On Thu, Dec 3, 2020 at 3:58 AM Jim Fehlig <jfehlig@xxxxxxxx> wrote: > > LXC processes confined by apparmor are not permitted to receive signals > from libvirtd. Attempting to destroy such a process fails > > virsh --connect lxc:/// destroy distro_apparmor > error: Failed to destroy domain distro_apparmor > error: Failed to kill process 29491: Permission denied > > And from /var/log/audit/audit.log > > type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED" > operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1" > pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive" > signal=term peer="libvirtd" > > Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc > abstraction allowing reception of signals from libvirtd. Agreed that it is the same rule as in libvirt-qemu and therefore should be rather safe. TBH I did not see the denial when testing 6.9.0 [1], but the pattern is known and therefore I think adding the rule is fine. Reviewed-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> [1]: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-hirsute/hirsute/amd64/libv/libvirt/20201127_105058_4590a@/log.gz > Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx> > --- > src/security/apparmor/libvirt-lxc | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libvirt-lxc > index e556f2a7bd..0c8b812743 100644 > --- a/src/security/apparmor/libvirt-lxc > +++ b/src/security/apparmor/libvirt-lxc > @@ -1,5 +1,9 @@ > #include <abstractions/base> > > + # Allow receiving signals from libvirtd > + signal (receive) peer=libvirtd, > + signal (receive) peer=/usr/sbin/libvirtd, > + > umount, > > # ignore DENIED message on / remount > -- > 2.29.2 > > -- Christian Ehrhardt Staff Engineer, Ubuntu Server Canonical Ltd
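
Review bot: The two added 'signal (receive)' rules in the '@@ -1,5 +1,9 @@' hunk carry no 'set=' restriction, so a confined LXC process may receive any signal from the peer, while the quoted audit record shows only 'signal=term' being denied. If matching the libvirt-qemu abstraction is the intent, the in-file comment should say so; otherwise consider limiting the rule to the signals libvirtd sends when destroying or shutting down a domain. The comment could also state why both 'peer=libvirtd' and 'peer=/usr/sbin/libvirtd' are needed, since the logged denial names only peer="libvirtd".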
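
Added example (not part of the original thread and not libvirt code): a small Python helper that turns AppArmor signal denials, such as the audit record quoted in the message above, into candidate `signal` rules grouped by profile, so they can be reviewed before being added to a profile or abstraction. The function names and the `narrow` option are this example's own, and the second log record is constructed.

```python
import re
from collections import defaultdict

# First record: the denial quoted in the message above, rejoined onto one line.
# Second record: constructed, non-signal denial to show that it is filtered out.
SAMPLE_LOG = '''\
type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED" operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1" pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive" signal=term peer="libvirtd"
type=AVC msg=audit(1606949707.000:6346): apparmor="DENIED" operation="open" profile="example-profile" name="/tmp/x" pid=100 comm="cat" requested_mask="r" denied_mask="r"
'''

# key=value pairs; values are either double-quoted or a run of non-space chars.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Split one audit record into a dict, unquoting quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def signal_denials(log_text):
    """Map (profile, denied access, peer) -> set of signal names denied."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "signal":
            continue
        key = (f.get("profile", "?"), f.get("denied_mask", ""), f.get("peer", ""))
        if "signal" in f:
            grouped[key].add(f["signal"])
    return grouped


def candidate_rules(log_text, narrow=False):
    """Return {profile: [rule, ...]}; narrow=True adds set=(...) with the
    signals actually seen instead of allowing every signal from the peer."""
    rules = defaultdict(list)
    for (profile, access, peer), sigs in sorted(signal_denials(log_text).items()):
        rule = f"signal ({access})"
        if narrow and sigs:
            rule += " set=(" + ", ".join(sorted(sigs)) + ")"
        if peer:
            rule += f" peer={peer}"
        rules[profile].append(rule + ",")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG, narrow=True).items():
        print(profile, *lines, sep="\n  ")
```

With `narrow=False` the output for the quoted denial is the same `peer=libvirtd` rule as the first line the patch adds; `narrow=True` shows the tighter variant limited to the signal seen in the log.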