git.ipfire.org Git - thirdparty/libvirt.git/commit
apparmor: Allow lxc processes to receive signals from libvirt
author    Jim Fehlig <jfehlig@suse.com>
          Wed, 2 Dec 2020 23:24:21 +0000 (16:24 -0700)
committer Jim Fehlig <jfehlig@suse.com>
          Thu, 3 Dec 2020 23:38:33 +0000 (16:38 -0700)
commit    0d05d51b715390e08cd112f83e03b6776412aaeb
tree      d06c57c0cfffecf57fbd2b04a35ef72628838def
parent    d2010be4792efdb03af453ed97ae671bab2a351a

LXC processes confined by apparmor are not permitted to receive signals
from libvirtd. Attempting to destroy such a process fails:

  virsh --connect lxc:/// destroy distro_apparmor
  error: Failed to destroy domain distro_apparmor
  error: Failed to kill process 29491: Permission denied

And from /var/log/audit/audit.log:

type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED"
operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1"
pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive"
signal=term peer="libvirtd"

Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc
abstraction allowing reception of signals from libvirtd.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
src/security/apparmor/libvirt-lxc
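The AVC record quoted in the commit message carries everything needed to write the matching AppArmor rule: `operation="signal"`, `denied_mask="receive"`, the signal name and the `peer` profile. The script below is an added example, not code from this commit or from libvirt; it parses audit records of that shape and derives, per confined profile, the rule that would permit the denied access. This is the check a defender runs before changing a profile, so that the new rule grants exactly what was denied (aa-logprof performs the same mapping interactively). The sample records are constructed: the first reproduces the commit's AVC line, the second is an unrelated already-allowed file open that must be ignored. The default output has the shape of the rule the commit adds to the libvirt-lxc abstraction (any signal from libvirtd); the `narrow=True` variant goes beyond the commit and limits the rule to the one denied signal with `set=(...)`, the least-privilege form.

```python
"""Derive AppArmor signal rules from audit.log AVC denials.

Added example, not code from the libvirt commit or project. Sample records
are constructed; the first mirrors the AVC line quoted in the commit message.
"""
import re
from typing import Dict, List, Optional

SAMPLE_AUDIT_LINES = [
    # Constructed: the signal denial from the commit message, as one line.
    'type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED" '
    'operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1" '
    'pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive" '
    'signal=term peer="libvirtd"',
    # Constructed: an unrelated, already-allowed file open that must be ignored.
    'type=AVC msg=audit(1606949706.200:6346): apparmor="ALLOWED" '
    'operation="open" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1" '
    'name="/etc/hosts" pid=29491 comm="sh" requested_mask="r" denied_mask="r"',
]

# key=value tokens: the value is either double-quoted or a run of non-space chars
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Dict[str, str]:
    """Split one audit record into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def signal_denial_to_rule(fields: Dict[str, str], narrow: bool = False) -> Optional[str]:
    """Map an AppArmor signal denial to the profile rule that would permit it.

    narrow=False: allow every signal from the peer (shape of the commit's rule).
    narrow=True:  restrict the rule to the denied signal via set=(...).
    Returns None for records that are not AppArmor signal denials.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "signal":
        return None
    access = fields.get("denied_mask") or fields.get("requested_mask", "")
    parts = [f"signal ({access})"]
    if narrow and fields.get("signal"):
        parts.append(f"set=({fields['signal']})")
    if fields.get("peer"):
        parts.append(f"peer={fields['peer']}")
    return " ".join(parts) + ","


def suggested_rules(lines: List[str], narrow: bool = False) -> Dict[str, List[str]]:
    """Collect distinct rules needed for the signal denials, keyed by profile."""
    rules: Dict[str, List[str]] = {}
    for line in lines:
        fields = parse_avc(line)
        rule = signal_denial_to_rule(fields, narrow=narrow)
        if rule is None:
            continue
        per_profile = rules.setdefault(fields.get("profile", "<unknown>"), [])
        if rule not in per_profile:
            per_profile.append(rule)
    return rules


if __name__ == "__main__":
    for profile, rules in suggested_rules(SAMPLE_AUDIT_LINES).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")  # signal (receive) peer=libvirtd,
```

The `profile` key names the per-domain profile that was denied; libvirt generates one such profile per guest, which is why the commit places the rule in the shared libvirt-lxc abstraction rather than in any single generated profile.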