libvirt/src/security
Jim Fehlig 0d05d51b71 apparmor: Allow lxc processes to receive signals from libvirt
LXC processes confined by apparmor are not permitted to receive signals
from libvirtd. Attempting to destroy such a process fails

virsh --connect lxc:/// destroy distro_apparmor
 error: Failed to destroy domain distro_apparmor
 error: Failed to kill process 29491: Permission denied

And from /var/log/audit/audit.log

type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED"
operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1"
pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive"
signal=term peer="libvirtd"

Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc
abstraction allowing reception of signals from libvirtd.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2020-12-03 16:38:33 -07:00
..
apparmor apparmor: Allow lxc processes to receive signals from libvirt 2020-12-03 16:38:33 -07:00
meson.build meson: src/security: install apparmor profile files 2020-08-03 09:27:05 +02:00
security_apparmor.c security: use g_new0 instead of VIR_ALLOC* 2020-10-01 12:34:13 +02:00
security_apparmor.h
security_dac.c security: use g_new0 instead of VIR_ALLOC* 2020-10-01 12:34:13 +02:00
security_dac.h
security_driver.c
security_driver.h secdrivers: Rename @stdin_path argument of virSecurityDomainSetAllLabel() 2020-07-10 14:20:07 +02:00
security_manager.c security: use g_new0 instead of VIR_ALLOC* 2020-10-01 12:34:13 +02:00
security_manager.h secdrivers: Rename @stdin_path argument of virSecurityDomainSetAllLabel() 2020-07-10 14:20:07 +02:00
security_nop.c secdrivers: Rename @stdin_path argument of virSecurityDomainSetAllLabel() 2020-07-10 14:20:07 +02:00
security_nop.h
security_selinux.c util: hash: Retire 'virHashTable' in favor of 'GHashTable' 2020-11-06 10:40:51 +01:00
security_selinux.h
security_stack.c security: use g_new0 instead of VIR_ALLOC* 2020-10-01 12:34:13 +02:00
security_stack.h
security_util.c qemusecuritytest: Skip on non supported platforms 2020-11-06 09:14:53 +01:00
security_util.h qemusecuritytest: Skip on non supported platforms 2020-11-06 09:14:53 +01:00
virt-aa-helper.c virt-aa-helper: allow hard links for mounts 2020-10-26 09:04:48 +01:00