever use "hup".


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

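
The term-then-kill sequence described above is what fixes the set of signals the profile has to allow: whatever the stop path actually sends is the minimum the rule needs, and nothing more. The script below reproduces that escalation against a real child process and reports the signal names sent, for a child that honours SIGTERM and for one that ignores it. It is an added example for this thread, not libvirt's own process-killing code; both child scripts are constructed here, and the one-second grace period is an arbitrary choice for the example.

```python
"""Stop a child the way the reply above describes libvirt stopping QEMU:
SIGTERM first, SIGKILL only if the process is still alive after a grace
period. Added example for this thread, not libvirt code.

The list returned by stop_process() is exactly the set the libvirtd
profile has to grant for that peer: "term" and "kill", never "hup".
"""
import signal
import subprocess
import sys

# Constructed child that behaves: the default SIGTERM disposition ends it.
POLITE_CHILD = (
    "import sys, time\n"
    "sys.stdout.write('ready\\n'); sys.stdout.flush()\n"
    "time.sleep(60)\n"
)
# Constructed child that ignores SIGTERM, standing in for a wedged guest.
STUBBORN_CHILD = (
    "import signal, sys, time\n"
    "signal.signal(signal.SIGTERM, signal.SIG_IGN)\n"
    "sys.stdout.write('ready\\n'); sys.stdout.flush()\n"
    "time.sleep(60)\n"
)


def spawn(script):
    """Start the child and block until it says its handlers are installed,
    so a SIGTERM sent afterwards cannot race the handler setup."""
    proc = subprocess.Popen([sys.executable, "-c", script],
                            stdout=subprocess.PIPE)
    proc.stdout.readline()  # child writes 'ready' once it is set up
    return proc


def stop_process(proc, grace=1.0):
    """TERM, wait up to `grace` seconds, then KILL if still running.

    Returns the AppArmor signal names sent, in order, so the caller can see
    which `signal (send) set=(...)` entries this action exercised.
    """
    sent = []
    proc.send_signal(signal.SIGTERM)
    sent.append("term")
    try:
        proc.wait(timeout=grace)
    except subprocess.TimeoutExpired:
        # Graceful stop ignored: escalate. SIGKILL cannot be caught or ignored.
        proc.send_signal(signal.SIGKILL)
        sent.append("kill")
        proc.wait()
    proc.stdout.close()
    return sent


if __name__ == "__main__":
    print("polite child:  ", stop_process(spawn(POLITE_CHILD)))
    print("stubborn child:", stop_process(spawn(STUBBORN_CHILD)))
```

The polite child is gone after `["term"]`; the stubborn one needs `["term", "kill"]`. Those two names are the whole set the patch ends up with, which is why the question about "hup" answers itself: no step of the stop path sends it, so allowing it would only widen what a confined libvirtd may do to unconfined processes.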
Re: [libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined
Posted by intrigeri 6 years, 3 months ago
Hi,


Guido Günther:
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -63,7 +63,7 @@

>    signal (send) peer=/usr/sbin/dnsmasq,
>    signal (read, send) peer=libvirt-*,
> -  signal (send) set=("kill") peer=unconfined,
> +  signal (send) set=("kill", "term") peer=unconfined,

+1

Reviewed-by: intrigeri@boum.org

Cheers,
-- 
intrigeri

Re: [libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined
Posted by Jamie Strandboge 6 years, 3 months ago
On Wed, 2018-01-24 at 10:41 +0100, intrigeri wrote:
> Hi,
> 
> 
> Guido Günther:
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -63,7 +63,7 @@
> >    signal (send) peer=/usr/sbin/dnsmasq,
> >    signal (read, send) peer=libvirt-*,
> > -  signal (send) set=("kill") peer=unconfined,
> > +  signal (send) set=("kill", "term") peer=unconfined,
> 
LGTM too. +1 to apply.

-- 
Jamie Strandboge             | http://www.canonical.com
Re: [libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined
Posted by Christian Ehrhardt 6 years, 2 months ago
On Thu, Jan 25, 2018 at 9:09 PM, Jamie Strandboge <jamie@canonical.com> wrote:
> On Wed, 2018-01-24 at 10:41 +0100, intrigeri wrote:
>> Hi,
>>
>>
>> Guido Günther:
>> > --- a/examples/apparmor/usr.sbin.libvirtd
>> > +++ b/examples/apparmor/usr.sbin.libvirtd
>> > @@ -63,7 +63,7 @@
>> >    signal (send) peer=/usr/sbin/dnsmasq,
>> >    signal (read, send) peer=libvirt-*,
>> > -  signal (send) set=("kill") peer=unconfined,
>> > +  signal (send) set=("kill", "term") peer=unconfined,
>>
> LGTM too. +1 to apply.

2 x +1
1x resolved Discussion

IMHO nothing should block this from being committed - so ping?

+1 from me as well btw

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

Re: [libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined
Posted by Michal Privoznik 6 years, 2 months ago
On 02/06/2018 03:54 PM, Christian Ehrhardt wrote:
> On Thu, Jan 25, 2018 at 9:09 PM, Jamie Strandboge <jamie@canonical.com> wrote:
>> On Wed, 2018-01-24 at 10:41 +0100, intrigeri wrote:
>>> Hi,
>>>
>>>
>>> Guido Günther:
>>>> --- a/examples/apparmor/usr.sbin.libvirtd
>>>> +++ b/examples/apparmor/usr.sbin.libvirtd
>>>> @@ -63,7 +63,7 @@
>>>>    signal (send) peer=/usr/sbin/dnsmasq,
>>>>    signal (read, send) peer=libvirt-*,
>>>> -  signal (send) set=("kill") peer=unconfined,
>>>> +  signal (send) set=("kill", "term") peer=unconfined,
>>>
>> LGTM too. +1 to apply.
> 
> 2 x +1
> 1x resolved Discussion
> 
> IMHO nothing should block this from being committed - so ping?
> 
> +1 from me as well btw
> 

I've just pushed this. BTW: hasn't DV granted commit access to somebody
just recently so that they can push these apparmor patches?

Michal

Re: [libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined
Posted by Christian Ehrhardt 6 years, 2 months ago
On Tue, Feb 6, 2018 at 5:28 PM, Michal Privoznik <mprivozn@redhat.com> wrote:
> On 02/06/2018 03:54 PM, Christian Ehrhardt wrote:
>> On Thu, Jan 25, 2018 at 9:09 PM, Jamie Strandboge <jamie@canonical.com> wrote:
>>> On Wed, 2018-01-24 at 10:41 +0100, intrigeri wrote:
>>>> Hi,
>>>>
>>>>
>>>> Guido Günther:
>>>>> --- a/examples/apparmor/usr.sbin.libvirtd
>>>>> +++ b/examples/apparmor/usr.sbin.libvirtd
>>>>> @@ -63,7 +63,7 @@
>>>>>    signal (send) peer=/usr/sbin/dnsmasq,
>>>>>    signal (read, send) peer=libvirt-*,
>>>>> -  signal (send) set=("kill") peer=unconfined,
>>>>> +  signal (send) set=("kill", "term") peer=unconfined,
>>>>
>>> LGTM too. +1 to apply.
>>
>> 2 x +1
>> 1x resolved Discussion
>>
>> IMHO nothing should block this from being committed - so ping?
>>
>> +1 from me as well btw
>>
>
> I've just pushed this.

Thanks.

> BTW: hasn't DV granted commit access to somebody
> just recently so that they can push these apparmor patches?

There were IRC discussions to get me commit access, but nobody with the
permissions was around at the time.
Except for the unlikely case that all of the rest happened without me
knowing about it, it is not me :-)
If it was someone else, I'd be pleased to know who so we can CC
him/her on such changes.


-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

Re: [libvirt] [PATCH] apparmor: allow libvirt to send term signal to unconfined
Posted by Daniel P. Berrangé 6 years, 2 months ago
On Tue, Feb 06, 2018 at 05:37:37PM +0100, Christian Ehrhardt wrote:
> On Tue, Feb 6, 2018 at 5:28 PM, Michal Privoznik <mprivozn@redhat.com> wrote:
> > BTW: hasn't DV granted commit access to somebody
> > just recently so that they can push these apparmor patches?
> 
> There were IRC discussions to get me commit access, but none with the
> permissions was around at the time.
> except for the unlikely case that all of the rest happened without me
> knowing about it, it is not me :-)
> If it was someone else, I'd be pleased to know who so we can CC
> him/her on such changes.

I'm happy to give you push access, since we don't have anyone active who
represents Ubuntu right now - just Guido for Debian - and you've had a
reasonable number of patches coming up for review.

Just mail me off-list, with your SSH public key and preferred UNIX username

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
