[libvirt] [PATCH] apparmor: add dnsmasq ptrace rule to libvirtd profile

Jim Fehlig jfehlig at suse.com
Fri Oct 6 22:42:05 UTC 2017


On 10/06/2017 04:04 PM, Guido Günther wrote:
> Hi,
> On Fri, Oct 06, 2017 at 02:58:10PM -0600, Jim Fehlig wrote:
>> Commit b482925c added a ptrace rule for the apparmor profiles,
>> but one was missed in the libvirtd profile for dnsmasq. It was
>> overlooked since the test machine did not have an active libvirt
>> network requiring dnsmasq that was also set to autostart. With
>> one active and set to autostart, the following denial is observed
>> in audit.log when restarting libvirtd:
>>
>> type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
>> operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
>> comm="libvirtd" requested_mask="trace" denied_mask="trace" \
>> peer="/usr/sbin/dnsmasq"
>>
>> With an active network, I suspect a libvirtd restart causes access
>> to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
>> side effect of the denial, libvirtd thinks it needs to spawn a
>> dnsmasq process even though one is already running for the network.
>> E.g. after two libvirtd restarts:
>>
>> dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>> root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>> dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>> root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>> dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>> root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 \
>>   /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
>>   --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
>>
>> A simple fix is to add a ptrace rule for dnsmasq.
>>
>> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
>> ---
>>   examples/apparmor/usr.sbin.libvirtd | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
>> index fa4ebb355..819068ffc 100644
>> --- a/examples/apparmor/usr.sbin.libvirtd
>> +++ b/examples/apparmor/usr.sbin.libvirtd
>> @@ -39,6 +39,7 @@
>>   
>>     ptrace (trace) peer=unconfined,
>>     ptrace (trace) peer=/usr/sbin/libvirtd,
>> +  ptrace (trace) peer=/usr/sbin/dnsmasq,
>>     ptrace (trace) peer=libvirt-*,
>>   
>>     # Very lenient profile for libvirtd since we want to first focus on
>>     confining
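Review bot: the added `ptrace (trace) peer=/usr/sbin/dnsmasq,` line is the narrowest rule that clears the logged AVC, since the denial shows requested_mask="trace" and denied_mask="trace" with peer="/usr/sbin/dnsmasq", and it is placed consistently with the neighbouring per-peer rules. Two things would strengthen the record: the commit message says only "I suspect" about the /proc/<dnsmasq-pid>/* access, so naming the actual read that triggers the denial on restart would let a later reader judge whether a `trace` grant (which permits attach, not just read) is really required, and the duplicate-dnsmasq side effect shown in the ps output is a correctness problem in its own right (libvirtd mis-detecting a running daemon when a permission check fails), which may deserve a separate fix rather than relying on the profile alone.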
> 
> Reviewed-By: Guido Günther <agx at sigxcpu.org>

Thanks, pushed.

Regards,
Jim