[Pkg-libvirt-maintainers] Bug#878153: libvirt-daemon-system: frequent AppArmor denials for ptrace of some unconfined process

Simon McVittie smcv at debian.org
Tue Oct 10 13:54:50 UTC 2017


Package: libvirt-daemon-system
Version: 3.7.0-4
Severity: normal

In recent uses of libvirtd (I would guess the last couple of weeks) I get
frequent AppArmor denials from libvirtd attempting to trace some
unconfined process:

Oct 10 14:35:58 perpetual kernel: audit: type=1400 audit(1507642558.099:2336): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:35:58 perpetual kernel: audit: type=1400 audit(1507642558.099:2337): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"

Unfortunately, AppArmor logs the system call that caused the denial for
some operations, but apparently not for this one; so we can't know
anything about the target process.

Some clues: I only get these when a VM is running. With one session://
VM and no system:// VMs running, I get these denials in consecutive pairs,
one pair every 3 seconds.

I believe this indicates either an actual ptrace operation, or mutating
process state by writing into /proc (which is also audited as "ptrace"
under at least some kernel versions). requested_mask="trace" indicates
that libvirtd is trying to write or change the state of some other,
unconfined process, as opposed to reading state which would be
requested_mask="read", or being traced by an unconfined process which
would be requested_mask="tracedby" or requested_mask="readby".

A workaround is to add this to the AppArmor profile (although this does
let libvirtd trace unconfined processes like for example dbus-daemon and
network-manager, which would be bad if there is meant to be a security
boundary between them):

    ptrace peer=unconfined,

This might be https://www.redhat.com/archives/libvir-list/2017-September/msg00546.html
in which case it's fixed in 3.8.0. If so, I'll close this when I've
upgraded.

Regards,
    smcv

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser              3.116
ii  debconf              1.5.63
ii  firewalld            0.4.4.5-2
ii  gettext-base         0.19.8.1-4
ii  init-system-helpers  1.49
ii  iptables             1.6.1-2
ii  libacl1              2.2.52-3+b1
ii  libapparmor1         2.11.0-11
ii  libaudit1            1:2.7.8-1
ii  libblkid1            2.30.2-0.1
ii  libc6                2.24-17
ii  libcap-ng0           0.7.7-3.1
ii  libdbus-1-3          1.11.20-1
ii  libdevmapper1.02.1   2:1.02.142-1
ii  libnl-3-200          3.2.27-2
ii  libnl-route-3-200    3.2.27-2
ii  libnuma1             2.0.11-2.1
ii  libselinux1          2.7-2
ii  libvirt-clients      3.7.0-4
ii  libvirt-daemon       3.7.0-4
ii  libvirt0             3.7.0-4
ii  libxml2              2.9.4+dfsg1-4
ii  libyajl2             2.1.0-2+b3
ii  logrotate            3.11.0-0.1
ii  lsb-base             9.20170808
ii  policykit-1          0.105-18

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-14
ii  dmidecode     3.1-1
ii  dnsmasq-base  2.78-1
ii  ebtables      2.0.10.4-3.5+b1
ii  iproute2      4.9.0-2
ii  parted        3.2-17

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    2.11.0-11
pn  auditd      <none>
pn  nfs-common  <none>
ii  pm-utils    1.4.1-17
pn  radvd       <none>
ii  systemd     234-3
pn  systemtap   <none>
pn  zfsutils    <none>

-- Configuration Files:
/etc/default/libvirt-guests changed [not included]
/etc/libvirt/libvirtd.conf changed [not included]
/etc/libvirt/nwfilter/allow-arp.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/allow-arp.xml'
/etc/libvirt/nwfilter/allow-dhcp-server.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/allow-dhcp-server.xml'
/etc/libvirt/nwfilter/allow-dhcp.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/allow-dhcp.xml'
/etc/libvirt/nwfilter/allow-incoming-ipv4.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/allow-incoming-ipv4.xml'
/etc/libvirt/nwfilter/allow-ipv4.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/allow-ipv4.xml'
/etc/libvirt/nwfilter/clean-traffic.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/clean-traffic.xml'
/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-arp-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-arp-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-arp-spoofing.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-arp-spoofing.xml'
/etc/libvirt/nwfilter/no-ip-multicast.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-ip-multicast.xml'
/etc/libvirt/nwfilter/no-ip-spoofing.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-ip-spoofing.xml'
/etc/libvirt/nwfilter/no-mac-broadcast.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-mac-broadcast.xml'
/etc/libvirt/nwfilter/no-mac-spoofing.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-mac-spoofing.xml'
/etc/libvirt/nwfilter/no-other-l2-traffic.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-other-l2-traffic.xml'
/etc/libvirt/nwfilter/no-other-rarp-traffic.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/no-other-rarp-traffic.xml'
/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/qemu-announce-self-rarp.xml'
/etc/libvirt/nwfilter/qemu-announce-self.xml [Errno 13] Permission denied: '/etc/libvirt/nwfilter/qemu-announce-self.xml'
/etc/libvirt/qemu.conf [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'
/etc/libvirt/qemu/networks/default.xml [Errno 13] Permission denied: '/etc/libvirt/qemu/networks/default.xml'

-- debconf information:
  libvirt-daemon-system/id_warning: true
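Added example, not part of the bug report above: a small Python parser that pulls AppArmor ptrace denials out of kernel audit lines, decodes requested_mask the way the report explains it (trace / read / tracedby / readby), groups denials into bursts by audit timestamp so the "consecutive pairs every 3 seconds" pattern can be checked mechanically, and prints the narrowest AppArmor rule that would silence each distinct denial. The first two sample lines are the ones quoted in the report; the rest are constructed here to exercise the cadence check and a "read" mask. The regex assumes the field order shown in those lines (which is what AppArmor emits for operation="ptrace"); it is not a general audit-log parser.

```python
"""Parse AppArmor ptrace denials from kernel audit lines and summarise them."""
import re
from collections import OrderedDict

# Sample log: lines 1-2 are quoted from the report; lines 3-7 are constructed
# for this example (the 3 s cadence, and one "read" denial for contrast).
SAMPLE_LOG = """\
Oct 10 14:35:58 perpetual kernel: audit: type=1400 audit(1507642558.099:2336): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:35:58 perpetual kernel: audit: type=1400 audit(1507642558.099:2337): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:36:01 perpetual kernel: audit: type=1400 audit(1507642561.101:2338): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:36:01 perpetual kernel: audit: type=1400 audit(1507642561.101:2339): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:36:04 perpetual kernel: audit: type=1400 audit(1507642564.100:2340): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:36:04 perpetual kernel: audit: type=1400 audit(1507642564.100:2341): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
Oct 10 14:36:05 perpetual kernel: audit: type=1400 audit(1507642565.500:2342): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=14324 comm="libvirtd" requested_mask="read" denied_mask="read" peer="unconfined"
"""

# Field order as emitted for operation="ptrace" (assumption: matches the quoted lines).
AUDIT_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+'
    r'apparmor="(?P<decision>[A-Z]+)"\s+'
    r'operation="(?P<operation>[^"]*)"\s+'
    r'profile="(?P<profile>[^"]*)"\s+'
    r'pid=(?P<pid>\d+)\s+'
    r'comm="(?P<comm>[^"]*)"\s+'
    r'requested_mask="(?P<requested>[^"]*)"\s+'
    r'denied_mask="(?P<denied>[^"]*)"\s+'
    r'peer="(?P<peer>[^"]*)"'
)

# Meaning of requested_mask for ptrace mediation, as explained in the report.
MASK_MEANING = {
    "trace": "subject writes to / changes state of peer (ptrace or /proc write)",
    "read": "subject reads peer state",
    "tracedby": "peer traces subject",
    "readby": "peer reads subject state",
}


def parse_line(line):
    """Return a dict for a ptrace audit line, or None for anything else."""
    m = AUDIT_RE.search(line)
    if not m or m.group("operation") != "ptrace":
        return None
    e = m.groupdict()
    e["ts"] = float(e["ts"])
    e["serial"] = int(e["serial"])
    e["pid"] = int(e["pid"])
    e["meaning"] = MASK_MEANING.get(e["requested"], "unknown mask")
    return e


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def bursts(events, mask="trace"):
    """Group DENIED events with the given mask by audit timestamp -> [(ts, count)]."""
    groups = OrderedDict()
    for e in events:
        if e["decision"] == "DENIED" and e["requested"] == mask:
            groups.setdefault(e["ts"], []).append(e)
    return [(ts, len(es)) for ts, es in groups.items()]


def intervals(events, mask="trace"):
    """Seconds between consecutive bursts, rounded to 0.1 s."""
    bs = bursts(events, mask)
    return [round(b[0] - a[0], 1) for a, b in zip(bs, bs[1:])]


def suggest_rule(event):
    """Narrowest AppArmor ptrace rule for this denial (access mode + peer only).

    Note the report's caveat: peer=unconfined still lets the profile trace
    every unconfined process, not just the one that triggered the denial.
    """
    return 'ptrace (%s) peer=%s,' % (event["requested"], event["peer"])


def main():
    events = parse_log(SAMPLE_LOG)
    for ts, n in bursts(events):
        print("burst at %.3f: %d trace denial(s)" % (ts, n))
    print("intervals between trace bursts:", intervals(events))
    for rule in sorted({suggest_rule(e) for e in events}):
        print("candidate rule:", rule)


if __name__ == "__main__":
    main()
```

With the sample above the trace denials fall into three bursts of two, 3.0 s apart, which is exactly the pattern the report describes; the "read" line lands in its own group and produces a separate, narrower candidate rule, so you can see which access modes a profile change would actually grant before pasting `ptrace peer=unconfined,` in wholesale.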


