On 18.10.2014 23:12, intrigeri wrote: > Hi, > > Daniel P. Berrange wrote (01 Oct 2014 14:54:43 GMT) : >> Agreed, the libvirt upstream distributed file should do version checks >> based on official apparmor releases, and distros can tweak versions if >> they have backported features. > > So, it seems that we've reached a consensus that adding version > checking machinery makes sense. Great :) > > Stefan, do you plan to implement it? One way to go could be to > implement and upload it first in Ubuntu: the rest of the delta is > already there anyway, so it's not as if it changed the current > situation much; and then, it also makes it easy to test the version > checks on Debian, for added confidence, before submitting the > patch upstream. > > Note: once this machinery is in place, ideally distros should rebuild > their libvirt binary packages when they introduce new AppArmor parser > features -- which is effectively a transition, in Debian-speak. > > Cheers, > Yeah, I actually did but it felt a bit hackish but then I am told anything looks a bit hackish when it involves autoconf. These are again against upstream libvirt mostly because the last touch timestamps always clash otherwise. I tried to do two steps, one introducing the machinery and the second to add the changes. That way the vast looking delta of the first patch boils down to mostly renames. -Stefan
From 5d0c61d3e9df6a4f58ac933d1fadc9b36eff2dce Mon Sep 17 00:00:00 2001 From: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> Date: Mon, 13 Oct 2014 11:31:59 +0200 Subject: [PATCH 1/2] examples/apparmor: Add ability to add versioned features Adds APPARMOR_VERSION_NUMBER to config.h which by default is set to the apparmor library version (<major>*1000+<minor>). It can be overridden by the distro by supplying --with-apparmor-profiles-version=<version>. Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> --- configure.ac | 22 ++++ examples/apparmor/Makefile.am | 3 + examples/apparmor/libvirt-lxc | 116 ----------------- examples/apparmor/libvirt-lxc.in | 116 +++++++++++++++++ examples/apparmor/libvirt-qemu | 144 --------------------- examples/apparmor/libvirt-qemu.in | 144 +++++++++++++++++++++ examples/apparmor/profile-preprocess | 21 +++ examples/apparmor/usr.lib.libvirt.virt-aa-helper | 48 ------- .../apparmor/usr.lib.libvirt.virt-aa-helper.in | 48 +++++++ examples/apparmor/usr.sbin.libvirtd | 63 --------- examples/apparmor/usr.sbin.libvirtd.in | 63 +++++++++ 11 files changed, 417 insertions(+), 371 deletions(-) delete mode 100644 examples/apparmor/libvirt-lxc create mode 100644 examples/apparmor/libvirt-lxc.in delete mode 100644 examples/apparmor/libvirt-qemu create mode 100644 examples/apparmor/libvirt-qemu.in create mode 100755 examples/apparmor/profile-preprocess delete mode 100644 examples/apparmor/usr.lib.libvirt.virt-aa-helper create mode 100644 examples/apparmor/usr.lib.libvirt.virt-aa-helper.in delete mode 100644 examples/apparmor/usr.sbin.libvirtd create mode 100644 examples/apparmor/usr.sbin.libvirtd.in diff --git a/configure.ac b/configure.ac index f7b02ff..42cf073 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1490,6 +1490,28 @@ if test "$with_apparmor" = "no"; then fi AM_CONDITIONAL([WITH_APPARMOR_PROFILES], [test "$with_apparmor_profiles" != "no"]) +AC_ARG_WITH([apparmor-profiles-version], + [AS_HELP_STRING([--with-apparmor-profiles-version], + [install apparmor profiles for apparmor version @<:@default=check@:>@])], + [], + [with_apparmor_profiles_version=check]) +if test "$with_apparmor_profiles" = "no"; then + with_apparmor_profiles_version="no" +fi +if test "$with_apparmor_profiles_version" = "check"; then + APPARMOR_VERSION=`pkg-config --modversion libapparmor|cut -d. -f1-2` +elif test "$with_apparmor_profiles_version" != "no"; then + APPARMOR_VERSION=$withval +fi +if test "$with_apparmor_profiles_version" != "no"; then + APPARMOR_MAJOR_VERSION=`echo $APPARMOR_VERSION|cut -d. -f1` + APPARMOR_MINOR_VERSION=`echo $APPARMOR_VERSION|cut -d. -f2` + APPARMOR_VERSION_NUMBER=`expr $APPARMOR_MAJOR_VERSION \* 1000 + $APPARMOR_MINOR_VERSION` + AC_DEFINE_UNQUOTED([APPARMOR_VERSION_NUMBER], + $APPARMOR_VERSION_NUMBER, + [Version number of apparmor library (for profile features)]) +fi + dnl DTrace static probes AC_ARG_WITH([dtrace], [AS_HELP_STRING([--with-dtrace], diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am index 7a20e16..4712b8d 100644 --- a/examples/apparmor/Makefile.am +++ b/examples/apparmor/Makefile.am @@ -40,4 +40,7 @@ templates_DATA = \ TEMPLATE.qemu \ TEMPLATE.lxc \ $(NULL) + +%: %.in profile-preprocess ../../config.h + ./profile-preprocess $< >$@ endif WITH_APPARMOR_PROFILES diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc deleted file mode 100644 index 4bfb503..0000000 --- a/examples/apparmor/libvirt-lxc +++ /dev/null 
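Review bot: The chosen version string is never validated before it reaches `expr`, so `--with-apparmor-profiles-version` given without a value (shell value `yes`) or a `pkg-config --modversion libapparmor` that prints nothing both make `expr` fail and leave an empty or malformed APPARMOR_VERSION_NUMBER in config.h, which the profile preprocessor in this same patch would then read as "skip every versioned rule" without a diagnostic. A guard after the version is selected would catch both: `case $APPARMOR_VERSION in *.*) ;; *) AC_MSG_ERROR([apparmor profiles version must be <major>.<minor>, got "$APPARMOR_VERSION"]) ;; esac`. The `elif` branch should read `$with_apparmor_profiles_version` rather than `$withval`, which is only set as a side effect of the immediately preceding AC_ARG_WITH and breaks as soon as another macro is inserted between them. Since the number is derived from the build host's libapparmor rather than from the parser on the installation target, the help string could say so, e.g. `[install apparmor profiles for apparmor version (default: the libapparmor found at build time) @<:@default=check@:>@]`.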
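Review bot: The pattern rule writes `./profile-preprocess $< >$@` straight into the target, so a preprocessor that fails part-way leaves a truncated profile that make then treats as up to date; writing to a temporary and renaming avoids shipping half a profile: `$(srcdir)/profile-preprocess $< > $@.tmp && mv $@.tmp $@`. The rule also assumes an in-tree build (`./profile-preprocess`, `../../config.h`); `$(srcdir)/profile-preprocess` and `$(top_builddir)/config.h` as prerequisites keep VPATH builds working. The generated profiles are not added to CLEANFILES, and EXTRA_DIST (visible as context in the second patch) still lists the generated names rather than the `.in` sources and `profile-preprocess`, so a dist tarball would lack the inputs needed to regenerate them.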
@@ -1,116 +0,0 @@ -# Last Modified: Fri Feb 7 13:01:36 2014 - - #include <abstractions/base> - - umount, - - # ignore DENIED message on / remount - deny mount options=(ro, remount) -> /, - - # allow tmpfs mounts everywhere - mount fstype=tmpfs, - - # allow mqueue mounts everywhere - mount fstype=mqueue, - - # allow fuse mounts everywhere - mount fstype=fuse.*, - - # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted - mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, - deny @{PROC}/sys/fs/** wklx, - - # allow efivars to be mounted, writing to it will be blocked though - mount fstype=efivarfs -> /sys/firmware/efi/efivars/, - - # block some other dangerous paths - deny @{PROC}/sysrq-trigger rwklx, - deny @{PROC}/mem rwklx, - deny @{PROC}/kmem rwklx, - - # deny writes in /sys except for /sys/fs/cgroup, also allow - # fusectl, securityfs and debugfs to be mounted there (read-only) - mount fstype=fusectl -> /sys/fs/fuse/connections/, - mount fstype=securityfs -> /sys/kernel/security/, - mount fstype=debugfs -> /sys/kernel/debug/, - mount fstype=proc -> /proc/, - mount fstype=sysfs -> /sys/, - deny /sys/firmware/efi/efivars/** rwklx, - deny /sys/kernel/security/** rwklx, - - # generated by: lxc-generate-aa-rules.py container-rules.base - deny /proc/sys/[^kn]*{,/**} wklx, - deny /proc/sys/k[^e]*{,/**} wklx, - deny /proc/sys/ke[^r]*{,/**} wklx, - deny /proc/sys/ker[^n]*{,/**} wklx, - deny /proc/sys/kern[^e]*{,/**} wklx, - deny /proc/sys/kerne[^l]*{,/**} wklx, - deny /proc/sys/kernel/[^smhd]*{,/**} wklx, - deny /proc/sys/kernel/d[^o]*{,/**} wklx, - deny /proc/sys/kernel/do[^m]*{,/**} wklx, - deny /proc/sys/kernel/dom[^a]*{,/**} wklx, - deny /proc/sys/kernel/doma[^i]*{,/**} wklx, - deny /proc/sys/kernel/domai[^n]*{,/**} wklx, - deny /proc/sys/kernel/domain[^n]*{,/**} wklx, - deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, - deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, - deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, - deny 
/proc/sys/kernel/domainname?*{,/**} wklx, - deny /proc/sys/kernel/h[^o]*{,/**} wklx, - deny /proc/sys/kernel/ho[^s]*{,/**} wklx, - deny /proc/sys/kernel/hos[^t]*{,/**} wklx, - deny /proc/sys/kernel/host[^n]*{,/**} wklx, - deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, - deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, - deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, - deny /proc/sys/kernel/hostname?*{,/**} wklx, - deny /proc/sys/kernel/m[^s]*{,/**} wklx, - deny /proc/sys/kernel/ms[^g]*{,/**} wklx, - deny /proc/sys/kernel/msg*/** wklx, - deny /proc/sys/kernel/s[^he]*{,/**} wklx, - deny /proc/sys/kernel/se[^m]*{,/**} wklx, - deny /proc/sys/kernel/sem*/** wklx, - deny /proc/sys/kernel/sh[^m]*{,/**} wklx, - deny /proc/sys/kernel/shm*/** wklx, - deny /proc/sys/kernel?*{,/**} wklx, - deny /proc/sys/n[^e]*{,/**} wklx, - deny /proc/sys/ne[^t]*{,/**} wklx, - deny /proc/sys/net?*{,/**} wklx, - deny /sys/[^fdc]*{,/**} wklx, - deny /sys/c[^l]*{,/**} wklx, - deny /sys/cl[^a]*{,/**} wklx, - deny /sys/cla[^s]*{,/**} wklx, - deny /sys/clas[^s]*{,/**} wklx, - deny /sys/class/[^n]*{,/**} wklx, - deny /sys/class/n[^e]*{,/**} wklx, - deny /sys/class/ne[^t]*{,/**} wklx, - deny /sys/class/net?*{,/**} wklx, - deny /sys/class?*{,/**} wklx, - deny /sys/d[^e]*{,/**} wklx, - deny /sys/de[^v]*{,/**} wklx, - deny /sys/dev[^i]*{,/**} wklx, - deny /sys/devi[^c]*{,/**} wklx, - deny /sys/devic[^e]*{,/**} wklx, - deny /sys/device[^s]*{,/**} wklx, - deny /sys/devices/[^v]*{,/**} wklx, - deny /sys/devices/v[^i]*{,/**} wklx, - deny /sys/devices/vi[^r]*{,/**} wklx, - deny /sys/devices/vir[^t]*{,/**} wklx, - deny /sys/devices/virt[^u]*{,/**} wklx, - deny /sys/devices/virtu[^a]*{,/**} wklx, - deny /sys/devices/virtua[^l]*{,/**} wklx, - deny /sys/devices/virtual/[^n]*{,/**} wklx, - deny /sys/devices/virtual/n[^e]*{,/**} wklx, - deny /sys/devices/virtual/ne[^t]*{,/**} wklx, - deny /sys/devices/virtual/net?*{,/**} wklx, - deny /sys/devices/virtual?*{,/**} wklx, - deny /sys/devices?*{,/**} wklx, - deny 
/sys/f[^s]*{,/**} wklx, - deny /sys/fs/[^c]*{,/**} wklx, - deny /sys/fs/c[^g]*{,/**} wklx, - deny /sys/fs/cg[^r]*{,/**} wklx, - deny /sys/fs/cgr[^o]*{,/**} wklx, - deny /sys/fs/cgro[^u]*{,/**} wklx, - deny /sys/fs/cgrou[^p]*{,/**} wklx, - deny /sys/fs/cgroup?*{,/**} wklx, - deny /sys/fs?*{,/**} wklx, diff --git a/examples/apparmor/libvirt-lxc.in b/examples/apparmor/libvirt-lxc.in new file mode 100644 index 0000000..4bfb503 --- /dev/null +++ b/examples/apparmor/libvirt-lxc.in 
@@ -0,0 +1,116 @@ +# Last Modified: Fri Feb 7 13:01:36 2014 + + #include <abstractions/base> + + umount, + + # ignore DENIED message on / remount + deny mount options=(ro, remount) -> /, + + # allow tmpfs mounts everywhere + mount fstype=tmpfs, + + # allow mqueue mounts everywhere + mount fstype=mqueue, + + # allow fuse mounts everywhere + mount fstype=fuse.*, + + # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted + mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, + deny @{PROC}/sys/fs/** wklx, + + # allow efivars to be mounted, writing to it will be blocked though + mount fstype=efivarfs -> /sys/firmware/efi/efivars/, + + # block some other dangerous paths + deny @{PROC}/sysrq-trigger rwklx, + deny @{PROC}/mem rwklx, + deny @{PROC}/kmem rwklx, + + # deny writes in /sys except for /sys/fs/cgroup, also allow + # fusectl, securityfs and debugfs to be mounted there (read-only) + mount fstype=fusectl -> /sys/fs/fuse/connections/, + mount fstype=securityfs -> /sys/kernel/security/, + mount fstype=debugfs -> /sys/kernel/debug/, + mount fstype=proc -> /proc/, + mount fstype=sysfs -> /sys/, + deny /sys/firmware/efi/efivars/** rwklx, + deny /sys/kernel/security/** rwklx, + + # generated by: lxc-generate-aa-rules.py container-rules.base + deny /proc/sys/[^kn]*{,/**} wklx, + deny /proc/sys/k[^e]*{,/**} wklx, + deny /proc/sys/ke[^r]*{,/**} wklx, + deny /proc/sys/ker[^n]*{,/**} wklx, + deny /proc/sys/kern[^e]*{,/**} wklx, + deny /proc/sys/kerne[^l]*{,/**} wklx, + deny /proc/sys/kernel/[^smhd]*{,/**} wklx, + deny /proc/sys/kernel/d[^o]*{,/**} wklx, + deny /proc/sys/kernel/do[^m]*{,/**} wklx, + deny /proc/sys/kernel/dom[^a]*{,/**} wklx, + deny /proc/sys/kernel/doma[^i]*{,/**} wklx, + deny /proc/sys/kernel/domai[^n]*{,/**} wklx, + deny /proc/sys/kernel/domain[^n]*{,/**} wklx, + deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, + deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, + deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, + deny 
/proc/sys/kernel/domainname?*{,/**} wklx, + deny /proc/sys/kernel/h[^o]*{,/**} wklx, + deny /proc/sys/kernel/ho[^s]*{,/**} wklx, + deny /proc/sys/kernel/hos[^t]*{,/**} wklx, + deny /proc/sys/kernel/host[^n]*{,/**} wklx, + deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, + deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, + deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, + deny /proc/sys/kernel/hostname?*{,/**} wklx, + deny /proc/sys/kernel/m[^s]*{,/**} wklx, + deny /proc/sys/kernel/ms[^g]*{,/**} wklx, + deny /proc/sys/kernel/msg*/** wklx, + deny /proc/sys/kernel/s[^he]*{,/**} wklx, + deny /proc/sys/kernel/se[^m]*{,/**} wklx, + deny /proc/sys/kernel/sem*/** wklx, + deny /proc/sys/kernel/sh[^m]*{,/**} wklx, + deny /proc/sys/kernel/shm*/** wklx, + deny /proc/sys/kernel?*{,/**} wklx, + deny /proc/sys/n[^e]*{,/**} wklx, + deny /proc/sys/ne[^t]*{,/**} wklx, + deny /proc/sys/net?*{,/**} wklx, + deny /sys/[^fdc]*{,/**} wklx, + deny /sys/c[^l]*{,/**} wklx, + deny /sys/cl[^a]*{,/**} wklx, + deny /sys/cla[^s]*{,/**} wklx, + deny /sys/clas[^s]*{,/**} wklx, + deny /sys/class/[^n]*{,/**} wklx, + deny /sys/class/n[^e]*{,/**} wklx, + deny /sys/class/ne[^t]*{,/**} wklx, + deny /sys/class/net?*{,/**} wklx, + deny /sys/class?*{,/**} wklx, + deny /sys/d[^e]*{,/**} wklx, + deny /sys/de[^v]*{,/**} wklx, + deny /sys/dev[^i]*{,/**} wklx, + deny /sys/devi[^c]*{,/**} wklx, + deny /sys/devic[^e]*{,/**} wklx, + deny /sys/device[^s]*{,/**} wklx, + deny /sys/devices/[^v]*{,/**} wklx, + deny /sys/devices/v[^i]*{,/**} wklx, + deny /sys/devices/vi[^r]*{,/**} wklx, + deny /sys/devices/vir[^t]*{,/**} wklx, + deny /sys/devices/virt[^u]*{,/**} wklx, + deny /sys/devices/virtu[^a]*{,/**} wklx, + deny /sys/devices/virtua[^l]*{,/**} wklx, + deny /sys/devices/virtual/[^n]*{,/**} wklx, + deny /sys/devices/virtual/n[^e]*{,/**} wklx, + deny /sys/devices/virtual/ne[^t]*{,/**} wklx, + deny /sys/devices/virtual/net?*{,/**} wklx, + deny /sys/devices/virtual?*{,/**} wklx, + deny /sys/devices?*{,/**} wklx, + deny 
/sys/f[^s]*{,/**} wklx, + deny /sys/fs/[^c]*{,/**} wklx, + deny /sys/fs/c[^g]*{,/**} wklx, + deny /sys/fs/cg[^r]*{,/**} wklx, + deny /sys/fs/cgr[^o]*{,/**} wklx, + deny /sys/fs/cgro[^u]*{,/**} wklx, + deny /sys/fs/cgrou[^p]*{,/**} wklx, + deny /sys/fs/cgroup?*{,/**} wklx, + deny /sys/fs?*{,/**} wklx, diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu deleted file mode 100644 index c6de6dd..0000000 --- a/examples/apparmor/libvirt-qemu +++ /dev/null 
@@ -1,144 +0,0 @@ -# Last Modified: Wed Sep 3 21:52:03 2014 - - #include <abstractions/base> - #include <abstractions/consoles> - #include <abstractions/nameservice> - - # required for reading disk images - capability dac_override, - capability dac_read_search, - capability chown, - - # needed to drop privileges - capability setgid, - capability setuid, - - network inet stream, - network inet6 stream, - - /dev/net/tun rw, - /dev/kvm rw, - /dev/ptmx rw, - /dev/kqemu rw, - @{PROC}/*/status r, - @{PROC}/sys/kernel/cap_last_cap r, - - # For hostdev access. The actual devices will be added dynamically - /sys/bus/usb/devices/ r, - /sys/devices/**/usb[0-9]*/** r, - - # WARNING: this gives the guest direct access to host hardware and specific - # portions of shared memory. This is required for sound using ALSA with kvm, - # but may constitute a security risk. If your environment does not require - # the use of sound in your VMs, feel free to comment out or prepend 'deny' to - # the rules for files in /dev. - /{dev,run}/shm r, - /{dev,run}/shmpulse-shm* r, - /{dev,run}/shmpulse-shm* rwk, - /dev/snd/* rw, - capability ipc_lock, - # spice - owner /{dev,run}/shm/spice.* rw, - # 'kill' is not required for sound and is a security risk. Do not enable - # unless you absolutely need it. 
- deny capability kill, - - # Uncomment the following if you need access to /dev/fb* - #/dev/fb* rw, - - /etc/pulse/client.conf r, - @{HOME}/.pulse-cookie rwk, - owner /root/.pulse-cookie rwk, - owner /root/.pulse/ rw, - owner /root/.pulse/* rw, - /usr/share/alsa/** r, - owner /tmp/pulse-*/ rw, - owner /tmp/pulse-*/* rw, - /var/lib/dbus/machine-id r, - - # access to firmware's etc - /usr/share/kvm/** r, - /usr/share/qemu/** r, - /usr/share/bochs/** r, - /usr/share/openbios/** r, - /usr/share/openhackware/** r, - /usr/share/proll/** r, - /usr/share/vgabios/** r, - /usr/share/seabios/** r, - /usr/share/ovmf/** r, - - # access PKI infrastructure - /etc/pki/libvirt-vnc/** r, - - # the various binaries - /usr/bin/kvm rmix, - /usr/bin/qemu rmix, - /usr/bin/qemu-system-arm rmix, - /usr/bin/qemu-system-cris rmix, - /usr/bin/qemu-system-i386 rmix, - /usr/bin/qemu-system-m68k rmix, - /usr/bin/qemu-system-microblaze rmix, - /usr/bin/qemu-system-microblazeel rmix, - /usr/bin/qemu-system-mips rmix, - /usr/bin/qemu-system-mips64 rmix, - /usr/bin/qemu-system-mips64el rmix, - /usr/bin/qemu-system-mipsel rmix, - /usr/bin/qemu-system-ppc rmix, - /usr/bin/qemu-system-ppc64 rmix, - /usr/bin/qemu-system-ppcemb rmix, - /usr/bin/qemu-system-sh4 rmix, - /usr/bin/qemu-system-sh4eb rmix, - /usr/bin/qemu-system-sparc rmix, - /usr/bin/qemu-system-sparc64 rmix, - /usr/bin/qemu-system-x86_64 rmix, - /usr/bin/qemu-alpha rmix, - /usr/bin/qemu-arm rmix, - /usr/bin/qemu-armeb rmix, - /usr/bin/qemu-cris rmix, - /usr/bin/qemu-i386 rmix, - /usr/bin/qemu-m68k rmix, - /usr/bin/qemu-microblaze rmix, - /usr/bin/qemu-microblazeel rmix, - /usr/bin/qemu-mips rmix, - /usr/bin/qemu-mipsel rmix, - /usr/bin/qemu-ppc rmix, - /usr/bin/qemu-ppc64 rmix, - /usr/bin/qemu-ppc64abi32 rmix, - /usr/bin/qemu-sh4 rmix, - /usr/bin/qemu-sh4eb rmix, - /usr/bin/qemu-sparc rmix, - /usr/bin/qemu-sparc64 rmix, - /usr/bin/qemu-sparc32plus rmix, - /usr/bin/qemu-sparc64 rmix, - /usr/bin/qemu-x86_64 rmix, - /usr/lib/qemu/block-curl.so 
mr, - - # for save and resume - /bin/dash rmix, - /bin/dd rmix, - /bin/cat rmix, - - # for usb access - /dev/bus/usb/ r, - /etc/udev/udev.conf r, - /sys/bus/ r, - /sys/class/ r, - - /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, - # child profile for bridge helper process - profile qemu_bridge_helper { - #include <abstractions/base> - - capability setuid, - capability setgid, - capability setpcap, - capability net_admin, - - network inet stream, - - /dev/net/tun rw, - /etc/qemu/** r, - owner @{PROC}/*/status r, - - /usr/{lib,libexec}/qemu-bridge-helper rmix, - } diff --git a/examples/apparmor/libvirt-qemu.in b/examples/apparmor/libvirt-qemu.in new file mode 100644 index 0000000..c6de6dd --- /dev/null +++ b/examples/apparmor/libvirt-qemu.in 
@@ -0,0 +1,144 @@ +# Last Modified: Wed Sep 3 21:52:03 2014 + + #include <abstractions/base> + #include <abstractions/consoles> + #include <abstractions/nameservice> + + # required for reading disk images + capability dac_override, + capability dac_read_search, + capability chown, + + # needed to drop privileges + capability setgid, + capability setuid, + + network inet stream, + network inet6 stream, + + /dev/net/tun rw, + /dev/kvm rw, + /dev/ptmx rw, + /dev/kqemu rw, + @{PROC}/*/status r, + @{PROC}/sys/kernel/cap_last_cap r, + + # For hostdev access. The actual devices will be added dynamically + /sys/bus/usb/devices/ r, + /sys/devices/**/usb[0-9]*/** r, + + # WARNING: this gives the guest direct access to host hardware and specific + # portions of shared memory. This is required for sound using ALSA with kvm, + # but may constitute a security risk. If your environment does not require + # the use of sound in your VMs, feel free to comment out or prepend 'deny' to + # the rules for files in /dev. + /{dev,run}/shm r, + /{dev,run}/shmpulse-shm* r, + /{dev,run}/shmpulse-shm* rwk, + /dev/snd/* rw, + capability ipc_lock, + # spice + owner /{dev,run}/shm/spice.* rw, + # 'kill' is not required for sound and is a security risk. Do not enable + # unless you absolutely need it. 
+ deny capability kill, + + # Uncomment the following if you need access to /dev/fb* + #/dev/fb* rw, + + /etc/pulse/client.conf r, + @{HOME}/.pulse-cookie rwk, + owner /root/.pulse-cookie rwk, + owner /root/.pulse/ rw, + owner /root/.pulse/* rw, + /usr/share/alsa/** r, + owner /tmp/pulse-*/ rw, + owner /tmp/pulse-*/* rw, + /var/lib/dbus/machine-id r, + + # access to firmware's etc + /usr/share/kvm/** r, + /usr/share/qemu/** r, + /usr/share/bochs/** r, + /usr/share/openbios/** r, + /usr/share/openhackware/** r, + /usr/share/proll/** r, + /usr/share/vgabios/** r, + /usr/share/seabios/** r, + /usr/share/ovmf/** r, + + # access PKI infrastructure + /etc/pki/libvirt-vnc/** r, + + # the various binaries + /usr/bin/kvm rmix, + /usr/bin/qemu rmix, + /usr/bin/qemu-system-arm rmix, + /usr/bin/qemu-system-cris rmix, + /usr/bin/qemu-system-i386 rmix, + /usr/bin/qemu-system-m68k rmix, + /usr/bin/qemu-system-microblaze rmix, + /usr/bin/qemu-system-microblazeel rmix, + /usr/bin/qemu-system-mips rmix, + /usr/bin/qemu-system-mips64 rmix, + /usr/bin/qemu-system-mips64el rmix, + /usr/bin/qemu-system-mipsel rmix, + /usr/bin/qemu-system-ppc rmix, + /usr/bin/qemu-system-ppc64 rmix, + /usr/bin/qemu-system-ppcemb rmix, + /usr/bin/qemu-system-sh4 rmix, + /usr/bin/qemu-system-sh4eb rmix, + /usr/bin/qemu-system-sparc rmix, + /usr/bin/qemu-system-sparc64 rmix, + /usr/bin/qemu-system-x86_64 rmix, + /usr/bin/qemu-alpha rmix, + /usr/bin/qemu-arm rmix, + /usr/bin/qemu-armeb rmix, + /usr/bin/qemu-cris rmix, + /usr/bin/qemu-i386 rmix, + /usr/bin/qemu-m68k rmix, + /usr/bin/qemu-microblaze rmix, + /usr/bin/qemu-microblazeel rmix, + /usr/bin/qemu-mips rmix, + /usr/bin/qemu-mipsel rmix, + /usr/bin/qemu-ppc rmix, + /usr/bin/qemu-ppc64 rmix, + /usr/bin/qemu-ppc64abi32 rmix, + /usr/bin/qemu-sh4 rmix, + /usr/bin/qemu-sh4eb rmix, + /usr/bin/qemu-sparc rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-x86_64 rmix, + /usr/lib/qemu/block-curl.so 
mr,
+
+ # for save and resume
+ /bin/dash rmix,
+ /bin/dd rmix,
+ /bin/cat rmix,
+
+ # for usb access
+ /dev/bus/usb/ r,
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
+
+ /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+ # child profile for bridge helper process
+ profile qemu_bridge_helper {
+ #include <abstractions/base>
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ owner @{PROC}/*/status r,
+
+ /usr/{lib,libexec}/qemu-bridge-helper rmix,
+ }
diff --git a/examples/apparmor/profile-preprocess b/examples/apparmor/profile-preprocess
new file mode 100755
index 0000000..684958a
--- /dev/null
+++ b/examples/apparmor/profile-preprocess
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+PROFILES_VERSION=$(
+ awk '$1=="#define" && $2=="APPARMOR_VERSION_NUMBER"{
+ print $3
+ }' ../../config.h)
+
+awk -vVERSION=$PROFILES_VERSION '
+$1 == "@@ifge" {
+ if (VERSION < $2)
+ skip=1
+ next
+}
+$1 == "@@end"{
+ skip=0
+ next
+}
+!skip{
+ print
+}
+' $1
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
deleted file mode 100644
index bceaaff..0000000
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
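Review bot: The preprocessor silently accepts input it does not understand: an `@@` line other than `@@ifge`/`@@end` is copied into the profile verbatim, an `@@ifge` with no closing `@@end` drops the remainder of the file, and an empty VERSION (APPARMOR_VERSION_NUMBER missing from config.h) makes every `@@ifge` block vanish because the string comparison always succeeds — each of these yields a profile that either fails to load or confines less than intended, with no build error. Two more awk rules placed after the existing ones would turn them into failures: `$1 ~ /^@@/ { print FILENAME ": unknown directive " $1 > "/dev/stderr"; exit 1 }` and `END { if (skip) { print FILENAME ": unterminated @@ifge" > "/dev/stderr"; exit 1 } }`, together with `test -n "$PROFILES_VERSION" || exit 1` before the second awk. `"$1"` and `"$PROFILES_VERSION"` should be quoted. A short header comment describing the `@@ifge <number>` … `@@end` syntax and the `<major>*1000+<minor>` scale of the number would help profile authors.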
@@ -1,48 +0,0 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 -#include <tunables/global> - -/usr/lib/libvirt/virt-aa-helper { - #include <abstractions/base> - - # needed for searching directories - capability dac_override, - capability dac_read_search, - - # needed for when disk is on a network filesystem - network inet, - - deny @{PROC}/[0-9]*/mounts r, - @{PROC}/[0-9]*/net/psched r, - owner @{PROC}/[0-9]*/status r, - @{PROC}/filesystems r, - - # for hostdev - /sys/devices/ r, - /sys/devices/** r, - - /usr/lib/libvirt/virt-aa-helper mr, - /sbin/apparmor_parser Ux, - - /etc/apparmor.d/libvirt/* r, - /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, - - # for backingstore -- allow access to non-hidden files in @{HOME} as well - # as storage pools - audit deny @{HOME}/.* mrwkl, - audit deny @{HOME}/.*/ rw, - audit deny @{HOME}/.*/** mrwkl, - audit deny @{HOME}/bin/ rw, - audit deny @{HOME}/bin/** mrwkl, - @{HOME}/ r, - @{HOME}/** r, - /var/lib/libvirt/images/ r, - /var/lib/libvirt/images/** r, - /{media,mnt,opt,srv}/** r, - - /**.img r, - /**.qcow{,2} r, - /**.qed r, - /**.vmdk r, - /**.[iI][sS][oO] r, - /**/disk{,.*} r, -} diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in new file mode 100644 index 0000000..bceaaff --- /dev/null +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in 
@@ -0,0 +1,48 @@ +# Last Modified: Mon Apr 5 15:10:27 2010 +#include <tunables/global> + +/usr/lib/libvirt/virt-aa-helper { + #include <abstractions/base> + + # needed for searching directories + capability dac_override, + capability dac_read_search, + + # needed for when disk is on a network filesystem + network inet, + + deny @{PROC}/[0-9]*/mounts r, + @{PROC}/[0-9]*/net/psched r, + owner @{PROC}/[0-9]*/status r, + @{PROC}/filesystems r, + + # for hostdev + /sys/devices/ r, + /sys/devices/** r, + + /usr/lib/libvirt/virt-aa-helper mr, + /sbin/apparmor_parser Ux, + + /etc/apparmor.d/libvirt/* r, + /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + # for backingstore -- allow access to non-hidden files in @{HOME} as well + # as storage pools + audit deny @{HOME}/.* mrwkl, + audit deny @{HOME}/.*/ rw, + audit deny @{HOME}/.*/** mrwkl, + audit deny @{HOME}/bin/ rw, + audit deny @{HOME}/bin/** mrwkl, + @{HOME}/ r, + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, + /{media,mnt,opt,srv}/** r, + + /**.img r, + /**.qcow{,2} r, + /**.qed r, + /**.vmdk r, + /**.[iI][sS][oO] r, + /**/disk{,.*} r, +} diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd deleted file mode 100644 index 3011eff..0000000 --- a/examples/apparmor/usr.sbin.libvirtd +++ /dev/null 
@@ -1,63 +0,0 @@ -# Last Modified: Mon Apr 5 15:03:58 2010 -#include <tunables/global> -@{LIBVIRT}="libvirt" - -/usr/sbin/libvirtd { - #include <abstractions/base> - #include <abstractions/dbus> - - capability kill, - capability net_admin, - capability net_raw, - capability setgid, - capability sys_admin, - capability sys_module, - capability sys_ptrace, - capability sys_nice, - capability sys_chroot, - capability setuid, - capability dac_override, - capability dac_read_search, - capability fowner, - capability chown, - capability setpcap, - capability mknod, - capability fsetid, - capability audit_write, - - # Needed for vfio - capability sys_resource, - - network inet stream, - network inet dgram, - network inet6 stream, - network inet6 dgram, - network packet dgram, - - # Very lenient profile for libvirtd since we want to first focus on confining - # the guests. Guests will have a very restricted profile. - / r, - /** rwmkl, - - /bin/* PUx, - /sbin/* PUx, - /usr/bin/* PUx, - /usr/sbin/* PUx, - /lib/udev/scsi_id PUx, - /usr/lib/xen-common/bin/xen-toolstack PUx, - - # force the use of virt-aa-helper - audit deny /sbin/apparmor_parser rwxl, - audit deny /etc/apparmor.d/libvirt/** wxl, - audit deny /sys/kernel/security/apparmor/features rwxl, - audit deny /sys/kernel/security/apparmor/matching rwxl, - audit deny /sys/kernel/security/apparmor/.* rwxl, - /sys/kernel/security/apparmor/profiles r, - /usr/lib/libvirt/* PUxr, - /etc/libvirt/hooks/** rmix, - /etc/xen/scripts/** rmix, - - # allow changing to our UUID-based named profiles - change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, - -} diff --git a/examples/apparmor/usr.sbin.libvirtd.in b/examples/apparmor/usr.sbin.libvirtd.in new file mode 100644 index 0000000..3011eff --- /dev/null +++ b/examples/apparmor/usr.sbin.libvirtd.in 
@@ -0,0 +1,63 @@ +# Last Modified: Mon Apr 5 15:03:58 2010 +#include <tunables/global> +@{LIBVIRT}="libvirt" + +/usr/sbin/libvirtd { + #include <abstractions/base> + #include <abstractions/dbus> + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + + # Needed for vfio + capability sys_resource, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network packet dgram, + + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + /usr/sbin/* PUx, + /lib/udev/scsi_id PUx, + /usr/lib/xen-common/bin/xen-toolstack PUx, + + # force the use of virt-aa-helper + audit deny /sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + /usr/lib/libvirt/* PUxr, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + +} -- 1.9.1
From 8df8fd35b21de2d4de1c541fe168d07d994d8eb7 Mon Sep 17 00:00:00 2001 From: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> Date: Mon, 13 Oct 2014 11:43:26 +0200 Subject: [PATCH 2/2] examples/apparmor: Update profiles with Ubuntu delta Merge back the delta Ubuntu carries. Rules for features only available in newer versions of apparmor are wrapped by the new version markers. Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> --- examples/apparmor/Makefile.am | 10 +++++++ examples/apparmor/libvirt-lxc.in | 17 +++++++++++- examples/apparmor/libvirt-qemu.in | 31 +++++++++++++++++++++- examples/apparmor/local-usr.sbin.libvritd.in | 2 ++ .../apparmor/usr.lib.libvirt.virt-aa-helper.in | 25 ++++++++++++++--- examples/apparmor/usr.sbin.libvirtd.in | 19 ++++++++++++- 6 files changed, 98 insertions(+), 6 deletions(-) create mode 100644 examples/apparmor/local-usr.sbin.libvritd.in diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am index 4712b8d..5bd6feb 100644 --- a/examples/apparmor/Makefile.am +++ b/examples/apparmor/Makefile.am @@ -20,6 +20,7 @@ EXTRA_DIST= \ libvirt-qemu \ libvirt-lxc \ usr.lib.libvirt.virt-aa-helper \ + local-usr.sbin.libvirtd \ usr.sbin.libvirtd if WITH_APPARMOR_PROFILES @@ -29,6 +30,15 @@ apparmor_DATA = \ usr.sbin.libvirtd \ $(NULL) +localdir = $(apparmordir)/local +local_DATA = \ + local-usr.sbin.libvirtd \ + $(NULL) + +install-data-hook: + mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \ + $(DESTDIR)$(localdir)/usr.sbin.libvirtd + abstractionsdir = $(apparmordir)/abstractions abstractions_DATA = \ libvirt-qemu \ diff --git a/examples/apparmor/libvirt-lxc.in b/examples/apparmor/libvirt-lxc.in index 4bfb503..ea226e9 100644 --- a/examples/apparmor/libvirt-lxc.in +++ b/examples/apparmor/libvirt-lxc.in 
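Review bot: The `install-data-hook` moves the freshly installed file over `$(DESTDIR)$(localdir)/usr.sbin.libvirtd` unconditionally, so every `make install` overwrites the administrator's site-local overrides — the one file the `local/` directory exists to protect; install it only when absent, e.g. `test -e $(DESTDIR)$(localdir)/usr.sbin.libvirtd || mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd $(DESTDIR)$(localdir)/usr.sbin.libvirtd` followed by `rm -f $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd`. The source file is committed as `local-usr.sbin.libvritd.in` (transposed "vr"), while `local_DATA` and `EXTRA_DIST` name `local-usr.sbin.libvirtd`, so the `%: %.in` rule from the first patch has no input to build it from. There is also no matching `uninstall-hook`, so `make uninstall` leaves the renamed file behind.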
@@ -1,12 +1,20 @@ -# Last Modified: Fri Feb 7 13:01:36 2014 +# Last Modified: Thu, 18 Sep 2014 13:56:49 +0200 #include <abstractions/base> umount, +@@ifge 2009 + dbus, + signal, + ptrace, +@end # ignore DENIED message on / remount deny mount options=(ro, remount) -> /, + # support use of cgmanager proxy + mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, + # allow tmpfs mounts everywhere mount fstype=tmpfs, @@ -33,8 +41,15 @@ mount fstype=fusectl -> /sys/fs/fuse/connections/, mount fstype=securityfs -> /sys/kernel/security/, mount fstype=debugfs -> /sys/kernel/debug/, + deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, mount fstype=proc -> /proc/, mount fstype=sysfs -> /sys/, + + mount options=(rw nosuid nodev noexec remount) -> /sys/, + mount options=(rw remount) -> /sys/kernel/security/, + mount options=(rw remount) -> /sys/fs/pstore/, + mount options=(ro remount) -> /sys/fs/pstore/, + deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, diff --git a/examples/apparmor/libvirt-qemu.in b/examples/apparmor/libvirt-qemu.in index c6de6dd..b69e64c 100644 --- a/examples/apparmor/libvirt-qemu.in +++ b/examples/apparmor/libvirt-qemu.in @@ -1,4 +1,4 @@ -# Last Modified: Wed Sep 3 21:52:03 2014 +# Last Modified: Thu, 18 Sep 2014 16:41:21 +0200 #include <abstractions/base> #include <abstractions/consoles> @@ -13,15 +13,22 @@ capability setgid, capability setuid, + # this is needed with libcap-ng support, however it breaks a lot of things + # atm, so just silence the denial until libcap-ng works right. LP: #522845 + deny capability setpcap, + network inet stream, network inet6 stream, /dev/net/tun rw, + /dev/tap* rw, /dev/kvm rw, /dev/ptmx rw, /dev/kqemu rw, @{PROC}/*/status r, @{PROC}/sys/kernel/cap_last_cap r, + owner @{PROC}/*/auxv r, + @{PROC}/sys/vm/overcommit_memory r, # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, 
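Review bot: The closing marker in the first hunk is `@end`, but the preprocessor introduced in the previous patch only matches `$1 == "@@end"`, so `skip` is never cleared: on a parser older than the 2009 threshold everything after `ptrace,` — including every `deny` rule for /proc/sys and /sys that follows — is silently dropped from the generated libvirt-lxc, and on a newer parser the literal `@end` line is emitted into the profile, which apparmor_parser should reject as a syntax error. The line should read `+@@end`. A preprocessor that rejected unknown `@@` directives and unterminated blocks would have caught this at build time rather than at load time.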
@@ -38,6 +45,9 @@ /dev/snd/* rw, capability ipc_lock, # spice + /usr/bin/qemu-system-i386-spice rmix, + /usr/bin/qemu-system-x86_64-spice rmix, + /{dev,run}/shm/ r, owner /{dev,run}/shm/spice.* rw, # 'kill' is not required for sound and is a security risk. Do not enable # unless you absolutely need it. @@ -73,6 +83,7 @@ # the various binaries /usr/bin/kvm rmix, /usr/bin/qemu rmix, + /usr/bin/qemu-system-aarch64 rmix, /usr/bin/qemu-system-arm rmix, /usr/bin/qemu-system-cris rmix, /usr/bin/qemu-system-i386 rmix, @@ -91,6 +102,7 @@ /usr/bin/qemu-system-sparc rmix, /usr/bin/qemu-system-sparc64 rmix, /usr/bin/qemu-system-x86_64 rmix, + /usr/bin/qemu-system-x86_64-spice rmix, /usr/bin/qemu-alpha rmix, /usr/bin/qemu-arm rmix, /usr/bin/qemu-armeb rmix, @@ -117,6 +129,16 @@ /bin/dash rmix, /bin/dd rmix, /bin/cat rmix, + /etc/pki/CA/ r, + /etc/pki/CA/* r, + /etc/pki/libvirt/ r, + /etc/pki/libvirt/** r, + + # for rbd + /etc/ceph/ceph.conf r, + + # for access to hugepages + owner "/run/hugepages/kvm/libvirt/qemu/**" rw, # for usb access /dev/bus/usb/ r, @@ -124,6 +146,13 @@ /sys/bus/ r, /sys/class/ r, + signal (receive) peer=/usr/sbin/libvirtd, + ptrace (tracedby) peer=/usr/sbin/libvirtd, + + # for ppc device-tree access + @{PROC}/device-tree/ r, + @{PROC}/device-tree/** r, + /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { diff --git a/examples/apparmor/local-usr.sbin.libvritd.in b/examples/apparmor/local-usr.sbin.libvritd.in new file mode 100644 index 0000000..6e19f20 --- /dev/null +++ b/examples/apparmor/local-usr.sbin.libvritd.in @@ -0,0 +1,2 @@ +# Site-specific additions and overrides for usr.sbin.libvirtd. +# For more details, please see /etc/apparmor.d/local/README. diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in index bceaaff..4df86b0 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in 
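Review bot: `/usr/bin/qemu-system-x86_64-spice rmix,` is added twice, here under the `# spice` comment and again in the binaries list in the `@@ -91,6 +102,7 @@` hunk, while `qemu-system-i386-spice` appears only here; the profile loads either way, but listing both spice binaries once in the `# the various binaries` block and dropping the pair here avoids the two lists drifting apart.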
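Review bot: `/etc/pki/libvirt/** r,` in the `@@ -117,6 +129,16 @@` hunk gives every guest's qemu process read access to the whole libvirt PKI tree, which in a typical libvirtd TLS layout holds the server's private key next to the certificates; a guest escape into the qemu process would then expose key material qemu has no need for. If qemu only needs the CA and its own certificate files for VNC/SPICE TLS, narrow the rule to those (for example `/etc/pki/libvirt/*.pem r,`, plus an explicit `deny` on any private-key subdirectory that exists under it), or leave the exact per-guest paths to virt-aa-helper.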
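Review bot: `signal (receive) peer=/usr/sbin/libvirtd,` and `ptrace (tracedby) peer=/usr/sbin/libvirtd,` in the `@@ -124,6 +146,13 @@` hunk sit outside any version block, although the same rule families are wrapped in `@@ifge 2009` in `libvirt-lxc.in` and `usr.sbin.libvirtd.in` in this patch; on a parser older than the one that introduced signal and ptrace rules these two lines make the abstraction, and every guest profile that includes it, fail to load. Wrap them the same way, `@@ifge 2009` before and the preprocessor's closing marker after the two lines, so the versioning machinery the series introduces actually covers them.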
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -1,8 +1,9 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 +# Last Modified: Thu, 18 Sep 2014 14:05:36 +0200 #include <tunables/global> /usr/lib/libvirt/virt-aa-helper { #include <abstractions/base> + #include <abstractions/user-tmp> # needed for searching directories capability dac_override, @@ -19,6 +20,12 @@ # for hostdev /sys/devices/ r, /sys/devices/** r, + /sys/bus/usb/devices/ r, + /sys/bus/usb/devices/** r, + deny /dev/sd* r, + deny /dev/dm-* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r, /usr/lib/libvirt/virt-aa-helper mr, /sbin/apparmor_parser Ux, @@ -26,8 +33,11 @@ /etc/apparmor.d/libvirt/* r, /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, - # for backingstore -- allow access to non-hidden files in @{HOME} as well - # as storage pools + # For backingstore, virt-aa-helper needs to peek inside the disk image, so + # allow access to non-hidden files in @{HOME} as well as storage pools, and + # removable media and filesystems, and certain file extentions. A + # virt-aa-helper failure when checking a disk for backinsgstore is non-fatal + # (but obviously the backingstore won't be added). audit deny @{HOME}/.* mrwkl, audit deny @{HOME}/.*/ rw, audit deny @{HOME}/.*/** mrwkl, @@ -35,8 +45,17 @@ audit deny @{HOME}/bin/** mrwkl, @{HOME}/ r, @{HOME}/** r, + @{HOME}/.Private/** mrwlk, + @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk, + /var/lib/libvirt/images/ r, /var/lib/libvirt/images/** r, + /var/lib/nova/images/** r, + /var/lib/nova/instances/_base/** r, + /var/lib/nova/instances/snapshots/** r, + /var/lib/eucalyptus/instances/**/disk* r, + /var/lib/eucalyptus/instances/**/loader* r, + /var/lib/uvtool/libvirt/images/** r, /{media,mnt,opt,srv}/** r, /**.img r, diff --git a/examples/apparmor/usr.sbin.libvirtd.in b/examples/apparmor/usr.sbin.libvirtd.in index 3011eff..a489760 100644 --- a/examples/apparmor/usr.sbin.libvirtd.in +++ b/examples/apparmor/usr.sbin.libvirtd.in 
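Review bot: The rewritten comment in the `@@ -26,8 +33,11 @@` hunk has two typos, `extentions` and `backinsgstore`, and since it is the only place the profile explains why @{HOME} and removable media are readable it is worth getting right. Suggested third and fourth lines: `# removable media and filesystems, and certain file extensions. A` and `# virt-aa-helper failure when checking a disk for backingstore is non-fatal`.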
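Review bot: `@{HOME}/.Private/** mrwlk,` and `@{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,` in the `@@ -35,8 +45,17 @@` hunk grant write, link and lock permissions on the encrypted home store, whereas every other backing-store location in this profile (`@{HOME}/**`, `/var/lib/libvirt/images/**`, the nova, eucalyptus and uvtool paths) is read-only; the helper only inspects disk images, so `r` (plus `m` if it really maps them) should suffice, and a write grant on ecryptfs data is a poor default for a helper invoked by libvirtd. Note also that `audit deny @{HOME}/.*/** mrwkl,` a few lines above overlaps the first rule, and AppArmor gives deny precedence over allow, so the `@{HOME}/.Private/**` line is probably ineffective and only the resolved `@{HOMEDIRS}/.ecryptfs/...` form does any work — worth confirming with a test before keeping both.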
@@ -1,10 +1,12 @@ -# Last Modified: Mon Apr 5 15:03:58 2010 +# Last Modified: Tue, 23 Sep 2014 09:28:07 +0200 #include <tunables/global> @{LIBVIRT}="libvirt" /usr/sbin/libvirtd { #include <abstractions/base> #include <abstractions/dbus> + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.libvirtd> capability kill, capability net_admin, @@ -23,6 +25,7 @@ capability setpcap, capability mknod, capability fsetid, + capability ipc_lock, capability audit_write, # Needed for vfio @@ -33,6 +36,14 @@ network inet6 stream, network inet6 dgram, network packet dgram, + network netlink, + +@@ifge 2009 + dbus bus=system, + signal, + ptrace, + unix, +@@end # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. @@ -45,6 +56,12 @@ /usr/sbin/* PUx, /lib/udev/scsi_id PUx, /usr/lib/xen-common/bin/xen-toolstack PUx, + /usr/lib/xen-*/bin/pygrub PUx, + /usr/lib/xen-*/bin/libxl-save-helper PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # write and run an ebtables script. + /var/lib/libvirt/virtd* ixr, # force the use of virt-aa-helper audit deny /sbin/apparmor_parser rwxl, -- 1.9.1
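Review bot: `#include <local/usr.sbin.libvirtd>` in this hunk is unconditional, and the included file only exists because the `install-data-hook` in `Makefile.am` moves it into place; on a system where it is missing (a distro packaging the profiles itself, or a build hit by the naming mismatch noted on the Makefile hunk) `apparmor_parser` rejects the whole profile and libvirtd ends up running without confinement rather than under the lenient profile. Either make the install path robust or state the requirement in the comment, e.g. `# Site-specific additions and overrides. See local/README for details.` followed by `# This file must exist (it may be empty); the profile fails to load without it.`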