Re: [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 20.10.2014 12:48, Stefan Bader wrote:
> On 19.10.2014 17:07, intrigeri wrote:
>> Hi Stefan,
>>
>> Stefan Bader wrote (19 Oct 2014 11:07:40 GMT) :
>>> Yeah, I actually did but it felt a bit hackish but then I am told anything looks
>>> a bit hackish when it involves autoconf. These are again against upstream
>>> libvirt mostly because the last touch timestamps always clash otherwise.
>>
>> Cool, I've tested this. I've imported these two patches in Debian's
>> 1.2.9-3 quilt series, made the build system use dh-autoreconf (the
>> build system in the tarball wants aclocal 1.13, while Debian sid has
>> 1.14), and added a build-dep on libapparmor-dev to get the needed
>> pkg-config file.
>>
>> Attempting to build the resulting source package in a clean sid chroot
>> fails here:
>>
>>   Making all in examples/apparmor
>>   make[3]: Entering directory '/tmp/buildd/libvirt-1.2.9/debian/build/examples/apparmor'
>>   make[3]: Circular ../../config.h <- ../../config.h dependency dropped.
>>   ./profile-preprocess ../../../../examples/apparmor/libvirt-qemu.in >libvirt-qemu
>>   ./profile-preprocess ../../../../examples/apparmor/libvirt-lxc.in >libvirt-lxc
>>   ./profile-preprocess ../../../../examples/apparmor/usr.lib.libvirt.virt-aa-helper.in >usr.lib.libvirt.virt-aa-helper
>>   ./profile-preprocess ../../../../examples/apparmor/usr.sbin.libvirtd.in >usr.sbin.libvirtd
>>   make[3]: *** No rule to make target 'local-usr.sbin.libvirtd', needed by 'all-am'.  Stop.
>>   make[3]: *** Waiting for unfinished jobs....
>>   /bin/bash: ./profile-preprocess: No such file or directory
>>   /bin/bash: ./profile-preprocess: No such file or directory
>>   Makefile:2068: recipe for target 'libvirt-qemu' failed
>>   make[3]: *** [libvirt-qemu] Error 127
>>   Makefile:2068: recipe for target 'libvirt-lxc' failed
>>   make[3]: *** [libvirt-lxc] Error 127
>>   /bin/bash: ./profile-preprocess: No such file or directory
>>   /bin/bash: ./profile-preprocess: No such file or directory
>>   Makefile:2068: recipe for target 'usr.lib.libvirt.virt-aa-helper' failed
>>   make[3]: *** [usr.lib.libvirt.virt-aa-helper] Error 127
>>   Makefile:2068: recipe for target 'usr.sbin.libvirtd' failed
>>   make[3]: *** [usr.sbin.libvirtd] Error 127
>>   make[3]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build/examples/apparmor'
>>   Makefile:1979: recipe for target 'all-recursive' failed
>>   make[2]: *** [all-recursive] Error 1
>>   make[2]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
>>   Makefile:1877: recipe for target 'all' failed
>>   make[1]: *** [all] Error 2
>>   make[1]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
>>   dh_auto_build: make -j5 returned exit code 2
>>   debian/rules:126: recipe for target 'build' failed
>>   make: *** [build] Error 2
>>
>> Any hint?
> 
> Hm, partially this sounds like the preprocess script is not where it should be
> and the other part looks like not finding any local-usr-sbin. Could likely be
> that I need to do something better to make things work in place (as the upstream
> libvirt instructions suggest) as well as with separate object tree (as it is in
> Debian). I also saw something about circular dependency on config.h which
> probably slipped my attention. For most of the problems I guess adding something
> like $(srcdir) (need to look what this would be actually called) to the
> pre-process scripts path as well as to the .in files..

Turns out that this first attempt was not too good at all. First it does not
help to mis-name the new local .in file. Then, using the wildcard form actually
causes many more files to be touched than intended (the circular reference
hinted that). Lastly I found it might be good to also do something about cleanup.
Hope this version works better in general.

-Stefan

From 3715e3a3aa29543e38afc6ec97296866b2977e11 Mon Sep 17 00:00:00 2001
From: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
Date: Mon, 13 Oct 2014 11:31:59 +0200
Subject: [PATCH 1/2] examples/apparmor: Add ability to add versioned features

Adds APPARMOR_VERSION_NUMBER to config.h which by default is set to the
apparmor library version (<major>*1000+<minor). It can be overriden by
the distro by supplyig --with-apparmor-profiles-version=<version>.

Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
---
 configure.ac                                       |  22 ++++
 examples/apparmor/Makefile.am                      |  18 +++
 examples/apparmor/libvirt-lxc                      | 116 -----------------
 examples/apparmor/libvirt-lxc.in                   | 116 +++++++++++++++++
 examples/apparmor/libvirt-qemu                     | 144 ---------------------
 examples/apparmor/libvirt-qemu.in                  | 144 +++++++++++++++++++++
 examples/apparmor/profile-preprocess               |  21 +++
 examples/apparmor/usr.lib.libvirt.virt-aa-helper   |  48 -------
 .../apparmor/usr.lib.libvirt.virt-aa-helper.in     |  48 +++++++
 examples/apparmor/usr.sbin.libvirtd                |  63 ---------
 examples/apparmor/usr.sbin.libvirtd.in             |  63 +++++++++
 11 files changed, 432 insertions(+), 371 deletions(-)
 delete mode 100644 examples/apparmor/libvirt-lxc
 create mode 100644 examples/apparmor/libvirt-lxc.in
 delete mode 100644 examples/apparmor/libvirt-qemu
 create mode 100644 examples/apparmor/libvirt-qemu.in
 create mode 100755 examples/apparmor/profile-preprocess
 delete mode 100644 examples/apparmor/usr.lib.libvirt.virt-aa-helper
 create mode 100644 examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
 delete mode 100644 examples/apparmor/usr.sbin.libvirtd
 create mode 100644 examples/apparmor/usr.sbin.libvirtd.in

diff --git a/configure.ac b/configure.ac
index f7b02ff..42cf073 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1490,6 +1490,28 @@ if test "$with_apparmor" = "no"; then
 fi
 AM_CONDITIONAL([WITH_APPARMOR_PROFILES], [test "$with_apparmor_profiles" != "no"])
 
