[libvirt] [PATCH] apparmor: fix ptrace rules with kernel 4.18

Christian Ehrhardt posted 1 patch 5 years, 7 months ago
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20180824061211.7301-1-christian.ehrhardt@canonical.com
Test syntax-check passed
examples/apparmor/usr.sbin.libvirtd | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
[libvirt] [PATCH] apparmor: fix ptrace rules with kernel 4.18
Posted by Christian Ehrhardt 5 years, 7 months ago
Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read check")
libvirt now hits apparmor denies like:
  apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd"
  pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
  peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"

Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to work
with these newer kernels.

Fixes: https://bugs.launchpad.net/bugs/1788603

Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 examples/apparmor/usr.sbin.libvirtd | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 80e348b7ee..f0ffc53008 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -50,10 +50,10 @@
   # for --p2p migrations
   unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
 
-  ptrace (trace) peer=unconfined,
-  ptrace (trace) peer=/usr/sbin/libvirtd,
-  ptrace (trace) peer=/usr/sbin/dnsmasq,
-  ptrace (trace) peer=libvirt-*,
+  ptrace (read,trace) peer=unconfined,
+  ptrace (read,trace) peer=/usr/sbin/libvirtd,
+  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+  ptrace (read,trace) peer=libvirt-*,
 
   signal (send) peer=/usr/sbin/dnsmasq,
   signal (read, send) peer=libvirt-*,
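Review bot: the explicit read here is required rather than redundant: the denial in the commit message shows requested_mask="read" against a profile whose ptrace rules only grant (trace), so once the kernel checks read as its own permission, trace alone no longer satisfies it. Note also that these rules govern libvirtd reading or tracing its peers, not the reverse (that would be readby/tracedby), so the widening is on the libvirtd side only. Two points for the commit message or a follow-up: the quoted log only demonstrates the libvirt-* peer, while the hunk also adds read towards peer=unconfined, /usr/sbin/libvirtd and /usr/sbin/dnsmasq; it would help to say which operation (for example reading a peer's /proc entries) needs read for each of those, since read towards unconfined is the broadest of the four. Style: the signal rule two lines below spells its permission list "(read, send)" with a space, the new lines use "(read,trace)"; pick one spelling for the file.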
-- 
2.17.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
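As an added illustration for this thread (not libvirt or AppArmor code), the following Python turns audit lines in the format quoted in the commit message into the ptrace rules a profile is still missing, and checks that the patched rule block leaves nothing to add. It reuses the denial from the commit message, constructs two more log lines and the before/after profile fragments from the hunk, and relies on two assumptions stated in the comments: per-guest libvirt-<uuid> labels are folded onto the profile's existing peer=libvirt-* glob, and Python's fnmatch is taken as a good-enough approximation of AppArmor peer globbing for these label names.

```python
"""Suggest the AppArmor ptrace rules a profile is missing, from audit denials.

Added example for this thread, not libvirt or AppArmor code.  The first log
line is the denial from the commit message joined onto one line; the other log
lines, the profile fragments and the libvirt-<uuid> collapsing are constructed.
"""
import fnmatch
import re
from collections import defaultdict

# Audit fields are key="quoted value" or key=bareword.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: each guest is labelled libvirt-<uuid> and the profile covers them
# with one glob rule (peer=libvirt-*), so denials are folded onto that glob.
_GUEST_LABEL_RE = re.compile(r"^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# "ptrace (perms) peer=label,"; perm list and peer are both optional, and a
# bare "ptrace," grants every ptrace permission towards every peer.
_PTRACE_RULE_RE = re.compile(r"^\s*ptrace\b\s*(?:\(([^)]*)\))?\s*(?:peer=(\S+?))?\s*,")
ALL_PTRACE_PERMS = frozenset({"read", "readby", "trace", "tracedby"})


def parse_audit_line(line):
    """Return one audit line's key/value pairs as a dict of strings."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in _KV_RE.findall(line)}


def normalize_peer(peer):
    """Fold per-guest labels onto the glob the profile already uses."""
    return "libvirt-*" if _GUEST_LABEL_RE.match(peer) else peer


def denied_ptrace_perms(log_text):
    """(profile, peer) -> set of ptrace perms the log shows being denied."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "ptrace":
            continue
        key = (f["profile"], normalize_peer(f["peer"]))
        denied[key].update(p for p in f["denied_mask"].split(",") if p)
    return denied


def granted_ptrace_perms(profile_text, peer):
    """Perms the profile's ptrace rules grant towards `peer`; rules accumulate."""
    perms = set()
    for line in profile_text.splitlines():
        m = _PTRACE_RULE_RE.match(line)
        if not m:
            continue
        perm_list, peer_glob = m.groups()
        # fnmatch approximates AppArmor globbing for these label names; it
        # differs on '/' and character classes, so treat it as a heuristic.
        if fnmatch.fnmatchcase(peer, peer_glob or "*"):
            perms |= (ALL_PTRACE_PERMS if perm_list is None else
                      {p.strip() for p in perm_list.split(",") if p.strip()})
    return perms


def missing_rules(profile_name, profile_text, log_text):
    """Rules that would silence the logged denials for `profile_name`.

    Each suggestion merges what the profile already grants for that peer with
    what was denied, which is how the patch turns (trace) into (read,trace).
    """
    rules = []
    for (profile, peer), wanted in denied_ptrace_perms(log_text).items():
        if profile != profile_name:
            continue
        granted = granted_ptrace_perms(profile_text, peer)
        if wanted - granted:
            rules.append("ptrace (%s) peer=%s," % (",".join(sorted(wanted | granted)), peer))
    return sorted(rules)


# Constructed sample input (second and third lines invented; fourth is a
# non-ptrace denial that must be ignored).
SAMPLE_LOG = """\
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read" peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read" peer="libvirt-0b2e6f3a-1f1c-4c0d-9a6e-5d7c3a2b1e00"
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=4412 comm="libvirtd" requested_mask="read" denied_mask="read" peer="/usr/sbin/dnsmasq"
apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" pid=4412 comm="libvirtd" requested_mask="r" denied_mask="r" name="/etc/hosts"
"""

# The rule block from the hunk, before and after the patch.
PROFILE_BEFORE = """\
  unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
  ptrace (trace) peer=unconfined,
  ptrace (trace) peer=/usr/sbin/libvirtd,
  ptrace (trace) peer=/usr/sbin/dnsmasq,
  ptrace (trace) peer=libvirt-*,
  signal (send) peer=/usr/sbin/dnsmasq,
  signal (read, send) peer=libvirt-*,
"""
PROFILE_AFTER = PROFILE_BEFORE.replace("ptrace (trace)", "ptrace (read,trace)")

if __name__ == "__main__":
    for rule in missing_rules("/usr/sbin/libvirtd", PROFILE_BEFORE, SAMPLE_LOG):
        print(rule)
    print("still missing after patch:",
          missing_rules("/usr/sbin/libvirtd", PROFILE_AFTER, SAMPLE_LOG))
```

Run as a script it prints the two merged rules the pre-patch block lacks (the libvirt-* and dnsmasq peers, matching the denials fed in) and an empty list for the patched block. The merging step is the point: read and trace are independent permissions in the rule grammar, so a denial with denied_mask="read" against a profile that only has (trace) is resolved by the (read,trace) rule the patch writes, not by any implied widening of trace.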
Re: [libvirt] [PATCH] apparmor: fix ptrace rules with kernel 4.18
Posted by Erik Skultety 5 years, 7 months ago
On Fri, Aug 24, 2018 at 08:12:11AM +0200, Christian Ehrhardt wrote:
> Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read check")
> libvirt now hits apparmor denies like:
>   apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd"
>   pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
>   peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
>
> Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to work
> with these newer kernels.
>
> Fixes: https://bugs.launchpad.net/bugs/1788603
>
> Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
Reviewed-by: Erik Skultety <eskultet@redhat.com>

Re: [libvirt] [PATCH] apparmor: fix ptrace rules with kernel 4.18
Posted by Jamie Strandboge 5 years, 7 months ago
On Fri, 2018-08-24 at 08:12 +0200, Christian Ehrhardt wrote:
> Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read
> check")
> libvirt now hits apparmor denies like:
>   apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd"
>   pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
>   peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
> 
> Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to
> work
> with these newer kernels.
> 
> Fixes: https://bugs.launchpad.net/bugs/1788603
> 
> Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  examples/apparmor/usr.sbin.libvirtd | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> index 80e348b7ee..f0ffc53008 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -50,10 +50,10 @@
>    # for --p2p migrations
>    unix (send, receive) type=stream addr=none peer=(label=unconfined
> addr=none),
>  
> -  ptrace (trace) peer=unconfined,
> -  ptrace (trace) peer=/usr/sbin/libvirtd,
> -  ptrace (trace) peer=/usr/sbin/dnsmasq,
> -  ptrace (trace) peer=libvirt-*,
> +  ptrace (read,trace) peer=unconfined,
> +  ptrace (read,trace) peer=/usr/sbin/libvirtd,
> +  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
> +  ptrace (read,trace) peer=libvirt-*,

LGTM. +1 to apply

-- 
Jamie Strandboge             | http://www.canonical.com
Re: [libvirt] [PATCH] apparmor: fix ptrace rules with kernel 4.18
Posted by Christian Ehrhardt 5 years, 7 months ago
On Fri, Aug 24, 2018 at 5:59 PM Jamie Strandboge <jamie@canonical.com>
wrote:

> On Fri, 2018-08-24 at 08:12 +0200, Christian Ehrhardt wrote:
> > Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read
> > check")
> > libvirt now hits apparmor denies like:
> >   apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd"
> >   pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
> >   peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
> >
> > Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to
> > work
> > with these newer kernels.
> >
> > Fixes: https://bugs.launchpad.net/bugs/1788603
> >
> > Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> > ---
> >  examples/apparmor/usr.sbin.libvirtd | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/examples/apparmor/usr.sbin.libvirtd
> > b/examples/apparmor/usr.sbin.libvirtd
> > index 80e348b7ee..f0ffc53008 100644
> > --- a/examples/apparmor/usr.sbin.libvirtd
> > +++ b/examples/apparmor/usr.sbin.libvirtd
> > @@ -50,10 +50,10 @@
> >    # for --p2p migrations
> >    unix (send, receive) type=stream addr=none peer=(label=unconfined
> > addr=none),
> >
> > -  ptrace (trace) peer=unconfined,
> > -  ptrace (trace) peer=/usr/sbin/libvirtd,
> > -  ptrace (trace) peer=/usr/sbin/dnsmasq,
> > -  ptrace (trace) peer=libvirt-*,
> > +  ptrace (read,trace) peer=unconfined,
> > +  ptrace (read,trace) peer=/usr/sbin/libvirtd,
> > +  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
> > +  ptrace (read,trace) peer=libvirt-*,
>
> LGTM. +1 to apply
>

Thanks for your review, Erik and Jamie;
added and pushed to master now.

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd