Hi Guido and everybody else,
Ubuntu had the feature that went into 4.13 for quite a while so I looked into dropping our rules in favor of the upstream ones.
While doing so I found something yet unclear and filed [1] about it.
TL;DR: The rules "should" not work because they should also have a tracedby rule, but they work.
Jjohansen will let us know when he has looked at it in detail.
The bug I mention here is to track that effort.
P.S. FYI There is something similar ahead for kernel 4.14 which will need a similar rule for signals.
On Mon, Sep 25, 2017 at 12:05 PM, Guido Günther <agx@xxxxxxxxxxx> wrote:
Hi,
I've pushed that patch as is since without the unconfined ptrace we're

On Sun, Sep 24, 2017 at 02:26:01PM +0200, Guido Günther wrote:
> Hi Jim,
> On Fri, Sep 22, 2017 at 05:02:42PM -0600, Jim Fehlig wrote:
> > Kernel 4.13 introduced finer-grained ptrace checks
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
> >
> > With kernel 4.13 and apparmor 2.11, simply starting libvirtd
> > results in the following apparmor denial
> >
> > type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
> > operation="ptrace" profile="" pid=6984
> > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > peer="unconfined"
> >
> > Attempting to start an unconfined domain results in
> >
> > type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
> > operation="ptrace" profile="" pid=7498
> > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > peer="/usr/sbin/libvirtd"
> >
> > And attempting to start a confined domain results in
> >
> > type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
> > operation="open" profile="" name="/etc/libnl/classid"
> > pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> > fsuid=0 ouid=0
> > type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
> > operation="open" profile="" name="/etc/libnl/classid"
> > pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
> > fsuid=0 ouid=0
> > type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
> > operation="ptrace" profile="" pid=8342
> > comm="libvirtd" requested_mask="trace" denied_mask="trace"
> > peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
> >
> > Add ptrace rules to allow the trace operations.
> >
> > Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
> > Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
> > ---
> >
> > V3:
> > fix ptrace rule for per-domain profiles
> >
> > V2:
> > restrict ptrace permissions
> > drop support for dbus, signal, and unix
> >
> > examples/apparmor/usr.sbin.libvirtd | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin. libvirtd
> > index acb59e071..fa4ebb355 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -37,6 +37,10 @@
> > network packet dgram,
> > network packet raw,
> >
> > + ptrace (trace) peer=unconfined,
> > + ptrace (trace) peer=/usr/sbin/libvirtd,
> > + ptrace (trace) peer=libvirt-*,
> > +
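Review bot: the three added rules carry no comment, unlike the rest of this block (see the "Very lenient profile" note that follows them), so a reader of the profile cannot tell why libvirtd needs `ptrace (trace)` at all. Suggest a one-line comment above `+ ptrace (trace) peer=unconfined,` recording that the finer-grained ptrace checks in kernel 4.13 produce the denials listed in the commit message, and, since the thread already reports things working without the `peer=unconfined` rule, either drop that rule or note in the same comment why it is kept.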
>
> This works here too! And I can even drop the first rule (ptrace (trace)
> peer=unconfined) and things still work (and from reading the profile and
> Jamie's explanations it should work without it). Can you check if that
> works for you too? Otherwise:
>
> Reviewed-By: Guido Günther <agx@xxxxxxxxxxx>
seeing denials with gnome-boxes and virsh.
Cheers,
-- Guido
>
>
> > # Very lenient profile for libvirtd since we want to first focus on confining
> > # the guests. Guests will have a very restricted profile.
> > / r,
> > --
> > 2.14.1
> >
>
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
>
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
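As an added example (not code from the thread, libvirt or AppArmor), a small Python helper that turns the audit denials quoted above into the AppArmor rules a profile would need, collapsing the per-guest libvirt-<uuid> peer into the libvirt-* glob the patch uses. The profile= field was blank in the quoted lines, so the constructed sample fills it in as an assumption.

```python
import re

# Constructed sample input: the denials quoted in the thread, re-joined onto single
# lines as auditd emits them. The profile= values were blank in the mail and are
# filled in here (assumption) so that rules can be grouped per profile.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Per-domain guest profiles are named libvirt-<uuid>, as in the last denial above.
GUEST_RE = re.compile(r"^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def parse_avc(line):
    """Split one AVC record into a dict of its key=value fields, quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}

def suggest_rule(fields):
    """Map one DENIED record to the AppArmor rule that would permit it, or None."""
    if fields.get("apparmor") != "DENIED":
        return None
    perms = fields.get("denied_mask", "")
    if fields.get("operation") == "ptrace":
        peer = fields["peer"]
        # Collapse guest profiles into the glob the patch uses, so one rule
        # covers every domain instead of one rule per UUID.
        if GUEST_RE.match(peer):
            peer = "libvirt-*"
        return f"ptrace ({perms}) peer={peer},"
    if fields.get("operation") == "open":
        return f"{fields['name']} {perms},"
    return None  # signal, dbus, unix etc. are out of scope here

def rules_by_profile(log_text):
    """Return {profile: [unique suggested rules, first-seen order]} for a log excerpt."""
    out = {}
    for line in log_text.splitlines():
        fields = parse_avc(line)
        rule = suggest_rule(fields)
        if rule is None:
            continue
        rules = out.setdefault(fields.get("profile", ""), [])
        if rule not in rules:
            rules.append(rule)
    return out
```

Running `rules_by_profile(SAMPLE_AUDIT)` yields exactly the three ptrace rules the patch adds for /usr/sbin/libvirtd, plus the `/etc/libnl/classid r,` rule the virt-aa-helper denials call for.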