[libvirt] [PATCH V3] apparmor: support ptrace checks

Jim Fehlig posted 1 patch 6 years, 7 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20170922230242.21336-1-jfehlig@suse.com
examples/apparmor/usr.sbin.libvirtd | 4 ++++
1 file changed, 4 insertions(+)
Posted by Jim Fehlig 6 years, 7 months ago
Kernel 4.13 introduced finer-grained ptrace checks

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07

With kernel 4.13 and apparmor 2.11, simply starting libvirtd
results in the following apparmor denial

type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"

Attempting to start an unconfined domain results in

type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="/usr/sbin/libvirtd"

And attempting to start a confined domain results in

type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"

Add ptrace rules to allow the trace operations.

Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---

V3:
 fix ptrace rule for per-domain profiles

V2:
 restrict ptrace permissions
 drop support for dbus, signal, and unix
 
 examples/apparmor/usr.sbin.libvirtd | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index acb59e071..fa4ebb355 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -37,6 +37,10 @@
   network packet dgram,
   network packet raw,
 
+  ptrace (trace) peer=unconfined,
+  ptrace (trace) peer=/usr/sbin/libvirtd,
+  ptrace (trace) peer=libvirt-*,
+
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
   / r,
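Review bot: the `peer=libvirt-*` glob in the third rule is wider than the per-domain profiles the V3 changelog says it is for: it matches any profile whose name starts with `libvirt-`, whereas the denial in the description names a `libvirt-<uuid>` peer. If only the virt-aa-helper generated profiles are intended, a comment above the three rules saying so (and why `peer=unconfined` and `peer=/usr/sbin/libvirtd` are each needed, since the first grants trace on every unconfined process on the host) would let later readers judge whether a rule can be dropped, a question this review thread already raises. Also, the two `virt-aa-helper` denials on `/etc/libnl/classid` quoted in the description are not touched by this hunk, which only edits usr.sbin.libvirtd; either address them in the virt-aa-helper profile or drop them from the message so the description matches the change.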
-- 
2.14.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
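As an added example (not libvirt's code and not part of the patch above), the following Python script turns the kind of AppArmor DENIED audit records quoted in the patch description into the narrowest profile rules that would allow each denied operation, grouped by the profile that was denied. It assumes only the audit key=value record format shown above, the `ptrace (perm) peer=...` and `path perms` rule syntax from apparmor.d(5), and that per-domain profiles are named `libvirt-<uuid>` as in the third denial; the helper names (`parse_audit_line`, `rule_for`, `rules_from_log`, `render`) are this example's own. The sample log is the page's own set of denials re-joined onto single lines.

```python
"""Turn AppArmor DENIED audit records into candidate profile rules.

Added example, not libvirt code and not part of the patch being reviewed.
It parses audit records like the ones in the patch description and emits,
per profile, the narrowest AppArmor rule that would allow each denied
operation, collapsing libvirt's per-domain profile names (libvirt-<uuid>)
to the libvirt-* glob the patch uses.
"""
import re
from collections import defaultdict

# Audit records are space-separated key=value pairs; values may be quoted.
_KV = re.compile(r'(\w+)=(?:"(?P<q>[^"]*)"|(?P<u>\S+))')

# Assumption: virt-aa-helper names per-domain profiles libvirt-<domain uuid>.
_DOMAIN_PROFILE = re.compile(
    r'^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')

# Constructed sample: the denials from the patch description, one record per line.
SAMPLE_LOG = """\
type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
"""


def parse_audit_line(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group('q') if m.group('q') is not None else m.group('u')
    return fields


def generalize_peer(peer):
    """Collapse a per-domain profile name to the glob used in usr.sbin.libvirtd."""
    return 'libvirt-*' if _DOMAIN_PROFILE.match(peer) else peer


def rule_for(fields):
    """Map one DENIED record to the AppArmor rule that allows it, or None.

    Only ptrace and file-class denials are handled. denied_mask is preferred
    over requested_mask so the rule grants exactly what was refused.
    """
    if fields.get('apparmor') != 'DENIED':
        return None
    mask = fields.get('denied_mask') or fields.get('requested_mask', '')
    if fields.get('operation') == 'ptrace':
        # ptrace masks are read, readby, trace or tracedby (apparmor.d(5)).
        return 'ptrace (%s) peer=%s,' % (mask, generalize_peer(fields['peer']))
    if 'name' in fields:
        # File-class denial (open, exec, mknod, ...): path followed by perms.
        return '%s %s,' % (fields['name'], mask)
    return None


def rules_from_log(text):
    """Group deduplicated, sorted rules by the profile that was denied."""
    rules = defaultdict(set)
    for line in text.splitlines():
        fields = parse_audit_line(line)
        rule = rule_for(fields)
        if rule is not None:
            rules[fields.get('profile', '?')].add(rule)
    return {profile: sorted(rs) for profile, rs in rules.items()}


def render(rules):
    """Render the grouped rules as a profile fragment for human review."""
    lines = []
    for profile, rs in sorted(rules.items()):
        lines.append('# denied in profile %s' % profile)
        lines.extend('  ' + r for r in rs)
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render(rules_from_log(SAMPLE_LOG)))
```

Run against the sample it prints the three `ptrace (trace)` rules for `/usr/sbin/libvirtd` that the patch adds, plus the `/etc/libnl/classid r,` rule the description shows for `virt-aa-helper` but the patch does not add. The output is a starting point for review, not something to paste blindly: a `peer=unconfined` rule in particular should be justified per profile before it goes in.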
Re: [libvirt] [PATCH V3] apparmor: support ptrace checks
Posted by Guido Günther 6 years, 7 months ago
Hi Jim,
On Fri, Sep 22, 2017 at 05:02:42PM -0600, Jim Fehlig wrote:
> Kernel 4.13 introduced finer-grained ptrace checks
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
> 
> With kernel 4.13 and apparmor 2.11, simply starting libvirtd
> results in the following apparmor denial
> 
> type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="unconfined"
> 
> Attempting to start an unconfined domain results in
> 
> type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="/usr/sbin/libvirtd"
> 
> And attempting to start a confined domain results in
> 
> type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
> operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
> pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> fsuid=0 ouid=0
> type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
> operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
> pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> fsuid=0 ouid=0
> type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
> 
> Add ptrace rules to allow the trace operations.
> 
> Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
> 
> V3:
>  fix ptrace rule for per-domain profiles
> 
> V2:
>  restrict ptrace permissions
>  drop support for dbus, signal, and unix
>  
>  examples/apparmor/usr.sbin.libvirtd | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index acb59e071..fa4ebb355 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -37,6 +37,10 @@
>    network packet dgram,
>    network packet raw,
>  
> +  ptrace (trace) peer=unconfined,
> +  ptrace (trace) peer=/usr/sbin/libvirtd,
> +  ptrace (trace) peer=libvirt-*,
> +

This works here too! And I can even drop the first rule (ptrace (trace)
peer=unconfined) and things still work (and from reading the profile and
Jamie's explanations it should work without it). Can you check if that
works for you too?  Otherwise:

Reviewed-By: Guido Günther <agx@sigxcpu.org>


>    # Very lenient profile for libvirtd since we want to first focus on confining
>    # the guests. Guests will have a very restricted profile.
>    / r,
> -- 
> 2.14.1
> 

Re: [libvirt] [PATCH V3] apparmor: support ptrace checks
Posted by Guido Günther 6 years, 7 months ago
Hi,
On Sun, Sep 24, 2017 at 02:26:01PM +0200, Guido Günther wrote:
> Hi Jim,
> On Fri, Sep 22, 2017 at 05:02:42PM -0600, Jim Fehlig wrote:
> > Kernel 4.13 introduced finer-grained ptrace checks
> > 
> > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
> > 
> > With kernel 4.13 and apparmor 2.11, simply starting libvirtd
> > results in the following apparmor denial
> > 
> > type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
> > operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
> > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > peer="unconfined"
> > 
> > Attempting to start an unconfined domain results in
> > 
> > type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
> > operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
> > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > peer="/usr/sbin/libvirtd"
> > 
> > And attempting to start a confined domain results in
> > 
> > type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
> > operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
> > pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> > fsuid=0 ouid=0
> > type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
> > operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
> > pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> > fsuid=0 ouid=0
> > type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
> > operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
> > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
> > 
> > Add ptrace rules to allow the trace operations.
> > 
> > Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
> > Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> > ---
> > 
> > V3:
> >  fix ptrace rule for per-domain profiles
> > 
> > V2:
> >  restrict ptrace permissions
> >  drop support for dbus, signal, and unix
> >  
> >  examples/apparmor/usr.sbin.libvirtd | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> > index acb59e071..fa4ebb355 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -37,6 +37,10 @@
> >    network packet dgram,
> >    network packet raw,
> >  
> > +  ptrace (trace) peer=unconfined,
> > +  ptrace (trace) peer=/usr/sbin/libvirtd,
> > +  ptrace (trace) peer=libvirt-*,
> > +
> 
> This works here too! And I can even drop the first rule (ptrace (trace)
> peer=unconfined) and things still work (and from reading the profile and
> Jamie's explanations it should work without it). Can you check if that
> works for you too?  Otherwise:
> 
> Reviewed-By: Guido Günther <agx@sigxcpu.org>

I've pushed that patch as is since without the unconfined ptrace we're
seeing denials with gnome-boxes and virsh.
Cheers,
 -- Guido

> 
> 
> >    # Very lenient profile for libvirtd since we want to first focus on confining
> >    # the guests. Guests will have a very restricted profile.
> >    / r,
> > -- 
> > 2.14.1
> > 
> 

Re: [libvirt] [PATCH V3] apparmor: support ptrace checks
Posted by Christian Ehrhardt 6 years, 7 months ago
Hi Guido and everybody else,
Ubuntu had the feature that went into 4.13 for quite a while so I looked
into dropping our rules in favor of the upstream ones.
While doing so I found something yet unclear and filed [1] about it.

TL;DR: The rules "should" not work because they should also have a tracedby
rule, but they work.

Jjohansen will let us know when he has looked at it in detail.
The bug I mention here is to track that effort.

P.S. FYI There is something similar ahead for kernel 4.14 which will need a
similar rule for signals.

[1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1719471

On Mon, Sep 25, 2017 at 12:05 PM, Guido Günther <agx@sigxcpu.org> wrote:

> Hi,
> On Sun, Sep 24, 2017 at 02:26:01PM +0200, Guido Günther wrote:
> > Hi Jim,
> > On Fri, Sep 22, 2017 at 05:02:42PM -0600, Jim Fehlig wrote:
> > > Kernel 4.13 introduced finer-grained ptrace checks
> > >
> > > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
> > >
> > > With kernel 4.13 and apparmor 2.11, simply starting libvirtd
> > > results in the following apparmor denial
> > >
> > > type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
> > > operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
> > > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > > peer="unconfined"
> > >
> > > Attempting to start an unconfined domain results in
> > >
> > > type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
> > > operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
> > > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > > peer="/usr/sbin/libvirtd"
> > >
> > > And attempting to start a confined domain results in
> > >
> > > type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
> > > operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
> > > pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> > > fsuid=0 ouid=0
> > > type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
> > > operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
> > > pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> > > fsuid=0 ouid=0
> > > type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
> > > operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
> > > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > > peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
> > >
> > > Add ptrace rules to allow the trace operations.
> > >
> > > Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
> > > Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> > > ---
> > >
> > > V3:
> > >  fix ptrace rule for per-domain profiles
> > >
> > > V2:
> > >  restrict ptrace permissions
> > >  drop support for dbus, signal, and unix
> > >
> > >  examples/apparmor/usr.sbin.libvirtd | 4 ++++
> > >  1 file changed, 4 insertions(+)
> > >
> > > diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> > > index acb59e071..fa4ebb355 100644
> > > --- a/examples/apparmor/usr.sbin.libvirtd
> > > +++ b/examples/apparmor/usr.sbin.libvirtd
> > > @@ -37,6 +37,10 @@
> > >    network packet dgram,
> > >    network packet raw,
> > >
> > > +  ptrace (trace) peer=unconfined,
> > > +  ptrace (trace) peer=/usr/sbin/libvirtd,
> > > +  ptrace (trace) peer=libvirt-*,
> > > +
> >
> > This works here too! And I can even drop the first rule (ptrace (trace)
> > peer=unconfined) and things still work (and from reading the profile and
> > Jamie's explanations it should work without it). Can you check if that
> > works for you too?  Otherwise:
> >
> > Reviewed-By: Guido Günther <agx@sigxcpu.org>
>
> I've pushed that patch as is since without the unconfined ptrace we're
> seeing denials with gnome-boxes and virsh.
> Cheers,
>  -- Guido
>
> >
> >
> > >    # Very lenient profile for libvirtd since we want to first focus on
> confining
> > >    # the guests. Guests will have a very restricted profile.
> > >    / r,
> > > --
> > > 2.14.1
> > >
> >



-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd