
Re: [libvirt] [PATCH] apparmor: fix ptrace rules with kernel 4.18





On Fri, Aug 24, 2018 at 5:59 PM Jamie Strandboge <jamie canonical com> wrote:
On Fri, 2018-08-24 at 08:12 +0200, Christian Ehrhardt wrote:
> Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read
> check")
> libvirt now hits apparmor denies like:
>   apparmor="DENIED" operation="ptrace" profile=""
>   pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
>   peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
>
> Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to
> work
> with these newer kernels.
>
> Fixes: https://bugs.launchpad.net/bugs/1788603
>
> Reported-by: Thadeu Lima de Souza Cascardo <thadeu cascardo canonical
> .com>
> Signed-off-by: Christian Ehrhardt <christian ehrhardt canonical com>
> ---
>  examples/apparmor/usr.sbin.libvirtd | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> index 80e348b7ee..f0ffc53008 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -50,10 +50,10 @@
>    # for --p2p migrations
>    unix (send, receive) type=stream addr=none peer=(label=unconfined
> addr=none),

> -  ptrace (trace) peer=unconfined,
> -  ptrace (trace) peer=/usr/sbin/libvirtd,
> -  ptrace (trace) peer=/usr/sbin/dnsmasq,
> -  ptrace (trace) peer=libvirt-*,
> +  ptrace (read,trace) peer=unconfined,
> +  ptrace (read,trace) peer=/usr/sbin/libvirtd,
> +  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
> +  ptrace (read,trace) peer=libvirt-*,
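
Review bot: the denial quoted in the commit message covers only a peer="libvirt-..." label with requested_mask="read", yet all four ptrace rules gain read, including peer=unconfined; the commit message should state whether the other three peers hit the same denial on 4.18 or are widened only for consistency. A minor style point on the same four lines: the unix rule in the context above writes its permission list as (send, receive) with a space after the comma, so (read, trace) would match it.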

LGTM. +1 to apply
 
Thanks for your review, Erik and Jamie,
added and pushed to master now.

--
Jamie Strandboge             | http://www.canonical.com


--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
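
The following is an added example, not part of the thread or of libvirt's code: it checks which AppArmor ptrace denials in an audit log are left uncovered by the old and the patched rule sets from the hunk above. The log lines are constructed (the profile value is an assumption, since the thread's copy is blank), and `fnmatch` is a simplified stand-in for AppArmor's own peer-label globbing.

```python
import re
from fnmatch import fnmatchcase

# ptrace rules from the hunk: the "before" lines and the patched "after" lines.
OLD_RULES = """
  ptrace (trace) peer=unconfined,
  ptrace (trace) peer=/usr/sbin/libvirtd,
  ptrace (trace) peer=/usr/sbin/dnsmasq,
  ptrace (trace) peer=libvirt-*,
"""
NEW_RULES = OLD_RULES.replace("(trace)", "(read,trace)")

# Constructed audit lines; the profile value is an assumption (blank on the page).
SAMPLE_LOG = """\
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read" peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read" peer="/usr/sbin/dnsmasq"
apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/constructed" pid=4409 comm="libvirtd" requested_mask="r" denied_mask="r"
"""

RULE_RE = re.compile(r"^\s*ptrace\s*\(([^)]*)\)\s*peer=([^,\s]+)\s*,", re.M)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_rules(text):
    """Return [(set_of_permissions, peer_glob), ...] for each ptrace rule."""
    return [({p.strip() for p in perms.split(",")}, peer)
            for perms, peer in RULE_RE.findall(text)]

def uncovered_denials(log, rules):
    """Return (peer, mask) pairs from ptrace denials that no rule allows."""
    missing = []
    for line in log.splitlines():
        f = dict(FIELD_RE.findall(line))
        if f.get("apparmor") != "DENIED" or f.get("operation") != "ptrace":
            continue  # only ptrace denials are relevant to these rules
        for mask in f["denied_mask"].split():
            # Simplification: fnmatch stands in for AppArmor's label globbing.
            if not any(mask in perms and fnmatchcase(f["peer"], peer)
                       for perms, peer in rules):
                missing.append((f["peer"], mask))
    return missing

if __name__ == "__main__":
    print("old rules:", uncovered_denials(SAMPLE_LOG, parse_rules(OLD_RULES)))
    print("new rules:", uncovered_denials(SAMPLE_LOG, parse_rules(NEW_RULES)))
```
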
