File 0d05d51b-apparmor-lxc-fix.patch of Package libvirt.22291

commit 0d05d51b715390e08cd112f83e03b6776412aaeb
Author: Jim Fehlig <jfehlig@suse.com>
Date:   Wed Dec 2 16:24:21 2020 -0700

    apparmor: Allow lxc processes to receive signals from libvirt
    
    LXC processes confined by apparmor are not permitted to receive signals
    from libvirtd. Attempting to destroy such a process fails
    
    virsh --connect lxc:/// destroy distro_apparmor
     error: Failed to destroy domain distro_apparmor
     error: Failed to kill process 29491: Permission denied
    
    And from /var/log/audit/audit.log
    
    type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED"
    operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1"
    pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive"
    signal=term peer="libvirtd"
    
    Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc
    abstraction allowing reception of signals from libvirtd.
    
    Signed-off-by: Jim Fehlig <jfehlig@suse.com>
    Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Index: libvirt-6.0.0/src/security/apparmor/libvirt-lxc
===================================================================
--- libvirt-6.0.0.orig/src/security/apparmor/libvirt-lxc
+++ libvirt-6.0.0/src/security/apparmor/libvirt-lxc
@@ -2,6 +2,10 @@
 
   #include <abstractions/base>
 
+ # Allow receiving signals from libvirtd
+  signal (receive) peer=libvirtd,
+  signal (receive) peer=/usr/sbin/libvirtd,
+
   umount,
 
   # ignore DENIED message on / remount
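
Review bot: The two added `signal (receive)` rules accept every signal from the peer, while the denial quoted in the commit message is for `signal=term` only. If the intent is just to let libvirtd stop the container, consider narrowing the rules with a `set=(...)` list of the signals that destroy actually sends, or say in the comment that matching the breadth of the libvirt-qemu abstraction is deliberate. The comment should also explain why both `peer=libvirtd` and `peer=/usr/sbin/libvirtd` are needed, since the audit line shows only the peer label `libvirtd`. Finally, the `# Allow receiving signals from libvirtd` line is indented one space where the surrounding rules use two.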