Re: [libvirt] [PATCH] apparmor: add ptrace/mediation rules for unconfined guests

2017-12-16 Thread intrigeri
Hi,

Jamie Strandboge:
> These rules are unfortunate, but it is important to note that this is
> in the libvirtd profile, not the guest profiles. As mentioned in the
> contextual diff, the profile is intentionally very lenient since
> libvirtd is necessarily highly trusted. As Christian mentioned,

Re: [libvirt] [PATCH] apparmor: add ptrace/mediation rules for unconfined guests

2017-12-15 Thread Jamie Strandboge
On Fri, 2017-12-15 at 08:52 +0100, Christian Ehrhardt wrote:
> If a guest runs unconfined, but libvirtd is
> confined then the peer for signal/ptrace can only be detected as
> 'unconfined'. That triggers issues like:
> apparmor="DENIED" operation="signal"
> profile="/usr/sbin/libvirtd"

[libvirt] [PATCH] apparmor: add ptrace/mediation rules for unconfined guests

2017-12-14 Thread Christian Ehrhardt
If a guest runs unconfined, but libvirtd is confined, then the peer for signal/ptrace can only be detected as 'unconfined'. That triggers issues like:
apparmor="DENIED" operation="signal" profile="/usr/sbin/libvirtd" pid=22395 comm="libvirtd" requested_mask="send" denied_mask="send"