On 09/20/2017 08:57 AM, Jim Fehlig wrote:
On 09/20/2017 12:51 AM, Guido Günther wrote:
Hi Jim,
On Mon, Sep 18, 2017 at 02:06:13PM -0600, Jim Fehlig wrote:
Kernel 4.13 introduced finer-grained ptrace checks
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
When Apparmor is enabled and libvirtd is confined, attempting to start
a domain fails
virsh start test
error: Failed to start domain test
error: internal error: child reported: Kernel does not provide mount
namespace: Permission denied
The audit log contains
type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="/usr/sbin/libvirtd"
It seems access to /proc/<pid>/tasks already requires trace permissions.
It was also noticed that simply connecting to libvirtd (e.g. virsh list)
resulted in the following entries in the audit log
type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"
type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"
Both Apparmor denials can be fixed by adding ptrace rules to the
libvirtd profile. The new rules only grant trace permission.
I'm seeing the same denials with 4.13 (4.13.1-1~exp1 (2017-09-11) in
Debian) but the proposed profile change does not fix the vm start issue
for me. I can't tell why atm, will have to look into this in more detail
at the WE.
I have other problems when running with 'security_default_confined = 1' in
qemu.conf, but the changes allow starting unconfined domains.
Cedric remembered this old thread
https://www.redhat.com/archives/libvir-list/2014-October/msg00011.html
Some of those changes have been merged, but the ptrace, dbus, signal, etc. have
not. I used Stefan's changes to the libvirtd profile but still see the same
issue with confined domains
I dug a bit further in that thread to find Stefan's most recent version of the
patches
https://www.redhat.com/archives/libvir-list/2014-October/msg00556.html
I took the ptrace, dbus, signal, etc. changes out of patch 2 and used the
attached patch to successfully start confined domains.
Since a few years have passed, I'm not sure if patch 1 is still relevant. IIUC,
it allows to conditionalize profile content based on apparmor version, which
patch 2 uses to add some stuff if version >= 2.9. 2.9 has been out for a while...
>From e3bb609812776b30acfc0349b25b2e4d539c45c2 Mon Sep 17 00:00:00 2001
From: Jim Fehlig <jfehlig@xxxxxxxx>
Date: Mon, 18 Sep 2017 13:41:26 -0600
Subject: [PATCH] apparmor: support ptrace checks
Kernel 4.13 introduced finer-grained ptrace checks
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
When Apparmor is enabled and libvirtd is confined, attempting to start
a domain fails
virsh start test
error: Failed to start domain test
error: internal error: child reported: Kernel does not provide mount
namespace: Permission denied
The audit log contains
type=AVC msg=audit(1505466699.828:534): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=6621
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="/usr/sbin/libvirtd"
It was also noticed that simply connecting to libvirtd (e.g. virsh list)
resulted in the following entries in the audit log
type=AVC msg=audit(1505755799.975:65): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"
type=AVC msg=audit(1505755799.976:66): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=1418
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"
Both Apparmor denials can be fixed by supporting ptrace in the
libvirtd, qemu, and lxc profiles. While at it, also add support
for dbus, signal, and unix.
Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
---
examples/apparmor/libvirt-lxc | 3 +++
examples/apparmor/libvirt-qemu | 3 +++
examples/apparmor/usr.sbin.libvirtd | 6 ++++++
3 files changed, 12 insertions(+)
diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
index 4bfb503aa..0db137de0 100644
--- a/examples/apparmor/libvirt-lxc
+++ b/examples/apparmor/libvirt-lxc
@@ -3,6 +3,9 @@
#include <abstractions/base>
umount,
+ dbus,
+ signal,
+ ptrace,
# ignore DENIED message on / remount
deny mount options=(ro, remount) -> /,
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index dcfb1a598..6a4a2335a 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -170,6 +170,9 @@
@{PROC}/device-tree/** r,
/sys/firmware/devicetree/** r,
+ signal (receive) peer=/usr/sbin/libvirtd,
+ ptrace (tracedby) peer=/usr/sbin/libvirtd,
+
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
/sys/devices/system/node/ r,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index acb59e071..9aadba411 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -36,6 +36,12 @@
network inet6 dgram,
network packet dgram,
network packet raw,
+ network netlink,
+
+ dbus bus=system,
+ signal,
+ ptrace,
+ unix,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
--
2.14.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
