Hi Jim,

On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote:
> Kernel 4.13 introduced finer-grained ptrace checks
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
>
> When Apparmor is enabled and libvirtd is confined, attempting to start
> a domain fails
>
> virsh start test
> error: Failed to start domain test
> error: internal error: child reported: Kernel does not provide mount
> namespace: Permission denied
>
> The audit log contains
>
> type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="/usr/sbin/libvirtd"

It seems access to /proc/<pid>/tasks already requires trace permissions.

>
> It was also noticed that simply connecting to libvirtd (e.g. virsh list)
> resulted in the following entries in the audit log
>
> type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="unconfined"
> type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
> operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
> comm="libvirtd" requested_mask="trace" denied_mask="trace"
> peer="unconfined"
>
> Both Apparmor denials can be fixed by adding ptrace rules to the
> libvirtd profile. The new rules only grant trace permission.

I'm seeing the same denials with 4.13 (4.13.1-1~exp1 (2017-09-11) in Debian)
but the proposed profile change does not fix the vm start issue for me.
I can't tell why atm, will have to look into this in more detail at the WE.

>
> Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
> Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> > --- > > Even with debug enabled in libvirtd, I've had a hard time correlating a > libvirtd action that results in the denied ptrace check seen in the audit > log. I suspect it is related to accessing files in /proc as mentioned in > the apparmor wiki > > http://wiki.apparmor.net/index.php/TechnicalDo_Proc_and_ptrace > > cc'ing some of the usual apparmor suspects for any words of wisdom. > > examples/apparmor/usr.sbin.libvirtd | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd > index acb59e071..ff84aa149 100644 > --- a/examples/apparmor/usr.sbin.libvirtd > +++ b/examples/apparmor/usr.sbin.libvirtd > @@ -37,6 +37,10 @@ > network packet dgram, > network packet raw, > > + # Support finer-grained ptrace checks, which were enabled in kernel 4.13 > + ptrace trace peer=/usr/sbin/libvirtd, > + ptrace trace peer=unconfined, > + > # Very lenient profile for libvirtd since we want to first focus on confining > # the guests. Guests will have a very restricted profile. > / r, > -- > 2.14.1 > -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
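Review bot: the second added rule, `ptrace trace peer=unconfined,`, grants libvirtd trace-class access towards every unconfined process on the host, which is wider than the two denials in the commit message strictly require (one from libvirtd itself, one from an unconfined virsh client); given that the profile is already described as very lenient this may be acceptable, but the added comment should say what the rules are for rather than only citing the kernel version, e.g. "# 4.13 checks ptrace permission for /proc access; libvirtd needs it towards itself and unconfined clients". The bigger concern is completeness: the reply reports that with exactly these two rules `virsh start` still fails on 4.13, so the peer list is likely not the whole set libvirtd needs. Before merging, collect all remaining operation="ptrace" denials along the domain start path with the profile in complain mode (aa-complain /usr/sbin/libvirtd, then grep the audit log for requested_mask) and add the missing peers in one go, instead of growing the rule set one denial at a time; the commit message itself notes the triggering action could not be correlated with a libvirtd operation, so that correlation should be settled before the rules land.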
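The thread turns on reading AppArmor ptrace denials out of the audit log and turning them into profile rules. The following script is an added example written for this page (it is not libvirt code and not part of the thread); it parses audit records into key/value fields, keeps only AppArmor ptrace denials, collapses duplicates, and renders one `ptrace (perms) peer=...,` rule per (profile, peer) pair, which is roughly what aa-logprof does by hand. It also flags rules whose peer is `unconfined` or a glob, since those are the grants a reviewer should look at twice. The three input records are copied verbatim from the audit excerpts quoted above; the assumption that `denied_mask` holds whitespace-separated AppArmor ptrace permission names (read, readby, trace, tracedby) is the author's, not something the thread states.

```python
import re
from collections import OrderedDict

# The three ptrace denials quoted in the thread, copied verbatim (not constructed).
AUDIT_LINES = [
    'type=AVC msg=audit(1505466699.828:534): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/sbin/libvirtd" pid=6621 comm="libvirtd" requested_mask="trace" '
    'denied_mask="trace" peer="/usr/sbin/libvirtd"',
    'type=AVC msg=audit(1505755799.975:65): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" '
    'denied_mask="trace" peer="unconfined"',
    'type=AVC msg=audit(1505755799.976:66): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/sbin/libvirtd" pid=1418 comm="libvirtd" requested_mask="trace" '
    'denied_mask="trace" peer="unconfined"',
]

# key=value pairs; values are either double-quoted (group 3) or a bare token (group 2).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Split one audit record into a dict of fields, stripping quotes from values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def ptrace_denials(lines):
    """Yield (profile, peer, denied_mask) for AppArmor ptrace DENIED records only."""
    for line in lines:
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "ptrace":
            continue
        yield f["profile"], f["peer"], f["denied_mask"]


def rules_from_denials(lines):
    """Return {profile: [rule, ...]} with one ptrace rule per (profile, peer).

    Duplicate denials (the two identical peer="unconfined" records above) collapse
    into a single rule. Permission names are taken straight from denied_mask;
    assumption: the mask is a whitespace-separated list of AppArmor ptrace perms.
    """
    needed = OrderedDict()
    for profile, peer, mask in ptrace_denials(lines):
        needed.setdefault((profile, peer), set()).update(mask.split())
    rules = OrderedDict()
    for (profile, peer), perms in needed.items():
        rule = "ptrace (%s) peer=%s," % (" ".join(sorted(perms)), peer)
        rules.setdefault(profile, []).append(rule)
    return rules


def broad_rules(rules):
    """Return the generated rules whose peer is 'unconfined' or a glob.

    These grant access towards an open-ended set of processes and deserve an
    explicit justification in the profile comment rather than a silent add.
    """
    flagged = []
    for rule_list in rules.values():
        for rule in rule_list:
            peer = rule.split("peer=", 1)[1].rstrip(",")
            if peer == "unconfined" or "*" in peer:
                flagged.append(rule)
    return flagged


if __name__ == "__main__":
    generated = rules_from_denials(AUDIT_LINES)
    for profile, rule_list in generated.items():
        print("# rules for profile %s" % profile)
        for rule in rule_list:
            print("  " + rule)
    for rule in broad_rules(generated):
        print("# REVIEW: broad peer in %r" % rule)
```

Run against the quoted records this yields exactly the two rules the patch adds (`ptrace (trace) peer=/usr/sbin/libvirtd,` and `ptrace (trace) peer=unconfined,`), with the `unconfined` one flagged for review. Feeding it the audit log captured during a failing `virsh start` in complain mode would show whether any further peers are being denied, which is the open question in the reply.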