1. 25 Sep, 2017 1 commit
    • apparmor: support ptrace checks · b482925c
      Jim Fehlig authored
      Kernel 4.13 introduced finer-grained ptrace checks
      
      https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07
      
      With kernel 4.13 and apparmor 2.11, simply starting libvirtd
      results in the following apparmor denial
      
      type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
      operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
      comm="libvirtd" requested_mask="trace" denied_mask="trace"
      peer="unconfined"
      
      Attempting to start an unconfined domain results in
      
      type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
      operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
      comm="libvirtd" requested_mask="trace" denied_mask="trace"
      peer="/usr/sbin/libvirtd"
      
      And attempting to start a confined domain results in
      
      type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
      operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
      pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
      fsuid=0 ouid=0
      type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
      operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
      pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
      fsuid=0 ouid=0
      type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
      operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
      comm="libvirtd" requested_mask="trace" denied_mask="trace"
      peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
      
      Add ptrace rules to allow the trace operations.
      
      Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
      Signed-off-by: Jim Fehlig <jfehlig@suse.com>
      Reviewed-by: Guido Günther <agx@sigxcpu.org>
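The denials quoted in the commit message can be triaged mechanically before any rule is written. The following is an added example, not part of the commit or of libvirt: it parses the audit records, keeps only the ptrace denials, and groups them into candidate `ptrace` rules per profile. The function names are hypothetical, the last sample record is constructed, and folding per-guest `libvirt-<uuid>` peers into a `libvirt-*` glob is an assumption about how one would generalize the rule.

```python
import re

# Denials quoted in the commit message, joined one record per line as auditd
# writes them. The last record is constructed (placeholder UUID) to show that
# a second guest collapses into the same rule.
SAMPLE = """\
type=AVC msg=audit(1506112085.645:954): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/libvirtd"
type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/etc/libnl/classid" pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"
type=AVC msg=audit(1506112700.000:1400): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=8400 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="libvirt-00000000-0000-4000-8000-000000000001"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GUEST_PEER = re.compile(r"libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}


def ptrace_denials(log):
    """Count DENIED ptrace records per (profile, denied_mask, peer)."""
    counts = {}
    for line in log.splitlines():
        f = parse(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "ptrace":
            continue
        peer = f.get("peer", "")
        # Per-guest profile names embed the domain UUID; fold them into a glob.
        if GUEST_PEER.fullmatch(peer):
            peer = "libvirt-*"
        key = (f.get("profile", ""), f.get("denied_mask", ""), peer)
        counts[key] = counts.get(key, 0) + 1
    return counts


def candidate_rules(log):
    """Map each confined profile to the ptrace rules its denials point at."""
    rules = {}
    for (profile, mask, peer), _ in ptrace_denials(log).items():
        rules.setdefault(profile, []).append(f"ptrace ({mask}) peer={peer},")
    return rules


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE).items():
        print(f"# candidates for profile {profile}; review before adding")
        print("\n".join(lines))
```

The `virt-aa-helper` file denial is deliberately left out of the output, since it needs a file rule rather than a ptrace rule.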
  2. 22 Sep, 2017 12 commits
  3. 21 Sep, 2017 16 commits
  4. 20 Sep, 2017 11 commits