apparmor: allow libvirt to send term signal to unconfined
Guido Günther
6 years ago
debian/patches/Allow-libvirt-to-kill-unconfined-domaiens.patch (deleted; re-added below under the corrected file name)

From: intrigeri <intrigeri+libvirt@boum.org>
Date: Mon, 15 Jan 2018 09:29:47 +0100
Subject: Allow libvirt to kill unconfined domaiens

On startup libvirtd runs a number of QEMU processes unconfined such as:

/usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize

libvirtd needs to be allowed to kill these processes, otherwise they
remain running.
---
examples/apparmor/usr.sbin.libvirtd | 1 +
1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index bd7796c..4d220c2 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -63,6 +63,7 @@

signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
+ signal (send) set=("kill") peer=unconfined,

# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
debian/patches/Allow-libvirt-to-kill-unconfined-domains.patch (new file)

From: intrigeri <intrigeri+libvirt@boum.org>
Date: Mon, 15 Jan 2018 09:29:47 +0100
Subject: Allow libvirt to kill unconfined domains

On startup libvirtd runs a number of QEMU processes unconfined such as:

/usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize

libvirtd needs to be allowed to kill these processes, otherwise they
remain running.
---
examples/apparmor/usr.sbin.libvirtd | 1 +
1 file changed, 1 insertion(+)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index bd7796c..4d220c2 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -63,6 +63,7 @@

signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
+ signal (send) set=("kill") peer=unconfined,

# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
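Review bot: the added rule `signal (send) set=("kill") peer=unconfined,` matches every unconfined process on the host, not only the capabilities-probe QEMU instances named in the patch description; a one-line comment above it in the profile stating that purpose would document the scope for later readers. Apart from the corrected `domaiens` spelling in the Subject, this file is identical to the deleted copy above, so the rename is the only change.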
debian/patches/apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch (new file)

From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 17 Jan 2018 16:20:37 +0100
Subject: apparmor: allow libvirt to send term signal to unconfined

Otherwise stopping domains with qemu://session fails like

[164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
---
examples/apparmor/usr.sbin.libvirtd | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index 4d220c2..72d7987 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -63,7 +63,7 @@

signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,
- signal (send) set=("kill") peer=unconfined,
+ signal (send) set=("kill", "term") peer=unconfined,

# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
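Review bot: this patch rewrites the line the previous patch introduced, so it can only apply after `Allow-libvirt-to-kill-unconfined-domains.patch`; folding `"term"` into that patch instead of stacking a second one would remove the ordering dependency and the `index 4d220c2..72d7987` chain. The quoted denial (`signal=term peer="unconfined"`) is exactly the signal added, so the rule is as narrow as the log supports; if further `apparmor="DENIED" operation="signal"` entries show up for other signals, the set will need extending again rather than being widened pre-emptively.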
debian/patches/series

 Set-defaults-for-zfs-tools.patch
 Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
-Allow-libvirt-to-kill-unconfined-domaiens.patch
+Allow-libvirt-to-kill-unconfined-domains.patch
+apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch
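Review bot: the series lists `apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch` after `Allow-libvirt-to-kill-unconfined-domains.patch`, which is required because the former modifies the line the latter adds; the `domaiens` to `domains` rename here is matched by the patch file rename in the same commit, so the series and the directory stay consistent.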
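As an added, defender-side example (not part of this commit, of libvirt, or of the Debian packaging), the following Python script parses kernel audit lines of the shape quoted in the commit message above, keeps only the AppArmor signal denials, and derives the `signal (...) set=(...) peer=...,` rule that would satisfy them. The sample log lines are constructed (the first copies the shape of the quoted denial, the others are made up), the function names are mine, and the emitted rule is a starting point for a profile author to review rather than something to apply unseen, since `peer=unconfined` covers every unconfined process on the host.

```python
"""Extract AppArmor signal denials from kernel audit output and derive the
profile rule that would satisfy them (added example, not project code)."""
import re
from collections import defaultdict

# Matches key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample (not captured from a real host). The first line mirrors
# the denial quoted in the commit message; the others are made up to show a
# second signal, a complain-mode ALLOWED event, and a non-signal denial.
SAMPLE_LOG = """\
[164012.338157] audit: type=1400 audit(1516202208.784:99): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=term peer="unconfined"
[164013.101010] audit: type=1400 audit(1516202209.101:100): apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=kill peer="unconfined"
[164014.202020] audit: type=1400 audit(1516202210.202:101): apparmor="ALLOWED" operation="signal" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" requested_mask="send" denied_mask="send" signal=hup peer="/usr/sbin/dnsmasq"
[164015.303030] audit: type=1400 audit(1516202211.303:102): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" pid=18835 comm="libvirtd" name="/run/example.sock" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def signal_denials(log_text):
    """Keep only apparmor="DENIED" events whose mediation class is "signal"."""
    events = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("apparmor") == "DENIED" and fields.get("operation") == "signal":
            events.append(fields)
    return events


def suggest_signal_rules(events):
    """Collapse denials into one AppArmor rule per (profile, access, peer).

    Returns {profile: [rule, ...]}. Signal names are sorted so the output is
    stable; the two sample denials yield set=("kill", "term").
    """
    grouped = defaultdict(set)
    for ev in events:
        grouped[(ev["profile"], ev["denied_mask"], ev["peer"])].add(ev["signal"])
    rules = defaultdict(list)
    for (profile, access, peer), signals in sorted(grouped.items()):
        quoted = ", ".join(f'"{s}"' for s in sorted(signals))
        rules[profile].append(f"signal ({access}) set=({quoted}) peer={peer},")
    return dict(rules)


if __name__ == "__main__":
    for profile, profile_rules in suggest_signal_rules(signal_denials(SAMPLE_LOG)).items():
        print(f"# rules needed by {profile}")
        for rule in profile_rules:
            print("  " + rule)
```

Run against real output from `dmesg` or `journalctl -k` after a failed `virsh destroy`, the script produces the same `signal (send) set=("kill", "term") peer=unconfined,` line the second patch ends up with; ALLOWED events from complain mode and non-signal denials are dropped so the suggestion stays scoped to the mediation class in question.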