+AC_ARG_WITH([apparmor-profiles-version],
+  [AS_HELP_STRING([--with-apparmor-profiles-version],
+    [install apparmor profiles for apparmor version @<:@default=check@:>@])],
+  [],
+  [with_apparmor_profiles_version=check])
+if test "$with_apparmor_profiles" = "no"; then
+  with_apparmor_profiles_version="no"
+fi
+if test "$with_apparmor_profiles_version" = "check"; then
+  APPARMOR_VERSION=`pkg-config --modversion libapparmor|cut -d. -f1-2`
+elif test "$with_apparmor_profiles_version" != "no"; then
+  APPARMOR_VERSION=$withval
+fi
+if test "$with_apparmor_profiles_version" != "no"; then
+  APPARMOR_MAJOR_VERSION=`echo $APPARMOR_VERSION|cut -d. -f1`
+  APPARMOR_MINOR_VERSION=`echo $APPARMOR_VERSION|cut -d. -f2`
+  APPARMOR_VERSION_NUMBER=`expr $APPARMOR_MAJOR_VERSION \* 1000 + $APPARMOR_MINOR_VERSION`
+  AC_DEFINE_UNQUOTED([APPARMOR_VERSION_NUMBER],
+    $APPARMOR_VERSION_NUMBER,
+    [Version number of apparmor library (for profile features)])
+fi
+
 dnl DTrace static probes
 AC_ARG_WITH([dtrace],
   [AS_HELP_STRING([--with-dtrace],
diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am
index 7a20e16..8d301da 100644
--- a/examples/apparmor/Makefile.am
+++ b/examples/apparmor/Makefile.am
@@ -14,6 +14,8 @@
 ## License along with this library.  If not, see
 ## <http://www.gnu.org/licenses/>.
 
