[libvirt] [PATCH V2] apparmor: support ptrace checks

Jim Fehlig posted 1 patch 6 years, 6 months ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20170922211530.10413-1-jfehlig@suse.com
There is a newer version of this series
Posted by Jim Fehlig 6 years, 6 months ago
Kernel 4.13 introduced finer-grained ptrace checks

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07

With kernel 4.13 and apparmor 2.11, simply starting libvirtd
results in the following apparmor denial

type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"

Attempting to start an unconfined domain results in

type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="/usr/sbin/libvirtd"

And attempting to start a confined domain results in

type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"

Add ptrace rules to allow the trace operations.

Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
 examples/apparmor/usr.sbin.libvirtd | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index acb59e071..6088db294 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -37,6 +37,10 @@
   network packet dgram,
   network packet raw,
 
+  ptrace (trace) peer=unconfined,
+  ptrace (trace) peer=/usr/sbin/libvirtd,
+  ptrace (tace) peer=(label=@{profile_name}),
+
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
   / r,
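Review bot: the third added rule, `ptrace (tace) peer=(label=@{profile_name}),`, misspells the permission, so apparmor_parser will reject the profile and it will not load until the rule reads `ptrace (trace) peer=(label=@{profile_name}),`. Separately, the two `/etc/libnl/classid` open denials in the description are raised under the virt-aa-helper profile, which this diff does not touch, so starting a confined domain would still log those after this change.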
-- 
2.14.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
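As an added example, not part of the patch or of libvirt itself: a small Python script that re-joins the wrapped audit records quoted in the description, parses each `key=value` field, and prints the AppArmor rule each denial calls for, grouped by the profile that was denied. The sample audit text is constructed from the lines above; the `libvirt-*` glob for per-guest labels is an assumption made by the script, not something the patch contains.

```python
import re

# Constructed sample input: the denials quoted in the patch description, with
# the same line wrapping the mail has (each record starts with "type=AVC" and
# continues on the following lines).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"
type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
"""

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def join_records(text):
    """Re-join wrapped audit output into one string per record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Parse the key=value pairs of one audit record into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(record)}


def suggest_rule(event):
    """Return the AppArmor rule that would allow this denial, or None."""
    if event.get("apparmor") != "DENIED":
        return None
    mask = event.get("requested_mask", "")
    op = event.get("operation")
    if op == "ptrace":
        peer = event["peer"]
        # Assumption: per-guest labels are "libvirt-<uuid>", so one glob rule
        # covers every guest instead of one rule per UUID.
        if peer.startswith("libvirt-"):
            peer = "libvirt-*"
        return f"ptrace ({mask}) peer={peer},"
    if op == "open":
        return f'{event["name"]} {mask},'
    return None


def rules_by_profile(text):
    """Group the suggested rules by the profile that was denied, deduplicated."""
    out = {}
    for record in join_records(text):
        event = parse_avc(record)
        rule = suggest_rule(event)
        if rule:
            out.setdefault(event["profile"], set()).add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_AUDIT).items():
        print(f"# rules missing from profile {profile}")
        for rule in rules:
            print("  " + rule)
```

Run against the sample it prints one ptrace rule per distinct peer for the libvirtd profile and the single `/etc/libnl/classid r,` rule for virt-aa-helper, which makes it easy to see which denials a proposed profile change does and does not cover.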
Re: [libvirt] [PATCH V2] apparmor: support ptrace checks
Posted by Jim Fehlig 6 years, 6 months ago
On 09/22/2017 03:15 PM, Jim Fehlig wrote:
> Kernel 4.13 introduced finer-grained ptrace checks
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
> 
> With kernel 4.13 and apparmor 2.11, simply starting libvirtd
> results in the following apparmor denial
> 
> type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="unconfined"
> 
> Attempting to start an unconfined domain results in
> 
> type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="/usr/sbin/libvirtd"
> 
> And attempting to start a confined domain results in
> 
> type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
> operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
> pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> fsuid=0 ouid=0
> type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
> operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
> pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> fsuid=0 ouid=0
> type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
> 
> Add ptrace rules to allow the trace operations.
> 
> Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>   examples/apparmor/usr.sbin.libvirtd | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index acb59e071..6088db294 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -37,6 +37,10 @@
>     network packet dgram,
>     network packet raw,
>   
> +  ptrace (trace) peer=unconfined,
> +  ptrace (trace) peer=/usr/sbin/libvirtd,
> +  ptrace (tace) peer=(label=@{profile_name}),
> +

Oops, typo here. I've squashed the diff below into my local branch.

diff --git a/examples/apparmor/usr.sbin.libvirtd 
b/examples/apparmor/usr.sbin.libvirtd
index 6088db294..defcd1567 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -39,7 +39,7 @@

    ptrace (trace) peer=unconfined,
    ptrace (trace) peer=/usr/sbin/libvirtd,
-  ptrace (tace) peer=(label=@{profile_name}),
+  ptrace (trace) peer=(label=@{profile_name}),

    # Very lenient profile for libvirtd since we want to first focus on confining
    # the guests. Guests will have a very restricted profile.
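Review bot: with the spelling fixed, `peer=(label=@{profile_name})` still appears to duplicate the `peer=/usr/sbin/libvirtd` rule above it, since @{profile_name} expands to the enclosing profile's own name, and neither rule matches the third denial in the description, whose peer is the per-guest label `libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff`. A rule keyed on the guest label pattern, e.g. `ptrace (trace) peer=libvirt-*,`, would cover starting a confined domain; that case is worth re-testing after the squash.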
