Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read check")
libvirt now hits apparmor denies like:
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd"
pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to work
with these newer kernels.
Fixes: https://bugs.launchpad.net/bugs/1788603
Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
examples/apparmor/usr.sbin.libvirtd | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 80e348b7ee..f0ffc53008 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -50,10 +50,10 @@
# for --p2p migrations
unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
- ptrace (trace) peer=unconfined,
- ptrace (trace) peer=/usr/sbin/libvirtd,
- ptrace (trace) peer=/usr/sbin/dnsmasq,
- ptrace (trace) peer=libvirt-*,
+ ptrace (read,trace) peer=unconfined,
+ ptrace (read,trace) peer=/usr/sbin/libvirtd,
+ ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+ ptrace (read,trace) peer=libvirt-*,
signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
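Review bot: the only denial quoted in the commit message is requested_mask="read" against peer="libvirt-<uuid>", yet this hunk adds read to all four ptrace rules, including peer=unconfined, /usr/sbin/libvirtd and /usr/sbin/dnsmasq. Each of those peers already had trace, which permits attaching and is the stronger of the two permissions, so the practical widening is small, but the commit message should either cite denials for the other three peers or state that the broader grant is deliberate, so a later profile audit does not read it as an over-grant. Style nit: the neighbouring rules write multi-permission lists with a space, `unix (send, receive)` and `signal (read, send)`, while the new lines use `(read,trace)`; `ptrace (read, trace) peer=libvirt-*,` would match the file's existing convention.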
--
2.17.1
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
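The patch above was derived by hand from one audit line: read the DENIED record, take its operation, denied_mask and peer, and turn them into an AppArmor rule in the profile's own idiom (per-domain labels such as libvirt-<uuid> are matched with the libvirt-* glob the profile already uses). The following Python is an added example of that translation step; it is not part of the libvirt patch, the libvirt project or the apparmor-utils tools. The first sample line is the denial quoted in the commit message; the second is a constructed signal denial of the same shape, added only to exercise the signal branch. The helper names, the UUID-collapsing regex and the restriction to the ptrace and signal rule classes are this example's own choices.

```python
import re
import shlex

# Constructed sample audit lines. The first is the denial from the commit
# message; the second is made up here to show the signal branch.
SAMPLE_DENIALS = [
    'apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" '
    'pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read" '
    'peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"',
    'apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" '
    'pid=4409 comm="libvirtd" requested_mask="send" denied_mask="send" '
    'signal=term peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"',
]

# Per-domain guest labels are libvirt-<UUID>. The shipped profile matches them
# with the glob libvirt-*, so collapse them the same way instead of emitting
# one rule per guest (assumption of this example, matching the profile text).
_LIBVIRT_DOMAIN = re.compile(
    r'^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record as a dict.

    shlex handles the quoting, so profile="/usr/sbin/libvirtd" becomes
    {'profile': '/usr/sbin/libvirtd'} and pid=4409 becomes {'pid': '4409'}.
    """
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    return fields


def generalize_peer(peer):
    """Map libvirt-<uuid> to the libvirt-* glob; leave other labels alone."""
    return 'libvirt-*' if _LIBVIRT_DOMAIN.match(peer) else peer


def rule_for_denial(fields):
    """Translate one DENIED record into the rule that would permit it.

    Only the ptrace and signal rule classes used in usr.sbin.libvirtd are
    handled; other operations return None rather than a guessed rule.
    """
    if fields.get('apparmor') != 'DENIED':
        return None
    op = fields.get('operation')
    # denied_mask is the permission actually missing; several are
    # space-separated in the log and comma-separated in a rule.
    mask = ', '.join(fields.get('denied_mask', '').split())
    peer = generalize_peer(fields.get('peer', ''))
    if not mask or not peer:
        return None
    if op == 'ptrace':
        return f'ptrace ({mask}) peer={peer},'
    if op == 'signal':
        sig = fields.get('signal')
        set_part = f' set=({sig})' if sig else ''
        return f'signal ({mask}){set_part} peer={peer},'
    return None


def rules_for_log(lines, profile):
    """Deduplicated rules needed by `profile`, in first-seen order."""
    out = []
    for line in lines:
        fields = parse_audit_line(line)
        if fields.get('profile') != profile:
            continue
        rule = rule_for_denial(fields)
        if rule and rule not in out:
            out.append(rule)
    return out


if __name__ == '__main__':
    for rule in rules_for_log(SAMPLE_DENIALS, '/usr/sbin/libvirtd'):
        print('  ' + rule)
```

For the first sample this yields `ptrace (read) peer=libvirt-*,`, which is exactly the permission the patch folds into the existing `ptrace (trace) peer=libvirt-*,` line. On a real host, aa-logprof from apparmor-utils does this job interactively and with far more rule classes; the point of the script is only to make the log-to-rule mapping explicit, including the glob collapse that keeps one rule covering every guest.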
On Fri, Aug 24, 2018 at 08:12:11AM +0200, Christian Ehrhardt wrote:
> Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read check")
> libvirt now hits apparmor denies like:
> apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd"
> pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
> peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
>
> Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to work
> with these newer kernels.
>
> Fixes: https://bugs.launchpad.net/bugs/1788603
>
> Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---

Reviewed-by: Erik Skultety <eskultet@redhat.com>
On Fri, 2018-08-24 at 08:12 +0200, Christian Ehrhardt wrote:
> Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read check")
> libvirt now hits apparmor denies like:
> apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd"
> pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
> peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
>
> Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to work
> with these newer kernels.
>
> Fixes: https://bugs.launchpad.net/bugs/1788603
>
> Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  examples/apparmor/usr.sbin.libvirtd | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index 80e348b7ee..f0ffc53008 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -50,10 +50,10 @@
>    # for --p2p migrations
>    unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
>
> -  ptrace (trace) peer=unconfined,
> -  ptrace (trace) peer=/usr/sbin/libvirtd,
> -  ptrace (trace) peer=/usr/sbin/dnsmasq,
> -  ptrace (trace) peer=libvirt-*,
> +  ptrace (read,trace) peer=unconfined,
> +  ptrace (read,trace) peer=/usr/sbin/libvirtd,
> +  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
> +  ptrace (read,trace) peer=libvirt-*,

LGTM. +1 to apply

-- 
Jamie Strandboge | http://www.canonical.com
On Fri, Aug 24, 2018 at 5:59 PM Jamie Strandboge <jamie@canonical.com> wrote:
> On Fri, 2018-08-24 at 08:12 +0200, Christian Ehrhardt wrote:
> > Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read check")
> > libvirt now hits apparmor denies like:
> > apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd"
> > pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
> > peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
> >
> > Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to work
> > with these newer kernels.
> >
> > Fixes: https://bugs.launchpad.net/bugs/1788603
> >
> > Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> > ---
> >  examples/apparmor/usr.sbin.libvirtd | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> > index 80e348b7ee..f0ffc53008 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -50,10 +50,10 @@
> >    # for --p2p migrations
> >    unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
> >
> > -  ptrace (trace) peer=unconfined,
> > -  ptrace (trace) peer=/usr/sbin/libvirtd,
> > -  ptrace (trace) peer=/usr/sbin/dnsmasq,
> > -  ptrace (trace) peer=libvirt-*,
> > +  ptrace (read,trace) peer=unconfined,
> > +  ptrace (read,trace) peer=/usr/sbin/libvirtd,
> > +  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
> > +  ptrace (read,trace) peer=libvirt-*,
>
> LGTM. +1 to apply

Thanks for your review, Erik and Jamie; added and pushed to master now.

> --
> Jamie Strandboge | http://www.canonical.com

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
© 2016 - 2024 Red Hat, Inc.