File 8741b943-apparmor-ptrace-rules.patch of Package libvirt.11425
commit 8741b9435108b1f0d87670e44e1ed75f806b7791
Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Date: Fri Aug 24 08:07:39 2018 +0200
apparmor: fix ptrace rules with kernel 4.18
Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read check")
libvirt now hits apparmor denies like:
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd"
pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to work
with these newer kernels.
Fixes: https://bugs.launchpad.net/bugs/1788603
Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Index: libvirt-4.0.0/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-4.0.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-4.0.0/examples/apparmor/usr.sbin.libvirtd
@@ -56,10 +56,10 @@
# for --p2p migrations
unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
- ptrace (trace) peer=unconfined,
- ptrace (trace) peer=/usr/sbin/libvirtd,
- ptrace (trace) peer=/usr/sbin/dnsmasq,
- ptrace (trace) peer=libvirt-*,
+ ptrace (read,trace) peer=unconfined,
+ ptrace (read,trace) peer=/usr/sbin/libvirtd,
+ ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+ ptrace (read,trace) peer=libvirt-*,
signal (send) peer=/usr/sbin/dnsmasq,
signal (read, send) peer=libvirt-*,