libvirt/examples
Jim Fehlig c44b29aacb apparmor: add dnsmasq ptrace rule to libvirtd profile
Commit b482925c added ptrace rule for the apparmor profiles,
but one was missed in the libvirtd profile for dnsmasq. It was
overlooked since the test machine did not have an active libvirt
network requiring dnsmasq that was also set to autostart. With
one active and set to autostart, the following denial is observed
in audit.log when restarting libvirtd

type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" \
operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 \
comm="libvirtd" requested_mask="trace" denied_mask="trace" \
peer="/usr/sbin/dnsmasq"

With an active network, I suspect a libvirtd restart causes access
to /proc/<dnsmasq-pid>/*, hence the resulting denial. As a nasty
side effect of the denial, libvirtd thinks it needs to spawn a
dnsmasq process even though one is already running for the network.
E.g. after two libvirtd restarts

dnsmasq   1683  0.0  0.0  51188  2612 ?        S    12:03   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root      1684  0.0  0.0  51160   576 ?        S    12:03   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
dnsmasq   4706  0.0  0.0  51188  2572 ?        S    13:54   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root      4707  0.0  0.0  51160   572 ?        S    13:54   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
dnsmasq   4791  0.0  0.0  51188  2580 ?        S    13:56   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper
root      4792  0.0  0.0  51160   572 ?        S    13:56   0:00 \
 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf \
 --leasefile-ro --dhcp-script=/usr/lib64/libvirt/libvirt_leaseshelper

A simple fix is to add a ptrace rule for dnsmasq.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-By: Guido Günther <agx@sigxcpu.org>
2017-10-06 16:39:15 -06:00
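An added example (not code from the libvirt tree or from this commit) showing how a defender can turn audit.log denials of the kind quoted above into candidate AppArmor rules: it parses AVC records, keeps only the DENIED ptrace events, and emits one rule in AppArmor's `ptrace (<mask>) peer=<profile>,` form per confined profile. The log lines below are constructed (the first mirrors the denial in the commit message; the others exercise de-duplication and filtering), and the function names are this example's own.

```python
import re

# Constructed audit.log excerpt. Line 1 reproduces the denial quoted in the commit
# message; line 2 is a duplicate, line 3 is an ALLOWED (complain-mode) record, line 4 is
# a non-ptrace file denial and line 5 is a SYSCALL record with no AppArmor fields.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1507320136.306:298): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1507320136.310:299): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1507320140.001:300): apparmor="ALLOWED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=5472 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="/usr/sbin/dnsmasq"
type=AVC msg=audit(1507320140.005:301): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/var/lib/libvirt/dnsmasq/default.conf" pid=5472 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1507320140.006:302): arch=c000003e syscall=59 success=yes exit=0
"""

# key="quoted value" or key=bare_value, as written by auditd
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one audit.log record into a dict of its key/value fields.

    Returns None for records that are not AppArmor AVC records.
    """
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("type") != "AVC" or "apparmor" not in fields:
        return None
    return fields


def apparmor_denials(log_text):
    """Yield the DENIED AppArmor records from a chunk of audit.log text."""
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec.get("apparmor") == "DENIED":
            yield rec


def ptrace_rule_for(rec):
    """Map one ptrace denial to the AppArmor rule that would permit it.

    The mask (e.g. trace, read) and the peer profile are taken straight from
    the denial; anything that is not a ptrace denial yields None.
    """
    if rec.get("operation") != "ptrace":
        return None
    mask = rec.get("denied_mask") or rec.get("requested_mask")
    peer = rec.get("peer")
    if not mask or not peer:
        return None
    return "ptrace (%s) peer=%s," % (mask, peer)


def suggest_ptrace_rules(log_text):
    """Return {profile: [rule, ...]} covering every distinct ptrace denial in the log."""
    rules = {}
    for rec in apparmor_denials(log_text):
        rule = ptrace_rule_for(rec)
        if rule is None:
            continue
        profile_rules = rules.setdefault(rec["profile"], [])
        if rule not in profile_rules:  # the same denial repeats on every restart
            profile_rules.append(rule)
    return rules


if __name__ == "__main__":
    for profile, rules in suggest_ptrace_rules(SAMPLE_AUDIT_LOG).items():
        print("# denials seen for profile %s" % profile)
        for rule in rules:
            print("  %s" % rule)
```

The emitted rule is a starting point for review, not something to paste blindly: the peer shown in a denial is whatever profile the target process runs under, so a peer of `unconfined` or a transient profile name should prompt a look at why the target is not confined before the rule is widened.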
admin examples: Resolve sign-compare warnings 2016-12-20 13:11:25 +01:00
apparmor apparmor: add dnsmasq ptrace rule to libvirtd profile 2017-10-06 16:39:15 -06:00
dominfo examples: Use one top level makefile 2016-01-09 21:14:12 -05:00
dommigrate examples: Use one top level makefile 2016-01-09 21:14:12 -05:00
domsuspend examples: Resolve sign-compare warnings 2016-12-20 13:11:25 +01:00
domtop examples: Resolve sign-compare warnings 2016-12-20 13:11:25 +01:00
hellolibvirt examples: Resolve sign-compare warnings 2016-12-20 13:11:25 +01:00
lxcconvert examples: Use one top level makefile 2016-01-09 21:14:12 -05:00
object-events storage: Add new events for *PoolBuild() and *PoolDelete(). 2017-09-20 11:52:56 +02:00
openauth lib: Fix c99 style comments 2017-04-27 14:13:19 +02:00
polkit examples: Use one top level makefile 2016-01-09 21:14:12 -05:00
rename examples: Use one top level makefile 2016-01-09 21:14:12 -05:00
systemtap examples: Use one top level makefile 2016-01-09 21:14:12 -05:00
xml examples: Use one top level makefile 2016-01-09 21:14:12 -05:00
Makefile.am admin: Add an example demonstrating how to use the logging APIs 2016-12-15 10:36:23 +01:00