From nobody Thu May 2 06:06:27 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1551479359876421.3538555584647; Fri, 1 Mar 2019 14:29:19 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B45693084298; Fri, 1 Mar 2019 22:29:17 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2DFD760856; Fri, 1 Mar 2019 22:29:17 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id CCFDB41F3C; Fri, 1 Mar 2019 22:29:12 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x21MTBWW011551 for ; Fri, 1 Mar 2019 17:29:11 -0500 Received: by smtp.corp.redhat.com (Postfix) id C99BF1001E6D; Fri, 1 Mar 2019 22:29:11 +0000 (UTC) Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com [10.5.110.41]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C39E61001E6C for ; Fri, 1 Mar 2019 22:29:09 +0000 (UTC) Received: from smtp2.provo.novell.com (smtp2.provo.novell.com [137.65.250.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7AF92318A5F4 for ; Fri, 1 Mar 2019 22:29:08 +0000 (UTC) Received: from linux-tbji.provo.novell.com (prv-ext-foundry1int.gns.novell.com [137.65.251.240]) by smtp2.provo.novell.com with ESMTP (NOT encrypted); Fri, 01 Mar 2019 15:28:59 -0700 From: Jim Fehlig To: libvir-list@redhat.com Date: Fri, 1 Mar 2019 15:28:49 -0700 Message-Id: <20190301222850.28394-2-jfehlig@suse.com> In-Reply-To: <20190301222850.28394-1-jfehlig@suse.com> References: <20190301222850.28394-1-jfehlig@suse.com> MIME-Version: 1.0 X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 216 matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Fri, 01 Mar 2019 22:29:08 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Fri, 01 Mar 2019 22:29:08 +0000 (UTC) for IP:'137.65.250.81' DOMAIN:'smtp2.provo.novell.com' HELO:'smtp2.provo.novell.com' FROM:'jfehlig@suse.com' RCPT:'' X-RedHat-Spam-Score: -2.301 (RCVD_IN_DNSWL_MED, SPF_PASS) 137.65.250.81 smtp2.provo.novell.com 137.65.250.81 smtp2.provo.novell.com X-Scanned-By: MIMEDefang 2.84 on 10.5.110.41 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 1/2] apparmor: Check libvirtd profile status by name X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Fri, 01 Mar 2019 22:29:18 +0000 (UTC) Content-Type: text/plain; charset="utf-8" Commit a3ab6d42 changed the libvirtd profile to a named profile, breaking the apparmor driver's ability to detect if the profile is active. When the apparmor driver loads it checks the status of the libvirtd profile using the full binary path, which fails since the profile is now referenced by name. If the apparmor driver is explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails to load too. Instead of only checking the profile status by full binary path, also check by profile name. The full path check is retained in case users have a customized libvirtd profile with full path. Signed-off-by: Jim Fehlig --- src/security/security_apparmor.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 4afdef065a..6d16b15c65 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -257,10 +257,16 @@ use_apparmor(void) if (access(APPARMOR_PROFILES_PATH, R_OK) !=3D 0) goto cleanup; =20 + /* First check profile status using full binary path. If that fails + * check using profile name. + */ rc =3D profile_status(libvirt_daemon, 1); - /* Error or unconfined should all result in -1*/ - if (rc < 0) - rc =3D -1; + if (rc < 0) { + rc =3D profile_status("libvirtd", 1); + /* Error or unconfined should all result in -1*/ + if (rc < 0) + rc =3D -1; + } =20 cleanup: VIR_FREE(libvirt_daemon); --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Thu May 2 06:06:27 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1551479376335964.19097575998; Fri, 1 Mar 2019 14:29:36 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 91E2930EBE86; Fri, 1 Mar 2019 22:29:34 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 68B981001E6D; Fri, 1 Mar 2019 22:29:34 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 2A35C181A010; Fri, 1 Mar 2019 22:29:34 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x21MTBoQ011556 for ; Fri, 1 Mar 2019 17:29:11 -0500 Received: by smtp.corp.redhat.com (Postfix) id E340C60A9A; Fri, 1 Mar 2019 22:29:11 +0000 (UTC) Received: from mx1.redhat.com (ext-mx05.extmail.prod.ext.phx2.redhat.com [10.5.110.29]) by smtp.corp.redhat.com (Postfix) with ESMTPS id DB8B8608E2 for ; Fri, 1 Mar 2019 22:29:09 +0000 (UTC) Received: from smtp2.provo.novell.com (smtp2.provo.novell.com [137.65.250.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7BD4D3C2CC9 for ; Fri, 1 Mar 2019 22:29:08 +0000 (UTC) Received: from linux-tbji.provo.novell.com (prv-ext-foundry1int.gns.novell.com [137.65.251.240]) by smtp2.provo.novell.com with ESMTP (NOT encrypted); Fri, 01 Mar 2019 15:29:00 -0700 From: Jim Fehlig To: libvir-list@redhat.com Date: Fri, 1 Mar 2019 15:28:50 -0700 Message-Id: <20190301222850.28394-3-jfehlig@suse.com> In-Reply-To: <20190301222850.28394-1-jfehlig@suse.com> References: <20190301222850.28394-1-jfehlig@suse.com> MIME-Version: 1.0 X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 216 matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Fri, 01 Mar 2019 22:29:08 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Fri, 01 Mar 2019 22:29:08 +0000 (UTC) for IP:'137.65.250.81' DOMAIN:'smtp2.provo.novell.com' HELO:'smtp2.provo.novell.com' FROM:'jfehlig@suse.com' RCPT:'' X-RedHat-Spam-Score: -2.301 (RCVD_IN_DNSWL_MED, SPF_PASS) 137.65.250.81 smtp2.provo.novell.com 137.65.250.81 smtp2.provo.novell.com X-Scanned-By: MIMEDefang 2.78 on 10.5.110.29 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 2/2] apparmor: Add ptrace and signal rules for named profile X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.46]); Fri, 01 Mar 2019 22:29:35 +0000 (UTC) Content-Type: text/plain; charset="utf-8" Commit a3ab6d42 changed the libvirtd profile to a named profile but neglected to accommodate the change in the qemu profile ptrace and signal rules. As a result, libvirtd is unable to signal confined qemu processes and hence unable to shutdown or destroy VMs. Add ptrace and signal rules that reference the libvirtd profile by name in addition to full binary path. Signed-off-by: Jim Fehlig --- src/security/apparmor/libvirt-qemu | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib= virt-qemu index 7d28faa163..474aaefdf8 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -16,8 +16,10 @@ network inet stream, network inet6 stream, =20 + ptrace (readby, tracedby) peer=3Dlibvirtd, ptrace (readby, tracedby) peer=3D/usr/sbin/libvirtd, =20 + signal (receive) peer=3Dlibvirtd, signal (receive) peer=3D/usr/sbin/libvirtd, =20 /dev/net/tun rw, --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list