Commit Graph

23 Commits

Author SHA1 Message Date
Guido Günther
7edcbd02aa apparmor: allow libvirt to send term signal to unconfined
Otherwise stopping domains with qemu://session fails like

[164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
2018-02-06 17:26:29 +01:00
intrigeri
904cdd09bc On startup libvirtd runs a number of QEMU processes unconfined such as:
/usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize

libvirtd needs to be allowed to kill these processes, otherwise they
remain running.
2018-01-17 16:28:27 +01:00
Jamie Strandboge
dfd960bca6 apparmor, libvirtd: Allow ixr to /var/lib/libvirt/virtd*
This is required for the ebtables functionality added in
libvirt 0.8.0.

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2018-01-09 10:08:22 +01:00
Christian Ehrhardt
8f882cf36e apparmor: allow unix stream for p2p migrations
On live migration with --p2p like:
 $ virsh migrate --live --p2p kvmguest-bionic-normal \
       qemu+ssh://10.6.221.80/system

We hit an apparmor deny like:
  apparmor="DENIED" operation="file_inherit"
  profile="/usr/sbin/libvirtd" pid=23477 comm="ssh" family="unix"
  sock_type="stream" protocol=0 requested_mask="send receive"
  denied_mask="send" addr=none peer_addr=none peer="unconfined"

The rule is not perfect, but can't be restricted further at the moment
(new upstream kernel features needed). For now the lack of a profile on the
peer as well as comm not being a conditional on rules do not allow to filter
further.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2018-01-03 09:45:21 +01:00
intrigeri
3343ab0cd9 AppArmor: add mount rules needed with additional mediation features brought by Linux 4.14
This set of rules was proposed by Christian Boltz <apparmor@cboltz.de>
on https://bugzilla.opensuse.org/show_bug.cgi?id=1065123.
2017-11-19 19:16:27 +01:00
intrigeri
3b1d19e6c9 AppArmor: add rules needed with additional mediation features brought by Linux 4.14. 2017-11-19 19:16:27 +01:00
Jim Fehlig
c44b29aacb apparmor: add dnsmasq ptrace rule to libvirtd profile
Commit b482925c added ptrace rule for the apparmor profiles,
but one was missed in the libvirtd profile for dnsmasq. It was
overlooked since the test machine did not have an active libvirt
network requiring dnsmasq that was also set to autostart. With
one active and set to autostart, the following denial is observed
in audit.log when restarting libvirtd

type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
comm="libvirtd" requested_mask="trace" denied_mask="trace" \
peer="/usr/sbin/dnsmasq"

With an active network, I suspect a libvirtd restart causes access
to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
side affect of the denial, libvirtd thinks it needs to spawn a
dnsmasq process even though one is already running for the network.
E.g. after two libvirtd restarts

dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper

A simple fix is to add a ptrace rule for dnsmasq.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-By: Guido Günther <agx@sigxcpu.org>
2017-10-06 16:39:15 -06:00
Jim Fehlig
b482925c22 apparmor: support ptrace checks
Kernel 4.13 introduced finer-grained ptrace checks

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.13.2&id=290f458a4f16f9cf6cb6562b249e69fe1c3c3a07

With kernel 4.13 and apparmor 2.11, simply starting libvirtd
results in the following apparmor denial

type=AVC msg=audit(1506112085.645:954): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=6984
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="unconfined"

Attempting to start an unconfined domain results in

type=AVC msg=audit(1506112301.227:1112): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=7498
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="/usr/sbin/libvirtd"

And attempting to start a confined domain results in

type=AVC msg=audit(1506112631.408:1312): apparmor="DENIED"
operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
pid=8283 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
type=AVC msg=audit(1506112631.530:1319): apparmor="DENIED"
operation="open" profile="virt-aa-helper" name="/etc/libnl/classid"
pid=8289 comm="virt-aa-helper" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
type=AVC msg=audit(1506112632.186:1324): apparmor="DENIED"
operation="ptrace" profile="/usr/sbin/libvirtd" pid=8342
comm="libvirtd" requested_mask="trace" denied_mask="trace"
peer="libvirt-66154842-e926-4f92-92f0-1c1bf61dd1ff"

Add ptrace rules to allow the trace operations.

