File 8741b943-apparmor-ptrace-rules.patch of Package libvirt.11425

commit 8741b9435108b1f0d87670e44e1ed75f806b7791
Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Date:   Fri Aug 24 08:07:39 2018 +0200

    apparmor: fix ptrace rules with kernel 4.18
    
    Due to kernel upstream change 338d0be4 ("apparmor: fix ptrace read check")
    libvirt now hits apparmor denies like:
      apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd"
      pid=4409 comm="libvirtd" requested_mask="read" denied_mask="read"
      peer="libvirt-14e92a75-7668-4b97-8f92-322fc1b9c78a"
    
    Extend the ptrace rule to also allow 'ptrace (read)' for libvirtd to work
    with these newer kernels.
    
    Fixes: https://bugs.launchpad.net/bugs/1788603
    
    Reported-by: Thadeu Lima de Souza Cascardo <thadeu.cascardo@canonical.com>
    Reviewed-by: Erik Skultety <eskultet@redhat.com>
    Acked-by: Jamie Strandboge <jamie@canonical.com>
    Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Index: libvirt-4.0.0/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-4.0.0.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-4.0.0/examples/apparmor/usr.sbin.libvirtd
@@ -56,10 +56,10 @@
   # for --p2p migrations
   unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
 
-  ptrace (trace) peer=unconfined,
-  ptrace (trace) peer=/usr/sbin/libvirtd,
-  ptrace (trace) peer=/usr/sbin/dnsmasq,
-  ptrace (trace) peer=libvirt-*,
+  ptrace (read,trace) peer=unconfined,
+  ptrace (read,trace) peer=/usr/sbin/libvirtd,
+  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+  ptrace (read,trace) peer=libvirt-*,
 
   signal (send) peer=/usr/sbin/dnsmasq,
   signal (read, send) peer=libvirt-*,
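Review bot: The only denial quoted in the commit message has a libvirt-* peer, but the four added lines grant read for peer=unconfined, peer=/usr/sbin/libvirtd and peer=/usr/sbin/dnsmasq as well. Please say in the commit message whether those three peers were also seen denied on kernel 4.18 or are being widened to keep the rules uniform, since the unconfined rule is the broadest of the four. A short comment above the ptrace block noting that read is needed since the kernel's ptrace read check fix would keep a later cleanup from dropping it. As a style point, the neighbouring rules put a space after the comma, as in "signal (read, send)" and "unix (send, receive)", so "ptrace (read, trace)" would match the rest of the profile.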