+CLEANFILES=
+
 EXTRA_DIST=				\
 	TEMPLATE.qemu			\
 	TEMPLATE.lxc			\
@@ -40,4 +42,20 @@ templates_DATA = \
 	TEMPLATE.qemu \
 	TEMPLATE.lxc \
 	$(NULL)
+
+libvirt-lxc:	$(srcdir)/libvirt-lxc.in $(srcdir)/profile-preprocess \
+		../../config.h
+	$(srcdir)/profile-preprocess $< >$@
+libvirt-qemu:	$(srcdir)/libvirt-qemu.in $(srcdir)/profile-preprocess \
+		../../config.h
+	$(srcdir)/profile-preprocess $< >$@
+usr.lib.libvirt.virt-aa-helper:	$(srcdir)/usr.lib.libvirt.virt-aa-helper.in \
+				$(srcdir)/profile-preprocess ../../config.h
+	$(srcdir)/profile-preprocess $< >$@
+usr.sbin.libvirtd:	$(srcdir)/usr.sbin.libvirtd.in \
+			$(srcdir)/profile-preprocess ../../config.h
+	$(srcdir)/profile-preprocess $< >$@
+
+CLEANFILES += libvirt-lxc libvirt-qemu usr.lib.libvirt.virt-aa-helper
+CLEANFILES += usr.sbin.libvirtd
 endif WITH_APPARMOR_PROFILES
diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
deleted file mode 100644
index 4bfb503..0000000
--- a/examples/apparmor/libvirt-lxc
+++ /dev/null
@@ -1,116 +0,0 @@
-# Last Modified: Fri Feb  7 13:01:36 2014
-
-  #include <abstractions/base>
-
-  umount,
-
-  # ignore DENIED message on / remount
-  deny mount options=(ro, remount) -> /,
-
-  # allow tmpfs mounts everywhere
-  mount fstype=tmpfs,
-
-  # allow mqueue mounts everywhere
-  mount fstype=mqueue,
-
-  # allow fuse mounts everywhere
-  mount fstype=fuse.*,
-
-  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
-  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
-  deny @{PROC}/sys/fs/** wklx,
-
-  # allow efivars to be mounted, writing to it will be blocked though
-  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
-
-  # block some other dangerous paths
-  deny @{PROC}/sysrq-trigger rwklx,
-  deny @{PROC}/mem rwklx,
-  deny @{PROC}/kmem rwklx,
-
-  # deny writes in /sys except for /sys/fs/cgroup, also allow
-  # fusectl, securityfs and debugfs to be mounted there (read-only)
-  mount fstype=fusectl -> /sys/fs/fuse/connections/,
-  mount fstype=securityfs -> /sys/kernel/security/,
-  mount fstype=debugfs -> /sys/kernel/debug/,
-  mount fstype=proc -> /proc/,
-  mount fstype=sysfs -> /sys/,
-  deny /sys/firmware/efi/efivars/** rwklx,
-  deny /sys/kernel/security/** rwklx,
-
-  # generated by: lxc-generate-aa-rules.py container-rules.base
-  deny /proc/sys/[^kn]*{,/**} wklx,
-  deny /proc/sys/k[^e]*{,/**} wklx,
-  deny /proc/sys/ke[^r]*{,/**} wklx,
-  deny /proc/sys/ker[^n]*{,/**} wklx,
-  deny /proc/sys/kern[^e]*{,/**} wklx,
-  deny /proc/sys/kerne[^l]*{,/**} wklx,
-  deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
-  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
-  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
-  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
-  deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
-  deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
-  deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
-  deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
-  deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
-  deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
-  deny /proc/sys/kernel/domainname?*{,/**} wklx,
-  deny /proc/sys/kernel/h[^o]*{,/**} wklx,
-  deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
-  deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
-  deny /proc/sys/kernel/host[^n]*{,/**} wklx,
-  deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
-  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
-  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
-  deny /proc/sys/kernel/hostname?*{,/**} wklx,
-  deny /proc/sys/kernel/m[^s]*{,/**} wklx,
-  deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
-  deny /proc/sys/kernel/msg*/** wklx,
-  deny /proc/sys/kernel/s[^he]*{,/**} wklx,
-  deny /proc/sys/kernel/se[^m]*{,/**} wklx,
-  deny /proc/sys/kernel/sem*/** wklx,
-  deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
-  deny /proc/sys/kernel/shm*/** wklx,
-  deny /proc/sys/kernel?*{,/**} wklx,
-  deny /proc/sys/n[^e]*{,/**} wklx,
-  deny /proc/sys/ne[^t]*{,/**} wklx,
-  deny /proc/sys/net?*{,/**} wklx,
-  deny /sys/[^fdc]*{,/**} wklx,
-  deny /sys/c[^l]*{,/**} wklx,
-  deny /sys/cl[^a]*{,/**} wklx,
-  deny /sys/cla[^s]*{,/**} wklx,
-  deny /sys/clas[^s]*{,/**} wklx,
-  deny /sys/class/[^n]*{,/**} wklx,
-  deny /sys/class/n[^e]*{,/**} wklx,
-  deny /sys/class/ne[^t]*{,/**} wklx,
-  deny /sys/class/net?*{,/**} wklx,
-  deny /sys/class?*{,/**} wklx,
-  deny /sys/d[^e]*{,/**} wklx,
-  deny /sys/de[^v]*{,/**} wklx,
-  deny /sys/dev[^i]*{,/**} wklx,
-  deny /sys/devi[^c]*{,/**} wklx,
-  deny /sys/devic[^e]*{,/**} wklx,
-  deny /sys/device[^s]*{,/**} wklx,
-  deny /sys/devices/[^v]*{,/**} wklx,
-  deny /sys/devices/v[^i]*{,/**} wklx,
-  deny /sys/devices/vi[^r]*{,/**} wklx,
-  deny /sys/devices/vir[^t]*{,/**} wklx,
-  deny /sys/devices/virt[^u]*{,/**} wklx,
-  deny /sys/devices/virtu[^a]*{,/**} wklx,
-  deny /sys/devices/virtua[^l]*{,/**} wklx,
-  deny /sys/devices/virtual/[^n]*{,/**} wklx,
-  deny /sys/devices/virtual/n[^e]*{,/**} wklx,
-  deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
-  deny /sys/devices/virtual/net?*{,/**} wklx,
-  deny /sys/devices/virtual?*{,/**} wklx,
-  deny /sys/devices?*{,/**} wklx,
-  deny /sys/f[^s]*{,/**} wklx,
-  deny /sys/fs/[^c]*{,/**} wklx,
-  deny /sys/fs/c[^g]*{,/**} wklx,
-  deny /sys/fs/cg[^r]*{,/**} wklx,
-  deny /sys/fs/cgr[^o]*{,/**} wklx,
-  deny /sys/fs/cgro[^u]*{,/**} wklx,
-  deny /sys/fs/cgrou[^p]*{,/**} wklx,
-  deny /sys/fs/cgroup?*{,/**} wklx,
-  deny /sys/fs?*{,/**} wklx,
diff --git a/examples/apparmor/libvirt-lxc.in b/examples/apparmor/libvirt-lxc.in
new file mode 100644
index 0000000..4bfb503
--- /dev/null
+++ b/examples/apparmor/libvirt-lxc.in
@@ -0,0 +1,116 @@
+# Last Modified: Fri Feb  7 13:01:36 2014
+
+  #include <abstractions/base>
+
+  umount,
+
+  # ignore DENIED message on / remount
+  deny mount options=(ro, remount) -> /,
+
+  # allow tmpfs mounts everywhere
+  mount fstype=tmpfs,
+
+  # allow mqueue mounts everywhere
+  mount fstype=mqueue,
+
+  # allow fuse mounts everywhere
+  mount fstype=fuse.*,
+
+  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+  deny @{PROC}/sys/fs/** wklx,
+
+  # allow efivars to be mounted, writing to it will be blocked though