Resolves: https://bugzilla.suse.com/show_bug.cgi?id=1058847
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Guido Günther <agx@sigxcpu.org>
2017-09-25 12:03:35 +02:00
Stefan Bader
5b4d46a95e apparmor, libvirtd: Allow libxl-save-helper to run on Debian/Ubuntu
On Debian/Ubuntu the libxl-save-helper (used when saving/restoring
a domain through libxl) is located under /usr/lib/xen-<version>/bin.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1334195

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2017-06-16 10:38:52 +02:00
Guido Günther
123cc3e11c apparmor: allow /usr/lib/qemu/qemu-bridge-helper
This is where e.g. Debian puts it.
2017-03-17 09:59:42 +01:00
Guido Günther
1a9148fbdf apparmor: pass attach_disconnected
to cure

 + virsh lxc-enter-namespace --noseclabel sl /bin/ls /bin/ls
 libvirt:  error : Expected at least one file descriptor
 error: internal error: Child process (2714) unexpected exit status 125

caused by

 apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/libvirtd" name="" pid=1422 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2016-12-21 06:26:31 +01:00
intrigeri
de79efdeb8 AppArmor policy: support merged-/usr.
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.co>
2016-12-12 14:08:35 +00:00
Cédric Bosdonnat
f03013c212 apparmor: move qemu-bridge-helper to libvirtd profile
qemu-bridge-helper is only called from libvirtd, it has to be moved
from the qemu domain abstraction to the usr.sbin.libvirtd profile.
2016-09-26 13:23:01 +02:00
Guido Günther
2e34cb5463 apparmor: Don't scrub environment of virtlogd process
otherwise we drop variables like XDG_RUNTIME_DIR with qemu:///session
and libvirtd faild to find virtlogd's socket.
2016-06-12 13:36:28 +02:00
Mike Latimer
338b07afa9 Grant access to helpers
Apparmor must not prevent access to required helper programs. The following
helpers should be allowed to run in unconfined execution mode:

 - libvirt_parthelper
 - libvirt_iohelper
2015-01-23 11:12:44 +01:00
Mike Latimer
c0273cd6f2 Fix apparmor issues for tck
The network and nwfilter tests contained in the libvirt-TCK testkit can fail
unless access to raw network packets is granted. Without this access, the
following apparmor error can be seen while running the tests:

  apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/libvirtd"
  pid=94731 comm="libvirtd" family="packet" sock_type="raw" protocol=768
2015-01-23 11:12:04 +01:00
Mike Latimer
b61fb8e8af Fix apparmor issues for Xen
In order for apparmor to work properly in Xen environments, the following
access rights need to be allowed:

 - Allow CAP_SYS_PACCT, which is required when resetting some multi-port
   Broadcom cards by writting to the PCI config space

 - Allow CAP_IPC_LOCK, which is required to lock/unlock memory. Without
   this setting, an error 'Resource temporarily unavailable' can be seen
   while attempting to mmap memory. At the same time, the following
   apparmor message is seen:

   apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/libvirtd"
   pid=2097 comm="libvirtd" pid=2097 comm="libvirtd" capability=14
   capname="ipc_lock"

 - Allow access to distribution specific directories:
     /usr/{lib,lib64}/xen/bin
2015-01-23 11:11:53 +01:00
Cedric Bosdonnat
30c6aecc44 Teach AppArmor, that /usr/lib64 may exist.
The apparmor profiles forgot about /usr/lib64 folders, just add lib64
as a possible alternative to lib in the paths
2015-01-05 09:46:35 +01:00
Cédric Bosdonnat
74e86b6b25 Fix apparmor profile to make vfio pci passthrough work
See lp#1276719 for the bug description. As virt-aa-helper doesn't know
the VFIO groups to use for the guest, allow access to all
/dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
for vfio

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-03-27 09:09:23 -06:00
Felix Geyer
f88a3d9b0c apparmor: Improve profiles
Tested on Debian unstable.
The profile updates are partly taken from the Ubuntu trusty libvirt package.

Signed-off-by: Guido Günther <agx@sigxcpu.org>
2014-02-07 19:16:51 +01:00
Jamie Strandboge
2df320609a Improve the apparmor example
* examples/apparmor/libvirt-qemu examples/apparmor/usr.sbin.libvirtd
  examples/apparmor/usr.lib.libvirt.virt-aa-helper: Update the examples
2010-04-06 23:01:24 +02:00
Jamie Strandboge
a8a560dd3a AppArmor updates of examples
* examples/apparmor/libvirt-qemu: adds pulseaudio, alsa and preliminary
  save/restore to the example apparmor abstraction
* examples/apparmor/usr.sbin.libvirtd: allows libvirtd access to inet
  dgram, inet6 dgram, inet6 stream and /usr/lib/libvirt/*
2009-11-13 15:32:55 +01:00
Jamie Strandboge
624a7927f0 Documentation and examples for SVirt Apparmor driver
* docs/drvqemu.html.in: include documentation for AppArmor sVirt
  confinement
* examples/apparmor/TEMPLATE examples/apparmor/libvirt-qemu
  examples/apparmor/usr.lib.libvirt.virt-aa-helper
  examples/apparmor/usr.sbin.libvirtd: example templates and
  configuration files for SVirt Apparmor when using KVM/QEmu
2009-10-08 16:42:05 +02:00