    apparmor: add dnsmasq ptrace rule to libvirtd profile · c44b29aa
    Jim Fehlig authored
    Commit b482925c added ptrace rules for the apparmor profiles,
    but one was missed in the libvirtd profile for dnsmasq. It was
    overlooked since the test machine did not have an active libvirt
    network requiring dnsmasq that was also set to autostart. With
    one active and set to autostart, the following denial is observed
    in audit.log when restarting libvirtd:
    
    type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
    operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
    comm="libvirtd" requested_mask="trace" denied_mask="trace" \
    peer="/usr/sbin/dnsmasq"
    
    With an active network, I suspect a libvirtd restart causes access
    to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
    side effect of the denial, libvirtd thinks it needs to spawn a
    dnsmasq process even though one is already running for the network.
    E.g. after two libvirtd restarts:
    
    dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 \
     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
    root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 \
     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
    dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 \
     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
    root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 \
     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
    dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 \
     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
    root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 \
     /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
     --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
    
    A simple fix is to add a ptrace rule for dnsmasq.
    Signed-off-by: Jim Fehlig <jfehlig@suse.com>
    Reviewed-By: Guido Günther <agx@sigxcpu.org>
Changed file: usr.sbin.libvirtd (2.5 KB)
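The denial quoted in the commit message is the only evidence an operator usually gets, so the practical step is reading the `apparmor="DENIED"` record and deriving the profile rule it calls for. The script below is an added example written for this page; it is not code from the libvirt commit. It rejoins the quoted record onto one line, adds two constructed records (a second ptrace access mode and a non-ptrace denial that must be ignored; the peer path `/usr/sbin/other-daemon` and the file name are made up), and prints, for each ptrace denial, the `ptrace (<access>) peer=<path>,` rule the named profile would need. Function names `field` and `audit_to_ptrace_rules` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the libvirt commit above: turn AppArmor
# "DENIED" audit records for the ptrace operation into the profile rule
# each denial asks for. This is a small-scale version of what aa-logprof
# does; the mapping is the one the commit message shows
# (denied_mask="trace", peer="/usr/sbin/dnsmasq" -> a
# `ptrace (trace) peer=/usr/sbin/dnsmasq,` rule in the libvirtd profile).

# Constructed sample input. Record 1 is the denial quoted in the commit
# message, rejoined onto one line; records 2 and 3 are made up here to
# show a second access mode and a non-ptrace denial that must be skipped.
SAMPLE_AUDIT='type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1507320137.001:299): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 comm="libvirtd" requested_mask="read" denied_mask="read" peer="/usr/sbin/other-daemon"
type=AVC msg=audit(1507320138.002:300): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/other.conf" pid=5472 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# field RECORD KEY: print the value of KEY="value" from one audit record.
# The leading whitespace anchor keeps a key such as "mask" from matching
# inside "requested_mask" or "denied_mask".
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# audit_to_ptrace_rules: read audit records on stdin; for every AppArmor
# ptrace denial print "<profile>: ptrace (<access>) peer=<peer>," so the
# operator sees which profile needs which rule. Duplicates are collapsed.
audit_to_ptrace_rules() {
    while IFS= read -r rec; do
        case "$rec" in
            *'apparmor="DENIED"'*'operation="ptrace"'*) ;;
            *) continue ;;
        esac
        profile=$(field "$rec" profile)
        peer=$(field "$rec" peer)
        access=$(field "$rec" denied_mask)
        # A record missing any of the three fields cannot become a rule;
        # skip it rather than emit a malformed one.
        [ -n "$profile" ] && [ -n "$peer" ] && [ -n "$access" ] || continue
        printf '%s: ptrace (%s) peer=%s,\n' "$profile" "$access" "$peer"
    done | sort -u
}

# Stand-alone run: print the rules the constructed records call for.
printf '%s\n' "$SAMPLE_AUDIT" | audit_to_ptrace_rules
```

Against a real `/var/log/audit/audit.log` you would run `audit_to_ptrace_rules < /var/log/audit/audit.log`. The access keyword in the generated rule mirrors `denied_mask`, which is how the commit's denial (`denied_mask="trace"`) becomes `ptrace (trace) peer=/usr/sbin/dnsmasq,`. Treat the output as a candidate, not a fix: a ptrace rule grants the profile the ability to inspect the peer process, so confirm the access is one the program legitimately needs, as libvirtd does here when it checks on the dnsmasq it spawned, before adding it.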