+  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+  # block some other dangerous paths
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kmem rwklx,
+
+  # deny writes in /sys except for /sys/fs/cgroup, also allow
+  # fusectl, securityfs and debugfs to be mounted there (read-only)
+  mount fstype=fusectl -> /sys/fs/fuse/connections/,
+  mount fstype=securityfs -> /sys/kernel/security/,
+  mount fstype=debugfs -> /sys/kernel/debug/,
+  mount fstype=proc -> /proc/,
+  mount fstype=sysfs -> /sys/,
+  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+
+  # generated by: lxc-generate-aa-rules.py container-rules.base
+  deny /proc/sys/[^kn]*{,/**} wklx,
+  deny /proc/sys/k[^e]*{,/**} wklx,
+  deny /proc/sys/ke[^r]*{,/**} wklx,
+  deny /proc/sys/ker[^n]*{,/**} wklx,
+  deny /proc/sys/kern[^e]*{,/**} wklx,
+  deny /proc/sys/kerne[^l]*{,/**} wklx,
+  deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
+  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+  deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
+  deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
+  deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
+  deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
+  deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
+  deny /proc/sys/kernel/domainname?*{,/**} wklx,
+  deny /proc/sys/kernel/h[^o]*{,/**} wklx,
+  deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
+  deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
+  deny /proc/sys/kernel/host[^n]*{,/**} wklx,
+  deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
+  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
+  deny /proc/sys/kernel/hostname?*{,/**} wklx,
+  deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+  deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+  deny /proc/sys/kernel/msg*/** wklx,
+  deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+  deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/sem*/** wklx,
+  deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
+  deny /proc/sys/kernel/shm*/** wklx,
+  deny /proc/sys/kernel?*{,/**} wklx,
+  deny /proc/sys/n[^e]*{,/**} wklx,
+  deny /proc/sys/ne[^t]*{,/**} wklx,
+  deny /proc/sys/net?*{,/**} wklx,
+  deny /sys/[^fdc]*{,/**} wklx,
+  deny /sys/c[^l]*{,/**} wklx,
+  deny /sys/cl[^a]*{,/**} wklx,
+  deny /sys/cla[^s]*{,/**} wklx,
+  deny /sys/clas[^s]*{,/**} wklx,
+  deny /sys/class/[^n]*{,/**} wklx,
+  deny /sys/class/n[^e]*{,/**} wklx,
+  deny /sys/class/ne[^t]*{,/**} wklx,
+  deny /sys/class/net?*{,/**} wklx,
+  deny /sys/class?*{,/**} wklx,
+  deny /sys/d[^e]*{,/**} wklx,
+  deny /sys/de[^v]*{,/**} wklx,
+  deny /sys/dev[^i]*{,/**} wklx,
+  deny /sys/devi[^c]*{,/**} wklx,
+  deny /sys/devic[^e]*{,/**} wklx,
+  deny /sys/device[^s]*{,/**} wklx,
+  deny /sys/devices/[^v]*{,/**} wklx,
+  deny /sys/devices/v[^i]*{,/**} wklx,
+  deny /sys/devices/vi[^r]*{,/**} wklx,
+  deny /sys/devices/vir[^t]*{,/**} wklx,
+  deny /sys/devices/virt[^u]*{,/**} wklx,
+  deny /sys/devices/virtu[^a]*{,/**} wklx,
+  deny /sys/devices/virtua[^l]*{,/**} wklx,
+  deny /sys/devices/virtual/[^n]*{,/**} wklx,
+  deny /sys/devices/virtual/n[^e]*{,/**} wklx,
+  deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
+  deny /sys/devices/virtual/net?*{,/**} wklx,
+  deny /sys/devices/virtual?*{,/**} wklx,
+  deny /sys/devices?*{,/**} wklx,
+  deny /sys/f[^s]*{,/**} wklx,
+  deny /sys/fs/[^c]*{,/**} wklx,
+  deny /sys/fs/c[^g]*{,/**} wklx,
+  deny /sys/fs/cg[^r]*{,/**} wklx,
+  deny /sys/fs/cgr[^o]*{,/**} wklx,
+  deny /sys/fs/cgro[^u]*{,/**} wklx,
+  deny /sys/fs/cgrou[^p]*{,/**} wklx,
+  deny /sys/fs/cgroup?*{,/**} wklx,
+  deny /sys/fs?*{,/**} wklx,
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
deleted file mode 100644
index c6de6dd..0000000
--- a/examples/apparmor/libvirt-qemu
+++ /dev/null
@@ -1,144 +0,0 @@
-# Last Modified: Wed Sep 3 21:52:03 2014
-
-  #include <abstractions/base>
-  #include <abstractions/consoles>
-  #include <abstractions/nameservice>
-
-  # required for reading disk images
-  capability dac_override,
-  capability dac_read_search,
-  capability chown,
-
-  # needed to drop privileges
-  capability setgid,
-  capability setuid,
-
-  network inet stream,
-  network inet6 stream,
-
-  /dev/net/tun rw,
-  /dev/kvm rw,
-  /dev/ptmx rw,
-  /dev/kqemu rw,
-  @{PROC}/*/status r,
-  @{PROC}/sys/kernel/cap_last_cap r,
-
-  # For hostdev access. The actual devices will be added dynamically
-  /sys/bus/usb/devices/ r,
-  /sys/devices/**/usb[0-9]*/** r,
-
-  # WARNING: this gives the guest direct access to host hardware and specific
-  # portions of shared memory. This is required for sound using ALSA with kvm,
-  # but may constitute a security risk. If your environment does not require
-  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
-  # the rules for files in /dev.
-  /{dev,run}/shm r,
-  /{dev,run}/shmpulse-shm* r,
-  /{dev,run}/shmpulse-shm* rwk,
-  /dev/snd/* rw,
-  capability ipc_lock,
-  # spice
-  owner /{dev,run}/shm/spice.* rw,
-  # 'kill' is not required for sound and is a security risk. Do not enable
-  # unless you absolutely need it.
-  deny capability kill,
-
-  # Uncomment the following if you need access to /dev/fb*
-  #/dev/fb* rw,
-
-  /etc/pulse/client.conf r,
-  @{HOME}/.pulse-cookie rwk,
-  owner /root/.pulse-cookie rwk,
-  owner /root/.pulse/ rw,
-  owner /root/.pulse/* rw,
-  /usr/share/alsa/** r,
-  owner /tmp/pulse-*/ rw,
-  owner /tmp/pulse-*/* rw,
-  /var/lib/dbus/machine-id r,
-
-  # access to firmware's etc
-  /usr/share/kvm/** r,
-  /usr/share/qemu/** r,
-  /usr/share/bochs/** r,
-  /usr/share/openbios/** r,
-  /usr/share/openhackware/** r,
-  /usr/share/proll/** r,
-  /usr/share/vgabios/** r,
-  /usr/share/seabios/** r,
-  /usr/share/ovmf/** r,
-
-  # access PKI infrastructure
-  /etc/pki/libvirt-vnc/** r,
-
-  # the various binaries
-  /usr/bin/kvm rmix,
-  /usr/bin/qemu rmix,
-  /usr/bin/qemu-system-arm rmix,
-  /usr/bin/qemu-system-cris rmix,
-  /usr/bin/qemu-system-i386 rmix,
-  /usr/bin/qemu-system-m68k rmix,
-  /usr/bin/qemu-system-microblaze rmix,
-  /usr/bin/qemu-system-microblazeel rmix,
-  /usr/bin/qemu-system-mips rmix,
-  /usr/bin/qemu-system-mips64 rmix,
