[libvirt] [PATCH 2/2] apparmor: Add ptrace and signal rules for named profile

Jim Fehlig posted 2 patches 6 years, 11 months ago
[libvirt] [PATCH 2/2] apparmor: Add ptrace and signal rules for named profile
Posted by Jim Fehlig 6 years, 11 months ago
Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules. As a result, libvirtd is unable to
signal confined qemu processes and hence unable to shut down
or destroy VMs.

Add ptrace and signal rules that reference the libvirtd profile
by name in addition to full binary path.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
 src/security/apparmor/libvirt-qemu | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 7d28faa163..474aaefdf8 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -16,8 +16,10 @@
   network inet stream,
   network inet6 stream,
 
+  ptrace (readby, tracedby) peer=libvirtd,
   ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
 
+  signal (receive) peer=libvirtd,
   signal (receive) peer=/usr/sbin/libvirtd,
 
   /dev/net/tun rw,
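Review bot: the new `peer=libvirtd` lines sit directly above the `peer=/usr/sbin/libvirtd` lines with nothing explaining why both forms are kept; add a comment above the ptrace pair saying the path form remains for hosts whose libvirtd profile is still path-named (anything predating commit a3ab6d42, or a distribution profile), otherwise the next cleanup will treat one of the two as redundant and drop it. The diffstat shows only libvirt-qemu changing, so this hunk fixes the receiving side alone; it is worth confirming that the libvirtd profile's own `signal (send)` and `ptrace` rules already reach the per-VM profiles, since a gap there presents as the same failure to shut down or destroy VMs.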
-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
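The commit message above describes the failure in terms of AppArmor peer labels: once the libvirtd profile is declared as a named profile, a confined libvirtd carries the label `libvirtd` rather than `/usr/sbin/libvirtd`, so `peer=` rules written against the path stop matching. The following lint is an added example written for this page, not libvirt code: it derives the label from a libvirtd profile header and checks that a qemu abstraction grants `ptrace (readby, tracedby)` and `signal (receive)` to that peer. The profile headers and the two abstraction snippets are constructed sample input; the abstraction snippets mirror the hunk above before and after the patch, and the two libvirtd headers mirror a path-named and a named profile rather than quoting the real files in src/security/apparmor/.

```python
"""Check that a qemu AppArmor abstraction lets libvirtd ptrace-read and signal
the confined guest for whatever label the libvirtd profile carries.
Added example for this thread, not libvirt code; all profile text is constructed."""
import re

# A top-level header "profile NAME /path ... {" labels the process NAME;
# a header "/path ... {" labels it with the path. peer= rules must match
# that label literally (AppArmor globs in peer= are not modelled here).
PROFILE_HEADER = re.compile(
    r"^(?:profile\s+(?P<name>[^\s{]+)\s*)?(?P<attach>/[^\s{]+)?[^{]*\{\s*$",
    re.M,
)

# ptrace/signal rules of the form: ptrace (readby, tracedby) peer=X,
RULE = re.compile(
    r"^\s*(?P<kind>ptrace|signal)\s*(?:\((?P<perms>[^)]*)\))?.*?"
    r"peer=(?P<peer>[^\s,]+)\s*,\s*$",
    re.M,
)

# What libvirtd needs from the guest side (the permissions the patched hunk grants).
REQUIRED = {"ptrace": {"readby", "tracedby"}, "signal": {"receive"}}


def profile_label(profile_text):
    """Return the label a process confined by this profile carries."""
    for m in PROFILE_HEADER.finditer(profile_text):
        if m.group("name"):
            return m.group("name")
        if m.group("attach"):
            return m.group("attach")
    raise ValueError("no top-level profile header found")


def peer_grants(abstraction_text, label):
    """Map rule kind -> permissions granted when the peer is `label` ('*' = all)."""
    grants = {kind: set() for kind in REQUIRED}
    for m in RULE.finditer(abstraction_text):
        if m.group("peer") != label:
            continue
        perms = m.group("perms")
        if perms is None:  # no permission list means every permission
            grants[m.group("kind")].add("*")
        else:
            grants[m.group("kind")].update(p.strip() for p in perms.split(","))
    return grants


def missing_access(libvirtd_profile, qemu_abstraction):
    """Return {kind: missing perms}; empty dict means libvirtd's label is covered."""
    label = profile_label(libvirtd_profile)
    grants = peer_grants(qemu_abstraction, label)
    missing = {}
    for kind, need in REQUIRED.items():
        if "*" in grants[kind]:
            continue
        gap = need - grants[kind]
        if gap:
            missing[kind] = gap
    return missing


# Constructed sample input: libvirtd profile headers of both shapes.
LIBVIRTD_PATH_NAMED = """/usr/sbin/libvirtd flags=(attach_disconnected) {
}
"""
LIBVIRTD_NAMED = """profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
}
"""

# Constructed sample input: the libvirt-qemu region from the hunk, before and after.
QEMU_BEFORE = """  network inet stream,
  network inet6 stream,

  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,

  signal (receive) peer=/usr/sbin/libvirtd,

  /dev/net/tun rw,
"""
QEMU_AFTER = """  network inet stream,
  network inet6 stream,

  ptrace (readby, tracedby) peer=libvirtd,
  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,

  signal (receive) peer=libvirtd,
  signal (receive) peer=/usr/sbin/libvirtd,

  /dev/net/tun rw,
"""

if __name__ == "__main__":
    for abst_name, abst in (("before", QEMU_BEFORE), ("after", QEMU_AFTER)):
        for prof_name, prof in (("path-named", LIBVIRTD_PATH_NAMED), ("named", LIBVIRTD_NAMED)):
            gap = missing_access(prof, abst)
            print(f"libvirt-qemu {abst_name:6} / libvirtd {prof_name:10}: "
                  f"{'OK' if not gap else 'MISSING ' + repr(gap)}")
```

To run this against a real host, feed it the contents of the installed libvirtd profile and of libvirt-qemu instead of the constructed strings. The matcher compares `peer=` values literally and does not expand AppArmor globs, so a rule such as `peer=libvirt-*` that covers the label would be reported as a gap; that is a limitation of the example, not of AppArmor.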
Re: [libvirt] [PATCH 2/2] apparmor: Add ptrace and signal rules for named profile
Posted by Jamie Strandboge 6 years, 11 months ago
On Fri, 01 Mar 2019, Jim Fehlig wrote:

> Commit a3ab6d42 changed the libvirtd profile to a named profile
> but neglected to accommodate the change in the qemu profile
> ptrace and signal rules. As a result, libvirtd is unable to
> signal confined qemu processes and hence unable to shut down
> or destroy VMs.
> 
> Add ptrace and signal rules that reference the libvirtd profile
> by name in addition to full binary path.
> 
> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
> ---
>  src/security/apparmor/libvirt-qemu | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 7d28faa163..474aaefdf8 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -16,8 +16,10 @@
>    network inet stream,
>    network inet6 stream,
>  
> +  ptrace (readby, tracedby) peer=libvirtd,
>    ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
>  
> +  signal (receive) peer=libvirtd,
>    signal (receive) peer=/usr/sbin/libvirtd,
>  
>    /dev/net/tun rw,

+1 to commit

-- 
Jamie Strandboge             | http://www.canonical.com
Re: [libvirt] [PATCH 2/2] apparmor: Add ptrace and signal rules for named profile
Posted by Jim Fehlig 6 years, 11 months ago
On 3/2/19 7:20 AM, Jamie Strandboge wrote:
> On Fri, 01 Mar 2019, Jim Fehlig wrote:
> 
>> Commit a3ab6d42 changed the libvirtd profile to a named profile
>> but neglected to accommodate the change in the qemu profile
>> ptrace and signal rules. As a result, libvirtd is unable to
>> signal confined qemu processes and hence unable to shut down
>> or destroy VMs.
>>
>> Add ptrace and signal rules that reference the libvirtd profile
>> by name in addition to full binary path.
>>
>> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
>> ---
>>   src/security/apparmor/libvirt-qemu | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
>> index 7d28faa163..474aaefdf8 100644
>> --- a/src/security/apparmor/libvirt-qemu
>> +++ b/src/security/apparmor/libvirt-qemu
>> @@ -16,8 +16,10 @@
>>     network inet stream,
>>     network inet6 stream,
>>   
>> +  ptrace (readby, tracedby) peer=libvirtd,
>>     ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
>>   
>> +  signal (receive) peer=libvirtd,
>>     signal (receive) peer=/usr/sbin/libvirtd,
>>   
>>     /dev/net/tun rw,
> 
> +1 to commit

Thanks! Any comment on 1/2? It fixes the rather nasty bug of libvirtd not
starting when the apparmor driver is explicitly enabled in qemu.conf.

Regards,
Jim
