[libvirt] [PATCH] apparmor: add dnsmasq ptrace rule to libvirtd profile

Jim Fehlig posted 1 patch 6 years, 6 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20171006205810.8419-1-jfehlig@suse.com
examples/apparmor/usr.sbin.libvirtd | 1 +
1 file changed, 1 insertion(+)
[libvirt] [PATCH] apparmor: add dnsmasq ptrace rule to libvirtd profile
Posted by Jim Fehlig 6 years, 6 months ago
Commit b482925c added ptrace rule for the apparmor profiles,
but one was missed in the libvirtd profile for dnsmasq. It was
overlooked since the test machine did not have an active libvirt
network requiring dnsmasq that was also set to autostart. With
one active and set to autostart, the following denial is observed
in audit.log when restarting libvirtd

type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
comm="libvirtd" requested_mask="trace" denied_mask="trace" \
peer="/usr/sbin/dnsmasq"

With an active network, I suspect a libvirtd restart causes access
to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
side effect of the denial, libvirtd thinks it needs to spawn a
dnsmasq process even though one is already running for the network.
E.g. after two libvirtd restarts

dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper

A simple fix is to add a ptrace rule for dnsmasq.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
 examples/apparmor/usr.sbin.libvirtd | 1 +
 1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index fa4ebb355..819068ffc 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -39,6 +39,7 @@
 
   ptrace (trace) peer=unconfined,
   ptrace (trace) peer=/usr/sbin/libvirtd,
+  ptrace (trace) peer=/usr/sbin/dnsmasq,
   ptrace (trace) peer=libvirt-*,
 
   # Very lenient profile for libvirtd since we want to first focus on confining
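Review bot: the added line carries no comment saying why libvirtd needs to trace dnsmasq, and the commit message only suspects the trigger ("I suspect a libvirtd restart causes access to /proc/<dnsmasq-pid>/*"); consider confirming the cause and recording it next to the rule, in the style of the "# Very lenient profile" comment just below, so a later audit of the profile can tell this is libvirtd checking on the dnsmasq it spawned rather than a general debugging allowance. The rule itself matches the logged denial exactly: peer="/usr/sbin/dnsmasq" and denied_mask="trace" map to `ptrace (trace) peer=/usr/sbin/dnsmasq,`, and the existing `peer=unconfined` line cannot cover a dnsmasq that, as the peer label shows, runs under its own profile.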
-- 
2.14.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
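An added example, not part of the patch or of libvirt itself: a small Python checker that parses AppArmor ptrace denials of the kind shown in the commit message, tests each one against the profile's ptrace rules, and prints the rule line that would allow any denial the rules do not cover (for the record above that is exactly the line the patch adds). The first audit record is the one from the commit message joined onto a single line, as audit.log stores it; the SYSCALL record is constructed to show that non-AppArmor records are ignored; the fnmatch-based peer matching is an assumption that approximates AppArmor's own globbing and is adequate for suffix patterns such as `libvirt-*`.

```python
"""Check AppArmor ptrace denials in audit.log against a profile's ptrace rules."""
import fnmatch
import re

# Constructed sample input: the record from the commit message, joined onto
# one line, plus an unrelated SYSCALL record that the parser must skip.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/sbin/libvirtd" pid=5472 comm="libvirtd" requested_mask="trace" '
    'denied_mask="trace" peer="/usr/sbin/dnsmasq"',
    'type=SYSCALL msg=audit(1507320136.306:298): arch=c000003e syscall=101 success=no',
]

# The ptrace rules of usr.sbin.libvirtd before the patch, and with the added line.
RULES_BEFORE = [
    "ptrace (trace) peer=unconfined,",
    "ptrace (trace) peer=/usr/sbin/libvirtd,",
    "ptrace (trace) peer=libvirt-*,",
]
RULES_AFTER = RULES_BEFORE[:2] + ["ptrace (trace) peer=/usr/sbin/dnsmasq,"] + RULES_BEFORE[2:]

# key=value pairs; values are either "quoted" or a bare token (pid=5472).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# 'ptrace (perm, perm ...) peer=LABEL,' as written in a profile.
RULE_RE = re.compile(r'^\s*ptrace\s*\(([^)]*)\)\s*peer=(\S+?),?\s*$')


def parse_avc(line):
    """Return the fields of an AppArmor AVC record as a dict, else None."""
    if not line.startswith("type=AVC"):
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    # SELinux also logs type=AVC; only AppArmor records carry apparmor=...
    return fields if "apparmor" in fields else None


def parse_rule(rule):
    """Parse a profile ptrace rule into (set of permissions, peer label)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a ptrace rule: {rule!r}")
    perms = set(p for p in re.split(r"[\s,]+", m.group(1)) if p)
    return perms, m.group(2)


def peer_matches(label_pattern, peer):
    """Assumption: fnmatch is close enough to AppArmor globbing for our labels."""
    return fnmatch.fnmatchcase(peer, label_pattern)


def rule_covers(rules, fields):
    """True if one rule grants every denied permission against the logged peer."""
    denied = set(fields["denied_mask"].split())
    for rule in rules:
        perms, label = parse_rule(rule)
        if peer_matches(label, fields["peer"]) and denied <= perms:
            return True
    return False


def suggest_rule(fields):
    """Turn a DENIED ptrace record into the rule line that would allow it."""
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "ptrace":
        return None
    return f'ptrace ({fields["denied_mask"]}) peer={fields["peer"]},'


def audit_ptrace_denials(log_lines, rules):
    """Return [(fields, suggested_rule)] for ptrace denials the rules do not cover."""
    findings = []
    for line in log_lines:
        fields = parse_avc(line)
        if fields is None:
            continue
        rule = suggest_rule(fields)
        if rule and not rule_covers(rules, fields):
            findings.append((fields, rule))
    return findings


if __name__ == "__main__":
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        found = audit_ptrace_denials(SAMPLE_AUDIT_LOG, rules)
        print(f"{name} patch: {len(found)} uncovered ptrace denial(s)")
        for fields, rule in found:
            print(f"  {fields['profile']} -> {fields['peer']}: add  {rule}")
```

Run against the rules before the patch it reports one uncovered denial and suggests `ptrace (trace) peer=/usr/sbin/dnsmasq,`; with the patched rule list it reports none. The check is deliberately strict about permissions (every bit in denied_mask must be granted by a single rule), which is the question a reviewer asks of such a one-line profile change.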
Re: [libvirt] [PATCH] apparmor: add dnsmasq ptrace rule to libvirtd profile
Posted by Guido Günther 6 years, 6 months ago
Hi,
On Fri, Oct 06, 2017 at 02:58:10PM -0600, Jim Fehlig wrote:
> Commit b482925c added ptrace rule for the apparmor profiles,
> but one was missed in the libvirtd profile for dnsmasq. It was
> overlooked since the test machine did not have an active libvirt
> network requiring dnsmasq that was also set to autostart. With
> one active and set to autostart, the following denial is observed
> in audit.log when restarting libvirtd
> 
> type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
> comm="libvirtd" requested_mask="trace" denied_mask="trace" \
> peer="/usr/sbin/dnsmasq"
> 
> With an active network, I suspect a libvirtd restart causes access
> to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
> side effect of the denial, libvirtd thinks it needs to spawn a
> dnsmasq process even though one is already running for the network.
> E.g. after two libvirtd restarts
> 
> dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 \
>  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>  --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
> 
> A simple fix is to add a ptrace rule for dnsmasq.
> 
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>  examples/apparmor/usr.sbin.libvirtd | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index fa4ebb355..819068ffc 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -39,6 +39,7 @@
>  
>    ptrace (trace) peer=unconfined,
>    ptrace (trace) peer=/usr/sbin/libvirtd,
> +  ptrace (trace) peer=/usr/sbin/dnsmasq,
>    ptrace (trace) peer=libvirt-*,
>  
>    # Very lenient profile for libvirtd since we want to first focus on
>    confining

Reviewed-By: Guido Günther <agx@sigxcpu.org>


> -- 
> 2.14.1
> 

Re: [libvirt] [PATCH] apparmor: add dnsmasq ptrace rule to libvirtd profile
Posted by Jim Fehlig 6 years, 6 months ago
On 10/06/2017 04:04 PM, Guido Günther wrote:
> Hi,
> On Fri, Oct 06, 2017 at 02:58:10PM -0600, Jim Fehlig wrote:
>> Commit b482925c added ptrace rule for the apparmor profiles,
>> but one was missed in the libvirtd profile for dnsmasq. It was
>> overlooked since the test machine did not have an active libvirt
>> network requiring dnsmasq that was also set to autostart. With
>> one active and set to autostart, the following denial is observed
>> in audit.log when restarting libvirtd
>>
>> type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
>> operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
>> comm="libvirtd" requested_mask="trace" denied_mask="trace" \
>> peer="/usr/sbin/dnsmasq"
>>
>> With an active network, I suspect a libvirtd restart causes access
>> to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
>> side effect of the denial, libvirtd thinks it needs to spawn a
>> dnsmasq process even though one is already running for the network.
>> E.g. after two libvirtd restarts
>>
>> dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>> root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>> dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>> root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>> dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>> root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>>
>> A simple fix is to add a ptrace rule for dnsmasq.
>>
>> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
>> ---
>>   examples/apparmor/usr.sbin.libvirtd | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
>> index fa4ebb355..819068ffc 100644
>> --- a/examples/apparmor/usr.sbin.libvirtd
>> +++ b/examples/apparmor/usr.sbin.libvirtd
>> @@ -39,6 +39,7 @@
>>   
>>     ptrace (trace) peer=unconfined,
>>     ptrace (trace) peer=/usr/sbin/libvirtd,
>> +  ptrace (trace) peer=/usr/sbin/dnsmasq,
>>     ptrace (trace) peer=libvirt-*,
>>   
>>     # Very lenient profile for libvirtd since we want to first focus on
>>     confining
> 
> Reviewed-By: Guido Günther <agx@sigxcpu.org>

Thanks, pushed.

Regards,
Jim