-  /usr/bin/qemu-system-mips64el rmix,
-  /usr/bin/qemu-system-mipsel rmix,
-  /usr/bin/qemu-system-ppc rmix,
-  /usr/bin/qemu-system-ppc64 rmix,
-  /usr/bin/qemu-system-ppcemb rmix,
-  /usr/bin/qemu-system-sh4 rmix,
-  /usr/bin/qemu-system-sh4eb rmix,
-  /usr/bin/qemu-system-sparc rmix,
-  /usr/bin/qemu-system-sparc64 rmix,
-  /usr/bin/qemu-system-x86_64 rmix,
-  /usr/bin/qemu-alpha rmix,
-  /usr/bin/qemu-arm rmix,
-  /usr/bin/qemu-armeb rmix,
-  /usr/bin/qemu-cris rmix,
-  /usr/bin/qemu-i386 rmix,
-  /usr/bin/qemu-m68k rmix,
-  /usr/bin/qemu-microblaze rmix,
-  /usr/bin/qemu-microblazeel rmix,
-  /usr/bin/qemu-mips rmix,
-  /usr/bin/qemu-mipsel rmix,
-  /usr/bin/qemu-ppc rmix,
-  /usr/bin/qemu-ppc64 rmix,
-  /usr/bin/qemu-ppc64abi32 rmix,
-  /usr/bin/qemu-sh4 rmix,
-  /usr/bin/qemu-sh4eb rmix,
-  /usr/bin/qemu-sparc rmix,
-  /usr/bin/qemu-sparc64 rmix,
-  /usr/bin/qemu-sparc32plus rmix,
-  /usr/bin/qemu-sparc64 rmix,
-  /usr/bin/qemu-x86_64 rmix,
-  /usr/lib/qemu/block-curl.so mr,
-
-  # for save and resume
-  /bin/dash rmix,
-  /bin/dd rmix,
-  /bin/cat rmix,
-
-  # for usb access
-  /dev/bus/usb/ r,
-  /etc/udev/udev.conf r,
-  /sys/bus/ r,
-  /sys/class/ r,
-
-  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
-  # child profile for bridge helper process
-  profile qemu_bridge_helper {
-   #include <abstractions/base>
-
-   capability setuid,
-   capability setgid,
-   capability setpcap,
-   capability net_admin,
-
-   network inet stream,
-
-   /dev/net/tun rw,
-   /etc/qemu/** r,
-   owner @{PROC}/*/status r,
-
-   /usr/{lib,libexec}/qemu-bridge-helper rmix,
-  }
diff --git a/examples/apparmor/libvirt-qemu.in b/examples/apparmor/libvirt-qemu.in
new file mode 100644
index 0000000..c6de6dd
--- /dev/null
+++ b/examples/apparmor/libvirt-qemu.in
@@ -0,0 +1,144 @@
+# Last Modified: Wed Sep 3 21:52:03 2014
+
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+
+  # required for reading disk images
+  capability dac_override,
+  capability dac_read_search,
+  capability chown,
+
+  # needed to drop privileges
+  capability setgid,
+  capability setuid,
+
+  network inet stream,
+  network inet6 stream,
+
+  /dev/net/tun rw,
+  /dev/kvm rw,
+  /dev/ptmx rw,
+  /dev/kqemu rw,
+  @{PROC}/*/status r,
+  @{PROC}/sys/kernel/cap_last_cap r,
+
+  # For hostdev access. The actual devices will be added dynamically
+  /sys/bus/usb/devices/ r,
+  /sys/devices/**/usb[0-9]*/** r,
+
+  # WARNING: this gives the guest direct access to host hardware and specific
+  # portions of shared memory. This is required for sound using ALSA with kvm,
+  # but may constitute a security risk. If your environment does not require
+  # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+  # the rules for files in /dev.
+  /{dev,run}/shm r,
+  /{dev,run}/shmpulse-shm* r,
+  /{dev,run}/shmpulse-shm* rwk,
+  /dev/snd/* rw,
+  capability ipc_lock,
+  # spice
+  owner /{dev,run}/shm/spice.* rw,
+  # 'kill' is not required for sound and is a security risk. Do not enable
+  # unless you absolutely need it.
+  deny capability kill,
+
+  # Uncomment the following if you need access to /dev/fb*
+  #/dev/fb* rw,
+
+  /etc/pulse/client.conf r,
+  @{HOME}/.pulse-cookie rwk,
+  owner /root/.pulse-cookie rwk,
+  owner /root/.pulse/ rw,
+  owner /root/.pulse/* rw,
+  /usr/share/alsa/** r,
+  owner /tmp/pulse-*/ rw,
+  owner /tmp/pulse-*/* rw,
+  /var/lib/dbus/machine-id r,
+
+  # access to firmware's etc
+  /usr/share/kvm/** r,
+  /usr/share/qemu/** r,
+  /usr/share/bochs/** r,
+  /usr/share/openbios/** r,
+  /usr/share/openhackware/** r,
+  /usr/share/proll/** r,
+  /usr/share/vgabios/** r,
+  /usr/share/seabios/** r,
+  /usr/share/ovmf/** r,
+
+  # access PKI infrastructure
+  /etc/pki/libvirt-vnc/** r,
+
+  # the various binaries
+  /usr/bin/kvm rmix,
+  /usr/bin/qemu rmix,
+  /usr/bin/qemu-system-arm rmix,
+  /usr/bin/qemu-system-cris rmix,
+  /usr/bin/qemu-system-i386 rmix,
+  /usr/bin/qemu-system-m68k rmix,
+  /usr/bin/qemu-system-microblaze rmix,
+  /usr/bin/qemu-system-microblazeel rmix,
+  /usr/bin/qemu-system-mips rmix,
+  /usr/bin/qemu-system-mips64 rmix,
+  /usr/bin/qemu-system-mips64el rmix,
+  /usr/bin/qemu-system-mipsel rmix,
+  /usr/bin/qemu-system-ppc rmix,
+  /usr/bin/qemu-system-ppc64 rmix,
+  /usr/bin/qemu-system-ppcemb rmix,
+  /usr/bin/qemu-system-sh4 rmix,
+  /usr/bin/qemu-system-sh4eb rmix,
+  /usr/bin/qemu-system-sparc rmix,
+  /usr/bin/qemu-system-sparc64 rmix,
+  /usr/bin/qemu-system-x86_64 rmix,
+  /usr/bin/qemu-alpha rmix,
+  /usr/bin/qemu-arm rmix,
+  /usr/bin/qemu-armeb rmix,
+  /usr/bin/qemu-cris rmix,
+  /usr/bin/qemu-i386 rmix,
+  /usr/bin/qemu-m68k rmix,
+  /usr/bin/qemu-microblaze rmix,
+  /usr/bin/qemu-microblazeel rmix,
+  /usr/bin/qemu-mips rmix,
+  /usr/bin/qemu-mipsel rmix,
+  /usr/bin/qemu-ppc rmix,
+  /usr/bin/qemu-ppc64 rmix,
+  /usr/bin/qemu-ppc64abi32 rmix,
+  /usr/bin/qemu-sh4 rmix,
+  /usr/bin/qemu-sh4eb rmix,
+  /usr/bin/qemu-sparc rmix,
+  /usr/bin/qemu-sparc64 rmix,
+  /usr/bin/qemu-sparc32plus rmix,
+  /usr/bin/qemu-sparc64 rmix,
+  /usr/bin/qemu-x86_64 rmix,
+  /usr/lib/qemu/block-curl.so mr,
+
+  # for save and resume
+  /bin/dash rmix,
+  /bin/dd rmix,
+  /bin/cat rmix,
+
+  # for usb access
+  /dev/bus/usb/ r,
+  /etc/udev/udev.conf r,
+  /sys/bus/ r,
+  /sys/class/ r,
+
+  /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+  # child profile for bridge helper process
+  profile qemu_bridge_helper {
+   #include <abstractions/base>
+
+   capability setuid,
+   capability setgid,
+   capability setpcap,
+   capability net_admin,
+
+   network inet stream,
+
+   /dev/net/tun rw,
+   /etc/qemu/** r,
+   owner @{PROC}/*/status r,
+
+   /usr/{lib,libexec}/qemu-bridge-helper rmix,
+  }
diff --git a/examples/apparmor/profile-preprocess b/examples/apparmor/profile-preprocess
new file mode 100755
index 0000000..684958a
--- /dev/null
+++ b/examples/apparmor/profile-preprocess
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+PROFILES_VERSION=$(
+	awk '$1=="#define" && $2=="APPARMOR_VERSION_NUMBER"{
+		print $3
+	}' ../../config.h)
+
+awk -vVERSION=$PROFILES_VERSION '
+$1 == "@@ifge" {
+	if (VERSION < $2)
+		skip=1
+	next
+}
+$1 == "@@end"{
+	skip=0
+	next
+}
+!skip{
+	print
+}
+' $1
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
