From nobody Mon Feb  9 10:28:47 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28
 as permitted sender) client-ip=209.132.183.28;
 envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com
Return-Path: <libvir-list-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by
 mx.zohomail.com
	with SMTPS id 1551479376335964.19097575998;
 Fri, 1 Mar 2019 14:29:36 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
 [10.5.11.22])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 91E2930EBE86;
	Fri,  1 Mar 2019 22:29:34 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 68B981001E6D;
	Fri,  1 Mar 2019 22:29:34 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 2A35C181A010;
	Fri,  1 Mar 2019 22:29:34 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
	[10.5.11.13])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id x21MTBoQ011556 for <libvir-list@listman.util.phx.redhat.com>;
	Fri, 1 Mar 2019 17:29:11 -0500
Received: by smtp.corp.redhat.com (Postfix)
	id E340C60A9A; Fri,  1 Mar 2019 22:29:11 +0000 (UTC)
Received: from mx1.redhat.com (ext-mx05.extmail.prod.ext.phx2.redhat.com
	[10.5.110.29])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id DB8B8608E2
	for <libvir-list@redhat.com>; Fri,  1 Mar 2019 22:29:09 +0000 (UTC)
Received: from smtp2.provo.novell.com (smtp2.provo.novell.com [137.65.250.81])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 7BD4D3C2CC9
	for <libvir-list@redhat.com>; Fri,  1 Mar 2019 22:29:08 +0000 (UTC)
Received: from linux-tbji.provo.novell.com (prv-ext-foundry1int.gns.novell.com
	[137.65.251.240])
	by smtp2.provo.novell.com with ESMTP (NOT encrypted);
	Fri, 01 Mar 2019 15:29:00 -0700
From: Jim Fehlig <jfehlig@suse.com>
To: libvir-list@redhat.com
Date: Fri,  1 Mar 2019 15:28:50 -0700
Message-Id: <20190301222850.28394-3-jfehlig@suse.com>
In-Reply-To: <20190301222850.28394-1-jfehlig@suse.com>
References: <20190301222850.28394-1-jfehlig@suse.com>
MIME-Version: 1.0
X-Greylist: Sender passed SPF test, Sender IP whitelisted by DNSRBL, ACL 216
	matched, not delayed by milter-greylist-4.5.16 (mx1.redhat.com
	[10.5.110.29]); Fri, 01 Mar 2019 22:29:08 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com
 [10.5.110.29]);
	Fri, 01 Mar 2019 22:29:08 +0000 (UTC) for IP:'137.65.250.81'
	DOMAIN:'smtp2.provo.novell.com' HELO:'smtp2.provo.novell.com'
	FROM:'jfehlig@suse.com' RCPT:''
X-RedHat-Spam-Score: -2.301  (RCVD_IN_DNSWL_MED,
	SPF_PASS) 137.65.250.81 smtp2.provo.novell.com
	137.65.250.81 smtp2.provo.novell.com <jfehlig@suse.com>
X-Scanned-By: MIMEDefang 2.78 on 10.5.110.29
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-loop: libvir-list@redhat.com
Subject: [libvirt] [PATCH 2/2] apparmor: Add ptrace and signal rules for
	named profile
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.46]);
 Fri, 01 Mar 2019 22:29:35 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"

Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules. As a result, libvirtd is unable to
signal confined qemu processes and hence unable to shutdown
or destroy VMs.

Add ptrace and signal rules that reference the libvirtd profile
by name in addition to full binary path.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
 src/security/apparmor/libvirt-qemu | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/lib=
virt-qemu
index 7d28faa163..474aaefdf8 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -16,8 +16,10 @@
   network inet stream,
   network inet6 stream,
=20
+  ptrace (readby, tracedby) peer=3Dlibvirtd,
   ptrace (readby, tracedby) peer=3D/usr/sbin/libvirtd,
=20
+  signal (receive) peer=3Dlibvirtd,
   signal (receive) peer=3D/usr/sbin/libvirtd,
=20
   /dev/net/tun rw,
--=20
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list