deleted file mode 100644
index bceaaff..0000000
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+++ /dev/null
@@ -1,48 +0,0 @@
-# Last Modified: Mon Apr  5 15:10:27 2010
-#include <tunables/global>
-
-/usr/lib/libvirt/virt-aa-helper {
-  #include <abstractions/base>
-
-  # needed for searching directories
-  capability dac_override,
-  capability dac_read_search,
-
-  # needed for when disk is on a network filesystem
-  network inet,
-
-  deny @{PROC}/[0-9]*/mounts r,
-  @{PROC}/[0-9]*/net/psched r,
-  owner @{PROC}/[0-9]*/status r,
-  @{PROC}/filesystems r,
-
-  # for hostdev
-  /sys/devices/ r,
-  /sys/devices/** r,
-
-  /usr/lib/libvirt/virt-aa-helper mr,
-  /sbin/apparmor_parser Ux,
-
-  /etc/apparmor.d/libvirt/* r,
-  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
-
-  # for backingstore -- allow access to non-hidden files in @{HOME} as well
-  # as storage pools
-  audit deny @{HOME}/.* mrwkl,
-  audit deny @{HOME}/.*/ rw,
-  audit deny @{HOME}/.*/** mrwkl,
-  audit deny @{HOME}/bin/ rw,
-  audit deny @{HOME}/bin/** mrwkl,
-  @{HOME}/ r,
-  @{HOME}/** r,
-  /var/lib/libvirt/images/ r,
-  /var/lib/libvirt/images/** r,
-  /{media,mnt,opt,srv}/** r,
-
-  /**.img r,
-  /**.qcow{,2} r,
-  /**.qed r,
-  /**.vmdk r,
-  /**.[iI][sS][oO] r,
-  /**/disk{,.*} r,
-}
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
new file mode 100644
index 0000000..bceaaff
--- /dev/null
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -0,0 +1,48 @@
+# Last Modified: Mon Apr  5 15:10:27 2010
+#include <tunables/global>
+
+/usr/lib/libvirt/virt-aa-helper {
+  #include <abstractions/base>
+
+  # needed for searching directories
+  capability dac_override,
+  capability dac_read_search,
+
+  # needed for when disk is on a network filesystem
+  network inet,
+
+  deny @{PROC}/[0-9]*/mounts r,
+  @{PROC}/[0-9]*/net/psched r,
+  owner @{PROC}/[0-9]*/status r,
+  @{PROC}/filesystems r,
+
+  # for hostdev
+  /sys/devices/ r,
+  /sys/devices/** r,
+
+  /usr/lib/libvirt/virt-aa-helper mr,
+  /sbin/apparmor_parser Ux,
+
+  /etc/apparmor.d/libvirt/* r,
+  /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+  # for backingstore -- allow access to non-hidden files in @{HOME} as well
+  # as storage pools
+  audit deny @{HOME}/.* mrwkl,
+  audit deny @{HOME}/.*/ rw,
+  audit deny @{HOME}/.*/** mrwkl,
+  audit deny @{HOME}/bin/ rw,
+  audit deny @{HOME}/bin/** mrwkl,
+  @{HOME}/ r,
+  @{HOME}/** r,
+  /var/lib/libvirt/images/ r,
+  /var/lib/libvirt/images/** r,
+  /{media,mnt,opt,srv}/** r,
+
+  /**.img r,
+  /**.qcow{,2} r,
+  /**.qed r,
+  /**.vmdk r,
+  /**.[iI][sS][oO] r,
+  /**/disk{,.*} r,
+}
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
deleted file mode 100644
index 3011eff..0000000
--- a/examples/apparmor/usr.sbin.libvirtd
+++ /dev/null
@@ -1,63 +0,0 @@
-# Last Modified: Mon Apr  5 15:03:58 2010
-#include <tunables/global>
-@{LIBVIRT}="libvirt"
-
-/usr/sbin/libvirtd {
-  #include <abstractions/base>
-  #include <abstractions/dbus>
-
-  capability kill,
-  capability net_admin,
-  capability net_raw,
-  capability setgid,
-  capability sys_admin,
-  capability sys_module,
-  capability sys_ptrace,
-  capability sys_nice,
-  capability sys_chroot,
-  capability setuid,
-  capability dac_override,
-  capability dac_read_search,
-  capability fowner,
-  capability chown,
-  capability setpcap,
-  capability mknod,
-  capability fsetid,
-  capability audit_write,
-
-  # Needed for vfio
-  capability sys_resource,
-
-  network inet stream,
-  network inet dgram,
-  network inet6 stream,
-  network inet6 dgram,
-  network packet dgram,
-
-  # Very lenient profile for libvirtd since we want to first focus on confining
-  # the guests. Guests will have a very restricted profile.
-  / r,
-  /** rwmkl,
-
-  /bin/* PUx,
-  /sbin/* PUx,
-  /usr/bin/* PUx,
-  /usr/sbin/* PUx,
-  /lib/udev/scsi_id PUx,
-  /usr/lib/xen-common/bin/xen-toolstack PUx,
-
-  # force the use of virt-aa-helper
-  audit deny /sbin/apparmor_parser rwxl,
-  audit deny /etc/apparmor.d/libvirt/** wxl,
-  audit deny /sys/kernel/security/apparmor/features rwxl,
-  audit deny /sys/kernel/security/apparmor/matching rwxl,
-  audit deny /sys/kernel/security/apparmor/.* rwxl,
-  /sys/kernel/security/apparmor/profiles r,
-  /usr/lib/libvirt/* PUxr,
-  /etc/libvirt/hooks/** rmix,
-  /etc/xen/scripts/** rmix,
-
-  # allow changing to our UUID-based named profiles
-  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
-
-}
diff --git a/examples/apparmor/usr.sbin.libvirtd.in b/examples/apparmor/usr.sbin.libvirtd.in
new file mode 100644
index 0000000..3011eff
--- /dev/null
+++ b/examples/apparmor/usr.sbin.libvirtd.in
@@ -0,0 +1,63 @@
+# Last Modified: Mon Apr  5 15:03:58 2010
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd {
+  #include <abstractions/base>
+  #include <abstractions/dbus>
+
+  capability kill,
+  capability net_admin,
+  capability net_raw,
+  capability setgid,
+  capability sys_admin,
+  capability sys_module,
+  capability sys_ptrace,
+  capability sys_nice,
+  capability sys_chroot,
+  capability setuid,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability chown,
+  capability setpcap,
+  capability mknod,
+  capability fsetid,
+  capability audit_write,
+
+  # Needed for vfio
+  capability sys_resource,
+
+  network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
+  network packet dgram,
+
+  # Very lenient profile for libvirtd since we want to first focus on confining
+  # the guests. Guests will have a very restricted profile.
+  / r,
+  /** rwmkl,
+
+  /bin/* PUx,
+  /sbin/* PUx,
+  /usr/bin/* PUx,
+  /usr/sbin/* PUx,
+  /lib/udev/scsi_id PUx,
+  /usr/lib/xen-common/bin/xen-toolstack PUx,
+
+  # force the use of virt-aa-helper
+  audit deny /sbin/apparmor_parser rwxl,
+  audit deny /etc/apparmor.d/libvirt/** wxl,
+  audit deny /sys/kernel/security/apparmor/features rwxl,
+  audit deny /sys/kernel/security/apparmor/matching rwxl,
+  audit deny /sys/kernel/security/apparmor/.* rwxl,
+  /sys/kernel/security/apparmor/profiles r,
+  /usr/lib/libvirt/* PUxr,
+  /etc/libvirt/hooks/** rmix,
+  /etc/xen/scripts/** rmix,
+
+  # allow changing to our UUID-based named profiles
+  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+}
-- 
1.9.1

From 6692398fca733e61a4b788d800594ef06de19631 Mon Sep 17 00:00:00 2001
From: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
Date: Mon, 13 Oct 2014 11:43:26 +0200
Subject: [PATCH 2/2] examples/apparmor: Update profiles with Ubuntu delta

Merge back the delta Ubuntu carries. Rules for features only available
in newer versions of apparmor are wrapped by the new version markers.

Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
---
 examples/apparmor/Makefile.am                      | 15 ++++++++++-
 examples/apparmor/libvirt-lxc.in                   | 17 +++++++++++-
 examples/apparmor/libvirt-qemu.in                  | 31 +++++++++++++++++++++-
 examples/apparmor/local-usr.sbin.libvirtd.in       |  2 ++
 .../apparmor/usr.lib.libvirt.virt-aa-helper.in     | 25 ++++++++++++++---
 examples/apparmor/usr.sbin.libvirtd.in             | 19 ++++++++++++-
 6 files changed, 102 insertions(+), 7 deletions(-)
 create mode 100644 examples/apparmor/local-usr.sbin.libvirtd.in

diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am
index 8d301da..d57e78e 100644
--- a/examples/apparmor/Makefile.am
+++ b/examples/apparmor/Makefile.am
@@ -22,6 +22,7 @@ EXTRA_DIST=				\
 	libvirt-qemu			\
 	libvirt-lxc 			\
 	usr.lib.libvirt.virt-aa-helper	\
+	local-usr.sbin.libvirtd		\
 	usr.sbin.libvirtd
 
 if WITH_APPARMOR_PROFILES
@@ -31,6 +32,15 @@ apparmor_DATA = \
 	usr.sbin.libvirtd \
 	$(NULL)
 
+localdir = $(apparmordir)/local
+local_DATA = \
+	local-usr.sbin.libvirtd \
+	$(NULL)
+
+install-data-hook:
+	mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \
+	   $(DESTDIR)$(localdir)/usr.sbin.libvirtd
+
 abstractionsdir = $(apparmordir)/abstractions
 abstractions_DATA = \
 	libvirt-qemu \
@@ -55,7 +65,10 @@ usr.lib.libvirt.virt-aa-helper:	$(srcdir)/usr.lib.libvirt.virt-aa-helper.in \
 usr.sbin.libvirtd:	$(srcdir)/usr.sbin.libvirtd.in \
 			$(srcdir)/profile-preprocess ../../config.h
 	$(srcdir)/profile-preprocess $< >$@
+local-usr.sbin.libvirtd:	$(srcdir)/local-usr.sbin.libvirtd.in \
+				$(srcdir)/profile-preprocess ../../config.h
+	$(srcdir)/profile-preprocess $< >$@
 
 CLEANFILES += libvirt-lxc libvirt-qemu usr.lib.libvirt.virt-aa-helper
-CLEANFILES += usr.sbin.libvirtd
+CLEANFILES += usr.sbin.libvirtd local-usr.sbin.libvirtd
 endif WITH_APPARMOR_PROFILES
diff --git a/examples/apparmor/libvirt-lxc.in b/examples/apparmor/libvirt-lxc.in
index 4bfb503..ea226e9 100644
--- a/examples/apparmor/libvirt-lxc.in
+++ b/examples/apparmor/libvirt-lxc.in
@@ -1,12 +1,20 @@
-# Last Modified: Fri Feb  7 13:01:36 2014
+# Last Modified: Thu, 18 Sep 2014 13:56:49 +0200
 
   #include <abstractions/base>
 
   umount,
+@@ifge 2009
+  dbus,
+  signal,
+  ptrace,
+@end
 
   # ignore DENIED message on / remount
   deny mount options=(ro, remount) -> /,
 
+  # support use of cgmanager proxy
+  mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
+
   # allow tmpfs mounts everywhere
   mount fstype=tmpfs,
 
@@ -33,8 +41,15 @@
   mount fstype=fusectl -> /sys/fs/fuse/connections/,
   mount fstype=securityfs -> /sys/kernel/security/,
   mount fstype=debugfs -> /sys/kernel/debug/,
+  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
   mount fstype=proc -> /proc/,
   mount fstype=sysfs -> /sys/,
+
+  mount options=(rw nosuid nodev noexec remount) -> /sys/,
+  mount options=(rw remount) -> /sys/kernel/security/,
+  mount options=(rw remount) -> /sys/fs/pstore/,
+  mount options=(ro remount) -> /sys/fs/pstore/,
+
   deny /sys/firmware/efi/efivars/** rwklx,
   deny /sys/kernel/security/** rwklx,
 
diff --git a/examples/apparmor/libvirt-qemu.in b/examples/apparmor/libvirt-qemu.in
index c6de6dd..b69e64c 100644
--- a/examples/apparmor/libvirt-qemu.in
+++ b/examples/apparmor/libvirt-qemu.in
@@ -1,4 +1,4 @@
-# Last Modified: Wed Sep 3 21:52:03 2014
+# Last Modified: Thu, 18 Sep 2014 16:41:21 +0200
 
   #include <abstractions/base>
   #include <abstractions/consoles>
@@ -13,15 +13,22 @@
   capability setgid,
   capability setuid,
 
+  # this is needed with libcap-ng support, however it breaks a lot of things
+  # atm, so just silence the denial until libcap-ng works right. LP: #522845
+  deny capability setpcap,
+
   network inet stream,
   network inet6 stream,
 
   /dev/net/tun rw,
+  /dev/tap* rw,
   /dev/kvm rw,
   /dev/ptmx rw,
   /dev/kqemu rw,
   @{PROC}/*/status r,
   @{PROC}/sys/kernel/cap_last_cap r,
+  owner @{PROC}/*/auxv r,
+  @{PROC}/sys/vm/overcommit_memory r,
 
   # For hostdev access. The actual devices will be added dynamically
   /sys/bus/usb/devices/ r,
@@ -38,6 +45,9 @@
   /dev/snd/* rw,
   capability ipc_lock,
   # spice
+  /usr/bin/qemu-system-i386-spice rmix,
+  /usr/bin/qemu-system-x86_64-spice rmix,
+  /{dev,run}/shm/ r,
   owner /{dev,run}/shm/spice.* rw,
   # 'kill' is not required for sound and is a security risk. Do not enable
   # unless you absolutely need it.
@@ -73,6 +83,7 @@
   # the various binaries
   /usr/bin/kvm rmix,
   /usr/bin/qemu rmix,
+  /usr/bin/qemu-system-aarch64 rmix,
   /usr/bin/qemu-system-arm rmix,
   /usr/bin/qemu-system-cris rmix,
   /usr/bin/qemu-system-i386 rmix,
@@ -91,6 +102,7 @@
   /usr/bin/qemu-system-sparc rmix,
   /usr/bin/qemu-system-sparc64 rmix,
   /usr/bin/qemu-system-x86_64 rmix,
+  /usr/bin/qemu-system-x86_64-spice rmix,
   /usr/bin/qemu-alpha rmix,
   /usr/bin/qemu-arm rmix,
   /usr/bin/qemu-armeb rmix,
@@ -117,6 +129,16 @@
   /bin/dash rmix,
   /bin/dd rmix,
   /bin/cat rmix,
+  /etc/pki/CA/ r,
+  /etc/pki/CA/* r,
+  /etc/pki/libvirt/ r,
+  /etc/pki/libvirt/** r,
+
+  # for rbd
+  /etc/ceph/ceph.conf r,
+
+  # for access to hugepages
+  owner "/run/hugepages/kvm/libvirt/qemu/**" rw,
 
   # for usb access
   /dev/bus/usb/ r,
@@ -124,6 +146,13 @@
   /sys/bus/ r,
   /sys/class/ r,
 
+  signal (receive) peer=/usr/sbin/libvirtd,
+  ptrace (tracedby) peer=/usr/sbin/libvirtd,
+
+  # for ppc device-tree access
+  @{PROC}/device-tree/ r,
+  @{PROC}/device-tree/** r,
+
   /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
   # child profile for bridge helper process
   profile qemu_bridge_helper {
diff --git a/examples/apparmor/local-usr.sbin.libvirtd.in b/examples/apparmor/local-usr.sbin.libvirtd.in
new file mode 100644
index 0000000..6e19f20
--- /dev/null
+++ b/examples/apparmor/local-usr.sbin.libvirtd.in
@@ -0,0 +1,2 @@
+# Site-specific additions and overrides for usr.sbin.libvirtd.
+# For more details, please see /etc/apparmor.d/local/README.
diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
index bceaaff..4df86b0 100644
--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -1,8 +1,9 @@
-# Last Modified: Mon Apr  5 15:10:27 2010
+# Last Modified: Thu, 18 Sep 2014 14:05:36 +0200
 #include <tunables/global>
 
 /usr/lib/libvirt/virt-aa-helper {
   #include <abstractions/base>
+  #include <abstractions/user-tmp>
 
   # needed for searching directories
   capability dac_override,
@@ -19,6 +20,12 @@
   # for hostdev
   /sys/devices/ r,
   /sys/devices/** r,
+  /sys/bus/usb/devices/ r,
+  /sys/bus/usb/devices/** r,
+  deny /dev/sd* r,
+  deny /dev/dm-* r,
+  deny /dev/mapper/ r,
+  deny /dev/mapper/* r,
 
   /usr/lib/libvirt/virt-aa-helper mr,
   /sbin/apparmor_parser Ux,
@@ -26,8 +33,11 @@
   /etc/apparmor.d/libvirt/* r,
   /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
 
-  # for backingstore -- allow access to non-hidden files in @{HOME} as well
-  # as storage pools
+  # For backingstore, virt-aa-helper needs to peek inside the disk image, so
+  # allow access to non-hidden files in @{HOME} as well as storage pools, and
+  # removable media and filesystems, and certain file extentions. A
+  # virt-aa-helper failure when checking a disk for backinsgstore is non-fatal
+  # (but obviously the backingstore won't be added).
   audit deny @{HOME}/.* mrwkl,
   audit deny @{HOME}/.*/ rw,
   audit deny @{HOME}/.*/** mrwkl,
@@ -35,8 +45,17 @@
   audit deny @{HOME}/bin/** mrwkl,
   @{HOME}/ r,
   @{HOME}/** r,
+  @{HOME}/.Private/** mrwlk,
+  @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk,
+
   /var/lib/libvirt/images/ r,
   /var/lib/libvirt/images/** r,
+  /var/lib/nova/images/** r,
+  /var/lib/nova/instances/_base/** r,
+  /var/lib/nova/instances/snapshots/** r,
+  /var/lib/eucalyptus/instances/**/disk* r,
+  /var/lib/eucalyptus/instances/**/loader* r,
+  /var/lib/uvtool/libvirt/images/** r,
   /{media,mnt,opt,srv}/** r,
 
   /**.img r,
diff --git a/examples/apparmor/usr.sbin.libvirtd.in b/examples/apparmor/usr.sbin.libvirtd.in
index 3011eff..a489760 100644
--- a/examples/apparmor/usr.sbin.libvirtd.in
+++ b/examples/apparmor/usr.sbin.libvirtd.in
@@ -1,10 +1,12 @@
-# Last Modified: Mon Apr  5 15:03:58 2010
+# Last Modified: Tue, 23 Sep 2014 09:28:07 +0200
 #include <tunables/global>
 @{LIBVIRT}="libvirt"
 
 /usr/sbin/libvirtd {
   #include <abstractions/base>
   #include <abstractions/dbus>
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.libvirtd>
 
   capability kill,
   capability net_admin,
@@ -23,6 +25,7 @@
   capability setpcap,
   capability mknod,
   capability fsetid,
+  capability ipc_lock,
   capability audit_write,
 
   # Needed for vfio
@@ -33,6 +36,14 @@
   network inet6 stream,
   network inet6 dgram,
   network packet dgram,
+  network netlink,
+
+@@ifge 2009
+  dbus bus=system,
+  signal,
+  ptrace,
+  unix,
+@@end
 
   # Very lenient profile for libvirtd since we want to first focus on confining
   # the guests. Guests will have a very restricted profile.
@@ -45,6 +56,12 @@
   /usr/sbin/* PUx,
   /lib/udev/scsi_id PUx,
   /usr/lib/xen-common/bin/xen-toolstack PUx,
+  /usr/lib/xen-*/bin/pygrub PUx,
+  /usr/lib/xen-*/bin/libxl-save-helper PUx,
+
+  # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+  # write and run an ebtables script.
+  /var/lib/libvirt/virtd* ixr,
 
   # force the use of virt-aa-helper
   audit deny /sbin/apparmor_parser rwxl,
-- 
1.9.1

Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]