On 20.10.2014 12:48, Stefan Bader wrote:
> On 19.10.2014 17:07, intrigeri wrote:
>> Hi Stefan,
>>
>> Stefan Bader wrote (19 Oct 2014 11:07:40 GMT) :
>>> Yeah, I actually did but it felt a bit hackish but then I am told anything looks
>>> a bit hackish when it involves autoconf. These are again against upstream
>>> libvirt mostly because the last touch timestamps always clash otherwise.
>>
>> Cool, I've tested this. I've imported these two patches in Debian's
>> 1.2.9-3 quilt series, made the build system use dh-autoreconf (the
>> build system in the tarball wants aclocal 1.13, while Debian sid has
>> 1.14), and added a build-dep on libapparmor-dev to get the needed
>> pkg-config file.
>>
>> Attempting to build the resulting source package in a clean sid chroot
>> fails here:
>>
>> Making all in examples/apparmor
>> make[3]: Entering directory '/tmp/buildd/libvirt-1.2.9/debian/build/examples/apparmor'
>> make[3]: Circular ../../config.h <- ../../config.h dependency dropped.
>> ./profile-preprocess ../../../../examples/apparmor/libvirt-qemu.in >libvirt-qemu
>> ./profile-preprocess ../../../../examples/apparmor/libvirt-lxc.in >libvirt-lxc
>> ./profile-preprocess ../../../../examples/apparmor/usr.lib.libvirt.virt-aa-helper.in >usr.lib.libvirt.virt-aa-helper
>> ./profile-preprocess ../../../../examples/apparmor/usr.sbin.libvirtd.in >usr.sbin.libvirtd
>> make[3]: *** No rule to make target 'local-usr.sbin.libvirtd', needed by 'all-am'. Stop.
>> make[3]: *** Waiting for unfinished jobs....
>> /bin/bash: ./profile-preprocess: No such file or directory
>> /bin/bash: ./profile-preprocess: No such file or directory
>> Makefile:2068: recipe for target 'libvirt-qemu' failed
>> make[3]: *** [libvirt-qemu] Error 127
>> Makefile:2068: recipe for target 'libvirt-lxc' failed
>> make[3]: *** [libvirt-lxc] Error 127
>> /bin/bash: ./profile-preprocess: No such file or directory
>> /bin/bash: ./profile-preprocess: No such file or directory
>> Makefile:2068: recipe for target 'usr.lib.libvirt.virt-aa-helper' failed
>> make[3]: *** [usr.lib.libvirt.virt-aa-helper] Error 127
>> Makefile:2068: recipe for target 'usr.sbin.libvirtd' failed
>> make[3]: *** [usr.sbin.libvirtd] Error 127
>> make[3]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build/examples/apparmor'
>> Makefile:1979: recipe for target 'all-recursive' failed
>> make[2]: *** [all-recursive] Error 1
>> make[2]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
>> Makefile:1877: recipe for target 'all' failed
>> make[1]: *** [all] Error 2
>> make[1]: Leaving directory '/tmp/buildd/libvirt-1.2.9/debian/build'
>> dh_auto_build: make -j5 returned exit code 2
>> debian/rules:126: recipe for target 'build' failed
>> make: *** [build] Error 2
>>
>> Any hint?
>
> Hm, partially this sounds like the preprocess script is not where it should be
> and the other part looks like not finding any local-usr-sbin. Could likely be
> that I need to do something better to make things work in place (as the upstream
> libvirt instructions suggest) as well as with separate object tree (as it is in
> Debian). I also saw something about circular dependency on config.h which
> probably slipped my attention. For most of the problems I guess adding something
> like $(srcdir) (need to look what this would be actually called) to the
> pre-process script's path as well as to the .in files..

Turns out that this first attempt was not too good at all. First it does not help
to mis-name the new local .in file. Then, using the wildcard form actually causes
many more files to be touched than intended (the circular reference hinted that).
Lastly I found it might be good to also do something about cleanup. Hope this
version works better in general.

-Stefan
From 3715e3a3aa29543e38afc6ec97296866b2977e11 Mon Sep 17 00:00:00 2001 From: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> Date: Mon, 13 Oct 2014 11:31:59 +0200 Subject: [PATCH 1/2] examples/apparmor: Add ability to add versioned features Adds APPARMOR_VERSION_NUMBER to config.h which by default is set to the apparmor library version (<major>*1000+<minor>). It can be overridden by the distro by supplying --with-apparmor-profiles-version=<version>. Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> --- configure.ac | 22 ++++ examples/apparmor/Makefile.am | 18 +++ examples/apparmor/libvirt-lxc | 116 ----------------- examples/apparmor/libvirt-lxc.in | 116 +++++++++++++++++ examples/apparmor/libvirt-qemu | 144 --------------------- examples/apparmor/libvirt-qemu.in | 144 +++++++++++++++++++++ examples/apparmor/profile-preprocess | 21 +++ examples/apparmor/usr.lib.libvirt.virt-aa-helper | 48 ------- .../apparmor/usr.lib.libvirt.virt-aa-helper.in | 48 +++++++ examples/apparmor/usr.sbin.libvirtd | 63 --------- examples/apparmor/usr.sbin.libvirtd.in | 63 +++++++++ 11 files changed, 432 insertions(+), 371 deletions(-) delete mode 100644 examples/apparmor/libvirt-lxc create mode 100644 examples/apparmor/libvirt-lxc.in delete mode 100644 examples/apparmor/libvirt-qemu create mode 100644 examples/apparmor/libvirt-qemu.in create mode 100755 examples/apparmor/profile-preprocess delete mode 100644 examples/apparmor/usr.lib.libvirt.virt-aa-helper create mode 100644 examples/apparmor/usr.lib.libvirt.virt-aa-helper.in delete mode 100644 examples/apparmor/usr.sbin.libvirtd create mode 100644 examples/apparmor/usr.sbin.libvirtd.in diff --git a/configure.ac b/configure.ac index f7b02ff..42cf073 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1490,6 +1490,28 @@ if test "$with_apparmor" = "no"; then fi AM_CONDITIONAL([WITH_APPARMOR_PROFILES], [test "$with_apparmor_profiles" != "no"]) +AC_ARG_WITH([apparmor-profiles-version], + [AS_HELP_STRING([--with-apparmor-profiles-version], + [install apparmor profiles for apparmor version @<:@default=check@:>@])], + [], + [with_apparmor_profiles_version=check]) +if test "$with_apparmor_profiles" = "no"; then + with_apparmor_profiles_version="no" +fi +if test "$with_apparmor_profiles_version" = "check"; then + APPARMOR_VERSION=`pkg-config --modversion libapparmor|cut -d. -f1-2` +elif test "$with_apparmor_profiles_version" != "no"; then + APPARMOR_VERSION=$withval +fi +if test "$with_apparmor_profiles_version" != "no"; then + APPARMOR_MAJOR_VERSION=`echo $APPARMOR_VERSION|cut -d. -f1` + APPARMOR_MINOR_VERSION=`echo $APPARMOR_VERSION|cut -d. -f2` + APPARMOR_VERSION_NUMBER=`expr $APPARMOR_MAJOR_VERSION \* 1000 + $APPARMOR_MINOR_VERSION` + AC_DEFINE_UNQUOTED([APPARMOR_VERSION_NUMBER], + $APPARMOR_VERSION_NUMBER, + [Version number of apparmor library (for profile features)]) +fi + dnl DTrace static probes AC_ARG_WITH([dtrace], [AS_HELP_STRING([--with-dtrace], diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am index 7a20e16..8d301da 100644 --- a/examples/apparmor/Makefile.am +++ b/examples/apparmor/Makefile.am @@ -14,6 +14,8 @@ ## License along with this library. If not, see ## <http://www.gnu.org/licenses/>. +CLEANFILES= + EXTRA_DIST= \ TEMPLATE.qemu \ TEMPLATE.lxc \ 
@@ -40,4 +42,20 @@ templates_DATA = \ TEMPLATE.qemu \ TEMPLATE.lxc \ $(NULL) + +libvirt-lxc: $(srcdir)/libvirt-lxc.in $(srcdir)/profile-preprocess \ + ../../config.h + $(srcdir)/profile-preprocess $< >$@ +libvirt-qemu: $(srcdir)/libvirt-qemu.in $(srcdir)/profile-preprocess \ + ../../config.h + $(srcdir)/profile-preprocess $< >$@ +usr.lib.libvirt.virt-aa-helper: $(srcdir)/usr.lib.libvirt.virt-aa-helper.in \ + $(srcdir)/profile-preprocess ../../config.h + $(srcdir)/profile-preprocess $< >$@ +usr.sbin.libvirtd: $(srcdir)/usr.sbin.libvirtd.in \ + $(srcdir)/profile-preprocess ../../config.h + $(srcdir)/profile-preprocess $< >$@ + +CLEANFILES += libvirt-lxc libvirt-qemu usr.lib.libvirt.virt-aa-helper +CLEANFILES += usr.sbin.libvirtd endif WITH_APPARMOR_PROFILES diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc deleted file mode 100644 index 4bfb503..0000000 --- a/examples/apparmor/libvirt-lxc +++ /dev/null 
@@ -1,116 +0,0 @@ -# Last Modified: Fri Feb 7 13:01:36 2014 - - #include <abstractions/base> - - umount, - - # ignore DENIED message on / remount - deny mount options=(ro, remount) -> /, - - # allow tmpfs mounts everywhere - mount fstype=tmpfs, - - # allow mqueue mounts everywhere - mount fstype=mqueue, - - # allow fuse mounts everywhere - mount fstype=fuse.*, - - # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted - mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, - deny @{PROC}/sys/fs/** wklx, - - # allow efivars to be mounted, writing to it will be blocked though - mount fstype=efivarfs -> /sys/firmware/efi/efivars/, - - # block some other dangerous paths - deny @{PROC}/sysrq-trigger rwklx, - deny @{PROC}/mem rwklx, - deny @{PROC}/kmem rwklx, - - # deny writes in /sys except for /sys/fs/cgroup, also allow - # fusectl, securityfs and debugfs to be mounted there (read-only) - mount fstype=fusectl -> /sys/fs/fuse/connections/, - mount fstype=securityfs -> /sys/kernel/security/, - mount fstype=debugfs -> /sys/kernel/debug/, - mount fstype=proc -> /proc/, - mount fstype=sysfs -> /sys/, - deny /sys/firmware/efi/efivars/** rwklx, - deny /sys/kernel/security/** rwklx, - - # generated by: lxc-generate-aa-rules.py container-rules.base - deny /proc/sys/[^kn]*{,/**} wklx, - deny /proc/sys/k[^e]*{,/**} wklx, - deny /proc/sys/ke[^r]*{,/**} wklx, - deny /proc/sys/ker[^n]*{,/**} wklx, - deny /proc/sys/kern[^e]*{,/**} wklx, - deny /proc/sys/kerne[^l]*{,/**} wklx, - deny /proc/sys/kernel/[^smhd]*{,/**} wklx, - deny /proc/sys/kernel/d[^o]*{,/**} wklx, - deny /proc/sys/kernel/do[^m]*{,/**} wklx, - deny /proc/sys/kernel/dom[^a]*{,/**} wklx, - deny /proc/sys/kernel/doma[^i]*{,/**} wklx, - deny /proc/sys/kernel/domai[^n]*{,/**} wklx, - deny /proc/sys/kernel/domain[^n]*{,/**} wklx, - deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, - deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, - deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, - deny 
/proc/sys/kernel/domainname?*{,/**} wklx, - deny /proc/sys/kernel/h[^o]*{,/**} wklx, - deny /proc/sys/kernel/ho[^s]*{,/**} wklx, - deny /proc/sys/kernel/hos[^t]*{,/**} wklx, - deny /proc/sys/kernel/host[^n]*{,/**} wklx, - deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, - deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, - deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, - deny /proc/sys/kernel/hostname?*{,/**} wklx, - deny /proc/sys/kernel/m[^s]*{,/**} wklx, - deny /proc/sys/kernel/ms[^g]*{,/**} wklx, - deny /proc/sys/kernel/msg*/** wklx, - deny /proc/sys/kernel/s[^he]*{,/**} wklx, - deny /proc/sys/kernel/se[^m]*{,/**} wklx, - deny /proc/sys/kernel/sem*/** wklx, - deny /proc/sys/kernel/sh[^m]*{,/**} wklx, - deny /proc/sys/kernel/shm*/** wklx, - deny /proc/sys/kernel?*{,/**} wklx, - deny /proc/sys/n[^e]*{,/**} wklx, - deny /proc/sys/ne[^t]*{,/**} wklx, - deny /proc/sys/net?*{,/**} wklx, - deny /sys/[^fdc]*{,/**} wklx, - deny /sys/c[^l]*{,/**} wklx, - deny /sys/cl[^a]*{,/**} wklx, - deny /sys/cla[^s]*{,/**} wklx, - deny /sys/clas[^s]*{,/**} wklx, - deny /sys/class/[^n]*{,/**} wklx, - deny /sys/class/n[^e]*{,/**} wklx, - deny /sys/class/ne[^t]*{,/**} wklx, - deny /sys/class/net?*{,/**} wklx, - deny /sys/class?*{,/**} wklx, - deny /sys/d[^e]*{,/**} wklx, - deny /sys/de[^v]*{,/**} wklx, - deny /sys/dev[^i]*{,/**} wklx, - deny /sys/devi[^c]*{,/**} wklx, - deny /sys/devic[^e]*{,/**} wklx, - deny /sys/device[^s]*{,/**} wklx, - deny /sys/devices/[^v]*{,/**} wklx, - deny /sys/devices/v[^i]*{,/**} wklx, - deny /sys/devices/vi[^r]*{,/**} wklx, - deny /sys/devices/vir[^t]*{,/**} wklx, - deny /sys/devices/virt[^u]*{,/**} wklx, - deny /sys/devices/virtu[^a]*{,/**} wklx, - deny /sys/devices/virtua[^l]*{,/**} wklx, - deny /sys/devices/virtual/[^n]*{,/**} wklx, - deny /sys/devices/virtual/n[^e]*{,/**} wklx, - deny /sys/devices/virtual/ne[^t]*{,/**} wklx, - deny /sys/devices/virtual/net?*{,/**} wklx, - deny /sys/devices/virtual?*{,/**} wklx, - deny /sys/devices?*{,/**} wklx, - deny 
/sys/f[^s]*{,/**} wklx, - deny /sys/fs/[^c]*{,/**} wklx, - deny /sys/fs/c[^g]*{,/**} wklx, - deny /sys/fs/cg[^r]*{,/**} wklx, - deny /sys/fs/cgr[^o]*{,/**} wklx, - deny /sys/fs/cgro[^u]*{,/**} wklx, - deny /sys/fs/cgrou[^p]*{,/**} wklx, - deny /sys/fs/cgroup?*{,/**} wklx, - deny /sys/fs?*{,/**} wklx, diff --git a/examples/apparmor/libvirt-lxc.in b/examples/apparmor/libvirt-lxc.in new file mode 100644 index 0000000..4bfb503 --- /dev/null +++ b/examples/apparmor/libvirt-lxc.in 
@@ -0,0 +1,116 @@ +# Last Modified: Fri Feb 7 13:01:36 2014 + + #include <abstractions/base> + + umount, + + # ignore DENIED message on / remount + deny mount options=(ro, remount) -> /, + + # allow tmpfs mounts everywhere + mount fstype=tmpfs, + + # allow mqueue mounts everywhere + mount fstype=mqueue, + + # allow fuse mounts everywhere + mount fstype=fuse.*, + + # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted + mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, + deny @{PROC}/sys/fs/** wklx, + + # allow efivars to be mounted, writing to it will be blocked though + mount fstype=efivarfs -> /sys/firmware/efi/efivars/, + + # block some other dangerous paths + deny @{PROC}/sysrq-trigger rwklx, + deny @{PROC}/mem rwklx, + deny @{PROC}/kmem rwklx, + + # deny writes in /sys except for /sys/fs/cgroup, also allow + # fusectl, securityfs and debugfs to be mounted there (read-only) + mount fstype=fusectl -> /sys/fs/fuse/connections/, + mount fstype=securityfs -> /sys/kernel/security/, + mount fstype=debugfs -> /sys/kernel/debug/, + mount fstype=proc -> /proc/, + mount fstype=sysfs -> /sys/, + deny /sys/firmware/efi/efivars/** rwklx, + deny /sys/kernel/security/** rwklx, + + # generated by: lxc-generate-aa-rules.py container-rules.base + deny /proc/sys/[^kn]*{,/**} wklx, + deny /proc/sys/k[^e]*{,/**} wklx, + deny /proc/sys/ke[^r]*{,/**} wklx, + deny /proc/sys/ker[^n]*{,/**} wklx, + deny /proc/sys/kern[^e]*{,/**} wklx, + deny /proc/sys/kerne[^l]*{,/**} wklx, + deny /proc/sys/kernel/[^smhd]*{,/**} wklx, + deny /proc/sys/kernel/d[^o]*{,/**} wklx, + deny /proc/sys/kernel/do[^m]*{,/**} wklx, + deny /proc/sys/kernel/dom[^a]*{,/**} wklx, + deny /proc/sys/kernel/doma[^i]*{,/**} wklx, + deny /proc/sys/kernel/domai[^n]*{,/**} wklx, + deny /proc/sys/kernel/domain[^n]*{,/**} wklx, + deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, + deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, + deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, + deny 
/proc/sys/kernel/domainname?*{,/**} wklx, + deny /proc/sys/kernel/h[^o]*{,/**} wklx, + deny /proc/sys/kernel/ho[^s]*{,/**} wklx, + deny /proc/sys/kernel/hos[^t]*{,/**} wklx, + deny /proc/sys/kernel/host[^n]*{,/**} wklx, + deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, + deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, + deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, + deny /proc/sys/kernel/hostname?*{,/**} wklx, + deny /proc/sys/kernel/m[^s]*{,/**} wklx, + deny /proc/sys/kernel/ms[^g]*{,/**} wklx, + deny /proc/sys/kernel/msg*/** wklx, + deny /proc/sys/kernel/s[^he]*{,/**} wklx, + deny /proc/sys/kernel/se[^m]*{,/**} wklx, + deny /proc/sys/kernel/sem*/** wklx, + deny /proc/sys/kernel/sh[^m]*{,/**} wklx, + deny /proc/sys/kernel/shm*/** wklx, + deny /proc/sys/kernel?*{,/**} wklx, + deny /proc/sys/n[^e]*{,/**} wklx, + deny /proc/sys/ne[^t]*{,/**} wklx, + deny /proc/sys/net?*{,/**} wklx, + deny /sys/[^fdc]*{,/**} wklx, + deny /sys/c[^l]*{,/**} wklx, + deny /sys/cl[^a]*{,/**} wklx, + deny /sys/cla[^s]*{,/**} wklx, + deny /sys/clas[^s]*{,/**} wklx, + deny /sys/class/[^n]*{,/**} wklx, + deny /sys/class/n[^e]*{,/**} wklx, + deny /sys/class/ne[^t]*{,/**} wklx, + deny /sys/class/net?*{,/**} wklx, + deny /sys/class?*{,/**} wklx, + deny /sys/d[^e]*{,/**} wklx, + deny /sys/de[^v]*{,/**} wklx, + deny /sys/dev[^i]*{,/**} wklx, + deny /sys/devi[^c]*{,/**} wklx, + deny /sys/devic[^e]*{,/**} wklx, + deny /sys/device[^s]*{,/**} wklx, + deny /sys/devices/[^v]*{,/**} wklx, + deny /sys/devices/v[^i]*{,/**} wklx, + deny /sys/devices/vi[^r]*{,/**} wklx, + deny /sys/devices/vir[^t]*{,/**} wklx, + deny /sys/devices/virt[^u]*{,/**} wklx, + deny /sys/devices/virtu[^a]*{,/**} wklx, + deny /sys/devices/virtua[^l]*{,/**} wklx, + deny /sys/devices/virtual/[^n]*{,/**} wklx, + deny /sys/devices/virtual/n[^e]*{,/**} wklx, + deny /sys/devices/virtual/ne[^t]*{,/**} wklx, + deny /sys/devices/virtual/net?*{,/**} wklx, + deny /sys/devices/virtual?*{,/**} wklx, + deny /sys/devices?*{,/**} wklx, + deny 
/sys/f[^s]*{,/**} wklx, + deny /sys/fs/[^c]*{,/**} wklx, + deny /sys/fs/c[^g]*{,/**} wklx, + deny /sys/fs/cg[^r]*{,/**} wklx, + deny /sys/fs/cgr[^o]*{,/**} wklx, + deny /sys/fs/cgro[^u]*{,/**} wklx, + deny /sys/fs/cgrou[^p]*{,/**} wklx, + deny /sys/fs/cgroup?*{,/**} wklx, + deny /sys/fs?*{,/**} wklx, diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu deleted file mode 100644 index c6de6dd..0000000 --- a/examples/apparmor/libvirt-qemu +++ /dev/null 
@@ -1,144 +0,0 @@ -# Last Modified: Wed Sep 3 21:52:03 2014 - - #include <abstractions/base> - #include <abstractions/consoles> - #include <abstractions/nameservice> - - # required for reading disk images - capability dac_override, - capability dac_read_search, - capability chown, - - # needed to drop privileges - capability setgid, - capability setuid, - - network inet stream, - network inet6 stream, - - /dev/net/tun rw, - /dev/kvm rw, - /dev/ptmx rw, - /dev/kqemu rw, - @{PROC}/*/status r, - @{PROC}/sys/kernel/cap_last_cap r, - - # For hostdev access. The actual devices will be added dynamically - /sys/bus/usb/devices/ r, - /sys/devices/**/usb[0-9]*/** r, - - # WARNING: this gives the guest direct access to host hardware and specific - # portions of shared memory. This is required for sound using ALSA with kvm, - # but may constitute a security risk. If your environment does not require - # the use of sound in your VMs, feel free to comment out or prepend 'deny' to - # the rules for files in /dev. - /{dev,run}/shm r, - /{dev,run}/shmpulse-shm* r, - /{dev,run}/shmpulse-shm* rwk, - /dev/snd/* rw, - capability ipc_lock, - # spice - owner /{dev,run}/shm/spice.* rw, - # 'kill' is not required for sound and is a security risk. Do not enable - # unless you absolutely need it. 
- deny capability kill, - - # Uncomment the following if you need access to /dev/fb* - #/dev/fb* rw, - - /etc/pulse/client.conf r, - @{HOME}/.pulse-cookie rwk, - owner /root/.pulse-cookie rwk, - owner /root/.pulse/ rw, - owner /root/.pulse/* rw, - /usr/share/alsa/** r, - owner /tmp/pulse-*/ rw, - owner /tmp/pulse-*/* rw, - /var/lib/dbus/machine-id r, - - # access to firmware's etc - /usr/share/kvm/** r, - /usr/share/qemu/** r, - /usr/share/bochs/** r, - /usr/share/openbios/** r, - /usr/share/openhackware/** r, - /usr/share/proll/** r, - /usr/share/vgabios/** r, - /usr/share/seabios/** r, - /usr/share/ovmf/** r, - - # access PKI infrastructure - /etc/pki/libvirt-vnc/** r, - - # the various binaries - /usr/bin/kvm rmix, - /usr/bin/qemu rmix, - /usr/bin/qemu-system-arm rmix, - /usr/bin/qemu-system-cris rmix, - /usr/bin/qemu-system-i386 rmix, - /usr/bin/qemu-system-m68k rmix, - /usr/bin/qemu-system-microblaze rmix, - /usr/bin/qemu-system-microblazeel rmix, - /usr/bin/qemu-system-mips rmix, - /usr/bin/qemu-system-mips64 rmix, - /usr/bin/qemu-system-mips64el rmix, - /usr/bin/qemu-system-mipsel rmix, - /usr/bin/qemu-system-ppc rmix, - /usr/bin/qemu-system-ppc64 rmix, - /usr/bin/qemu-system-ppcemb rmix, - /usr/bin/qemu-system-sh4 rmix, - /usr/bin/qemu-system-sh4eb rmix, - /usr/bin/qemu-system-sparc rmix, - /usr/bin/qemu-system-sparc64 rmix, - /usr/bin/qemu-system-x86_64 rmix, - /usr/bin/qemu-alpha rmix, - /usr/bin/qemu-arm rmix, - /usr/bin/qemu-armeb rmix, - /usr/bin/qemu-cris rmix, - /usr/bin/qemu-i386 rmix, - /usr/bin/qemu-m68k rmix, - /usr/bin/qemu-microblaze rmix, - /usr/bin/qemu-microblazeel rmix, - /usr/bin/qemu-mips rmix, - /usr/bin/qemu-mipsel rmix, - /usr/bin/qemu-ppc rmix, - /usr/bin/qemu-ppc64 rmix, - /usr/bin/qemu-ppc64abi32 rmix, - /usr/bin/qemu-sh4 rmix, - /usr/bin/qemu-sh4eb rmix, - /usr/bin/qemu-sparc rmix, - /usr/bin/qemu-sparc64 rmix, - /usr/bin/qemu-sparc32plus rmix, - /usr/bin/qemu-sparc64 rmix, - /usr/bin/qemu-x86_64 rmix, - /usr/lib/qemu/block-curl.so 
mr, - - # for save and resume - /bin/dash rmix, - /bin/dd rmix, - /bin/cat rmix, - - # for usb access - /dev/bus/usb/ r, - /etc/udev/udev.conf r, - /sys/bus/ r, - /sys/class/ r, - - /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, - # child profile for bridge helper process - profile qemu_bridge_helper { - #include <abstractions/base> - - capability setuid, - capability setgid, - capability setpcap, - capability net_admin, - - network inet stream, - - /dev/net/tun rw, - /etc/qemu/** r, - owner @{PROC}/*/status r, - - /usr/{lib,libexec}/qemu-bridge-helper rmix, - } diff --git a/examples/apparmor/libvirt-qemu.in b/examples/apparmor/libvirt-qemu.in new file mode 100644 index 0000000..c6de6dd --- /dev/null +++ b/examples/apparmor/libvirt-qemu.in 
@@ -0,0 +1,144 @@ +# Last Modified: Wed Sep 3 21:52:03 2014 + + #include <abstractions/base> + #include <abstractions/consoles> + #include <abstractions/nameservice> + + # required for reading disk images + capability dac_override, + capability dac_read_search, + capability chown, + + # needed to drop privileges + capability setgid, + capability setuid, + + network inet stream, + network inet6 stream, + + /dev/net/tun rw, + /dev/kvm rw, + /dev/ptmx rw, + /dev/kqemu rw, + @{PROC}/*/status r, + @{PROC}/sys/kernel/cap_last_cap r, + + # For hostdev access. The actual devices will be added dynamically + /sys/bus/usb/devices/ r, + /sys/devices/**/usb[0-9]*/** r, + + # WARNING: this gives the guest direct access to host hardware and specific + # portions of shared memory. This is required for sound using ALSA with kvm, + # but may constitute a security risk. If your environment does not require + # the use of sound in your VMs, feel free to comment out or prepend 'deny' to + # the rules for files in /dev. + /{dev,run}/shm r, + /{dev,run}/shmpulse-shm* r, + /{dev,run}/shmpulse-shm* rwk, + /dev/snd/* rw, + capability ipc_lock, + # spice + owner /{dev,run}/shm/spice.* rw, + # 'kill' is not required for sound and is a security risk. Do not enable + # unless you absolutely need it. 
+ deny capability kill, + + # Uncomment the following if you need access to /dev/fb* + #/dev/fb* rw, + + /etc/pulse/client.conf r, + @{HOME}/.pulse-cookie rwk, + owner /root/.pulse-cookie rwk, + owner /root/.pulse/ rw, + owner /root/.pulse/* rw, + /usr/share/alsa/** r, + owner /tmp/pulse-*/ rw, + owner /tmp/pulse-*/* rw, + /var/lib/dbus/machine-id r, + + # access to firmware's etc + /usr/share/kvm/** r, + /usr/share/qemu/** r, + /usr/share/bochs/** r, + /usr/share/openbios/** r, + /usr/share/openhackware/** r, + /usr/share/proll/** r, + /usr/share/vgabios/** r, + /usr/share/seabios/** r, + /usr/share/ovmf/** r, + + # access PKI infrastructure + /etc/pki/libvirt-vnc/** r, + + # the various binaries + /usr/bin/kvm rmix, + /usr/bin/qemu rmix, + /usr/bin/qemu-system-arm rmix, + /usr/bin/qemu-system-cris rmix, + /usr/bin/qemu-system-i386 rmix, + /usr/bin/qemu-system-m68k rmix, + /usr/bin/qemu-system-microblaze rmix, + /usr/bin/qemu-system-microblazeel rmix, + /usr/bin/qemu-system-mips rmix, + /usr/bin/qemu-system-mips64 rmix, + /usr/bin/qemu-system-mips64el rmix, + /usr/bin/qemu-system-mipsel rmix, + /usr/bin/qemu-system-ppc rmix, + /usr/bin/qemu-system-ppc64 rmix, + /usr/bin/qemu-system-ppcemb rmix, + /usr/bin/qemu-system-sh4 rmix, + /usr/bin/qemu-system-sh4eb rmix, + /usr/bin/qemu-system-sparc rmix, + /usr/bin/qemu-system-sparc64 rmix, + /usr/bin/qemu-system-x86_64 rmix, + /usr/bin/qemu-alpha rmix, + /usr/bin/qemu-arm rmix, + /usr/bin/qemu-armeb rmix, + /usr/bin/qemu-cris rmix, + /usr/bin/qemu-i386 rmix, + /usr/bin/qemu-m68k rmix, + /usr/bin/qemu-microblaze rmix, + /usr/bin/qemu-microblazeel rmix, + /usr/bin/qemu-mips rmix, + /usr/bin/qemu-mipsel rmix, + /usr/bin/qemu-ppc rmix, + /usr/bin/qemu-ppc64 rmix, + /usr/bin/qemu-ppc64abi32 rmix, + /usr/bin/qemu-sh4 rmix, + /usr/bin/qemu-sh4eb rmix, + /usr/bin/qemu-sparc rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-x86_64 rmix, + /usr/lib/qemu/block-curl.so 
mr, + + # for save and resume + /bin/dash rmix, + /bin/dd rmix, + /bin/cat rmix, + + # for usb access + /dev/bus/usb/ r, + /etc/udev/udev.conf r, + /sys/bus/ r, + /sys/class/ r, + + /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include <abstractions/base> + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,libexec}/qemu-bridge-helper rmix, + } diff --git a/examples/apparmor/profile-preprocess b/examples/apparmor/profile-preprocess new file mode 100755 index 0000000..684958a --- /dev/null +++ b/examples/apparmor/profile-preprocess @@ -0,0 +1,21 @@ +#!/bin/sh + +PROFILES_VERSION=$( + awk '$1=="#define" && $2=="APPARMOR_VERSION_NUMBER"{ + print $3 + }' ../../config.h) + +awk -vVERSION=$PROFILES_VERSION ' +$1 == "@@ifge" { + if (VERSION < $2) + skip=1 + next +} +$1 == "@@end"{ + skip=0 + next +} +!skip{ + print +} +' $1 diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper deleted file mode 100644 index bceaaff..0000000 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper +++ /dev/null 
@@ -1,48 +0,0 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 -#include <tunables/global> - -/usr/lib/libvirt/virt-aa-helper { - #include <abstractions/base> - - # needed for searching directories - capability dac_override, - capability dac_read_search, - - # needed for when disk is on a network filesystem - network inet, - - deny @{PROC}/[0-9]*/mounts r, - @{PROC}/[0-9]*/net/psched r, - owner @{PROC}/[0-9]*/status r, - @{PROC}/filesystems r, - - # for hostdev - /sys/devices/ r, - /sys/devices/** r, - - /usr/lib/libvirt/virt-aa-helper mr, - /sbin/apparmor_parser Ux, - - /etc/apparmor.d/libvirt/* r, - /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, - - # for backingstore -- allow access to non-hidden files in @{HOME} as well - # as storage pools - audit deny @{HOME}/.* mrwkl, - audit deny @{HOME}/.*/ rw, - audit deny @{HOME}/.*/** mrwkl, - audit deny @{HOME}/bin/ rw, - audit deny @{HOME}/bin/** mrwkl, - @{HOME}/ r, - @{HOME}/** r, - /var/lib/libvirt/images/ r, - /var/lib/libvirt/images/** r, - /{media,mnt,opt,srv}/** r, - - /**.img r, - /**.qcow{,2} r, - /**.qed r, - /**.vmdk r, - /**.[iI][sS][oO] r, - /**/disk{,.*} r, -} diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in new file mode 100644 index 0000000..bceaaff --- /dev/null +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in 
@@ -0,0 +1,48 @@ +# Last Modified: Mon Apr 5 15:10:27 2010 +#include <tunables/global> + +/usr/lib/libvirt/virt-aa-helper { + #include <abstractions/base> + + # needed for searching directories + capability dac_override, + capability dac_read_search, + + # needed for when disk is on a network filesystem + network inet, + + deny @{PROC}/[0-9]*/mounts r, + @{PROC}/[0-9]*/net/psched r, + owner @{PROC}/[0-9]*/status r, + @{PROC}/filesystems r, + + # for hostdev + /sys/devices/ r, + /sys/devices/** r, + + /usr/lib/libvirt/virt-aa-helper mr, + /sbin/apparmor_parser Ux, + + /etc/apparmor.d/libvirt/* r, + /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + # for backingstore -- allow access to non-hidden files in @{HOME} as well + # as storage pools + audit deny @{HOME}/.* mrwkl, + audit deny @{HOME}/.*/ rw, + audit deny @{HOME}/.*/** mrwkl, + audit deny @{HOME}/bin/ rw, + audit deny @{HOME}/bin/** mrwkl, + @{HOME}/ r, + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, + /{media,mnt,opt,srv}/** r, + + /**.img r, + /**.qcow{,2} r, + /**.qed r, + /**.vmdk r, + /**.[iI][sS][oO] r, + /**/disk{,.*} r, +} diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd deleted file mode 100644 index 3011eff..0000000 --- a/examples/apparmor/usr.sbin.libvirtd +++ /dev/null 
@@ -1,63 +0,0 @@ -# Last Modified: Mon Apr 5 15:03:58 2010 -#include <tunables/global> -@{LIBVIRT}="libvirt" - -/usr/sbin/libvirtd { - #include <abstractions/base> - #include <abstractions/dbus> - - capability kill, - capability net_admin, - capability net_raw, - capability setgid, - capability sys_admin, - capability sys_module, - capability sys_ptrace, - capability sys_nice, - capability sys_chroot, - capability setuid, - capability dac_override, - capability dac_read_search, - capability fowner, - capability chown, - capability setpcap, - capability mknod, - capability fsetid, - capability audit_write, - - # Needed for vfio - capability sys_resource, - - network inet stream, - network inet dgram, - network inet6 stream, - network inet6 dgram, - network packet dgram, - - # Very lenient profile for libvirtd since we want to first focus on confining - # the guests. Guests will have a very restricted profile. - / r, - /** rwmkl, - - /bin/* PUx, - /sbin/* PUx, - /usr/bin/* PUx, - /usr/sbin/* PUx, - /lib/udev/scsi_id PUx, - /usr/lib/xen-common/bin/xen-toolstack PUx, - - # force the use of virt-aa-helper - audit deny /sbin/apparmor_parser rwxl, - audit deny /etc/apparmor.d/libvirt/** wxl, - audit deny /sys/kernel/security/apparmor/features rwxl, - audit deny /sys/kernel/security/apparmor/matching rwxl, - audit deny /sys/kernel/security/apparmor/.* rwxl, - /sys/kernel/security/apparmor/profiles r, - /usr/lib/libvirt/* PUxr, - /etc/libvirt/hooks/** rmix, - /etc/xen/scripts/** rmix, - - # allow changing to our UUID-based named profiles - change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, - -} diff --git a/examples/apparmor/usr.sbin.libvirtd.in b/examples/apparmor/usr.sbin.libvirtd.in new file mode 100644 index 0000000..3011eff --- /dev/null +++ b/examples/apparmor/usr.sbin.libvirtd.in 
@@ -0,0 +1,63 @@ +# Last Modified: Mon Apr 5 15:03:58 2010 +#include <tunables/global> +@{LIBVIRT}="libvirt" + +/usr/sbin/libvirtd { + #include <abstractions/base> + #include <abstractions/dbus> + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + + # Needed for vfio + capability sys_resource, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network packet dgram, + + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + /usr/sbin/* PUx, + /lib/udev/scsi_id PUx, + /usr/lib/xen-common/bin/xen-toolstack PUx, + + # force the use of virt-aa-helper + audit deny /sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + /usr/lib/libvirt/* PUxr, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + +} -- 1.9.1
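Review bot: in the configure.ac hunk the explicit-version branch reads `APPARMOR_VERSION=$withval`, which only works because no other AC_ARG_WITH/AC_ARG_ENABLE is expanded between that AC_ARG_WITH and this use; use the option's own variable, `APPARMOR_VERSION=$with_apparmor_profiles_version`, so the value does not depend on expansion order. The `check` branch also has no failure path: if `pkg-config --modversion libapparmor` prints nothing (intrigeri had to add a build-dep on libapparmor-dev for exactly this file), APPARMOR_VERSION is empty and the later `expr` fails with an unhelpful message; test for an empty result and AC_MSG_ERROR, and prefer the `$PKG_CONFIG` variable pkg.m4 sets over a bare `pkg-config`. A bare `--with-apparmor-profiles-version` (value `yes`) takes the same path and breaks `expr` too; validating the value against a `[[0-9]*.[0-9]*]` case pattern would catch both.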
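Review bot: the Makefile.am hunks turn libvirt-qemu, libvirt-lxc, usr.lib.libvirt.virt-aa-helper and usr.sbin.libvirtd into build products (they go into CLEANFILES), but EXTRA_DIST still lists those same names, so `make dist` will either ship build output or fail in a clean tree; EXTRA_DIST should name the sources instead, i.e. the four `.in` files and profile-preprocess. The new rules also hard-code `../../config.h`; `$(top_builddir)/config.h` states the same dependency without assuming the directory depth.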
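Review bot: the libvirt-lxc deletion and the libvirt-lxc.in creation carry the same blob (`index 4bfb503` on both sides), and the same holds for libvirt-qemu (c6de6dd), usr.lib.libvirt.virt-aa-helper (bceaaff) and usr.sbin.libvirtd (3011eff), so these four are pure renames. Regenerating the series with `git format-patch -M` would present them as renames and drop the 371 lines of moved profile text from the diff, leaving the configure and Makefile changes as the thing to review.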
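Review bot: profile-preprocess finds config.h by the hard-coded relative path `../../config.h`, so it only works when the working directory is examples/apparmor of the build tree, and it passes `$1` and `-vVERSION=$PROFILES_VERSION` to awk unquoted. Take the config.h path as a second argument (`$(srcdir)/profile-preprocess $< $(top_builddir)/config.h >$@` from the Makefile rules) and quote both. Also, when APPARMOR_VERSION_NUMBER is not in config.h, PROFILES_VERSION is empty and `VERSION < $2` becomes a string comparison that is always true, so every `@@ifge` block is dropped without any diagnostic; failing with a message on an empty version is safer than quietly generating a profile with rules removed.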
From 6692398fca733e61a4b788d800594ef06de19631 Mon Sep 17 00:00:00 2001 From: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> Date: Mon, 13 Oct 2014 11:43:26 +0200 Subject: [PATCH 2/2] examples/apparmor: Update profiles with Ubuntu delta Merge back the delta Ubuntu carries. Rules for features only available in newer versions of apparmor are wrapped by the new version markers. Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx> --- examples/apparmor/Makefile.am | 15 ++++++++++- examples/apparmor/libvirt-lxc.in | 17 +++++++++++- examples/apparmor/libvirt-qemu.in | 31 +++++++++++++++++++++- examples/apparmor/local-usr.sbin.libvirtd.in | 2 ++ .../apparmor/usr.lib.libvirt.virt-aa-helper.in | 25 ++++++++++++++--- examples/apparmor/usr.sbin.libvirtd.in | 19 ++++++++++++- 6 files changed, 102 insertions(+), 7 deletions(-) create mode 100644 examples/apparmor/local-usr.sbin.libvirtd.in diff --git a/examples/apparmor/Makefile.am b/examples/apparmor/Makefile.am index 8d301da..d57e78e 100644 --- a/examples/apparmor/Makefile.am +++ b/examples/apparmor/Makefile.am @@ -22,6 +22,7 @@ EXTRA_DIST= \ libvirt-qemu \ libvirt-lxc \ usr.lib.libvirt.virt-aa-helper \ + local-usr.sbin.libvirtd \ usr.sbin.libvirtd if WITH_APPARMOR_PROFILES @@ -31,6 +32,15 @@ apparmor_DATA = \ usr.sbin.libvirtd \ $(NULL) +localdir = $(apparmordir)/local +local_DATA = \ + local-usr.sbin.libvirtd \ + $(NULL) + +install-data-hook: + mv $(DESTDIR)$(localdir)/local-usr.sbin.libvirtd \ + $(DESTDIR)$(localdir)/usr.sbin.libvirtd + abstractionsdir = $(apparmordir)/abstractions abstractions_DATA = \ libvirt-qemu \ 
@@ -55,7 +65,10 @@ usr.lib.libvirt.virt-aa-helper: $(srcdir)/usr.lib.libvirt.virt-aa-helper.in \ usr.sbin.libvirtd: $(srcdir)/usr.sbin.libvirtd.in \ $(srcdir)/profile-preprocess ../../config.h $(srcdir)/profile-preprocess $< >$@ +local-usr.sbin.libvirtd: $(srcdir)/local-usr.sbin.libvirtd.in \ + $(srcdir)/profile-preprocess ../../config.h + $(srcdir)/profile-preprocess $< >$@ CLEANFILES += libvirt-lxc libvirt-qemu usr.lib.libvirt.virt-aa-helper -CLEANFILES += usr.sbin.libvirtd +CLEANFILES += usr.sbin.libvirtd local-usr.sbin.libvirtd endif WITH_APPARMOR_PROFILES diff --git a/examples/apparmor/libvirt-lxc.in b/examples/apparmor/libvirt-lxc.in index 4bfb503..ea226e9 100644 --- a/examples/apparmor/libvirt-lxc.in +++ b/examples/apparmor/libvirt-lxc.in @@ -1,12 +1,20 @@ -# Last Modified: Fri Feb 7 13:01:36 2014 +# Last Modified: Thu, 18 Sep 2014 13:56:49 +0200 #include <abstractions/base> umount, +@@ifge 2009 + dbus, + signal, + ptrace, +@end # ignore DENIED message on / remount deny mount options=(ro, remount) -> /, + # support use of cgmanager proxy + mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/, + # allow tmpfs mounts everywhere mount fstype=tmpfs, @@ -33,8 +41,15 @@ mount fstype=fusectl -> /sys/fs/fuse/connections/, mount fstype=securityfs -> /sys/kernel/security/, mount fstype=debugfs -> /sys/kernel/debug/, + deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, mount fstype=proc -> /proc/, mount fstype=sysfs -> /sys/, + + mount options=(rw nosuid nodev noexec remount) -> /sys/, + mount options=(rw remount) -> /sys/kernel/security/, + mount options=(rw remount) -> /sys/fs/pstore/, + mount options=(ro remount) -> /sys/fs/pstore/, + deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, diff --git a/examples/apparmor/libvirt-qemu.in b/examples/apparmor/libvirt-qemu.in index c6de6dd..b69e64c 100644 --- a/examples/apparmor/libvirt-qemu.in +++ b/examples/apparmor/libvirt-qemu.in 
@@ -1,4 +1,4 @@ -# Last Modified: Wed Sep 3 21:52:03 2014 +# Last Modified: Thu, 18 Sep 2014 16:41:21 +0200 #include <abstractions/base> #include <abstractions/consoles> @@ -13,15 +13,22 @@ capability setgid, capability setuid, + # this is needed with libcap-ng support, however it breaks a lot of things + # atm, so just silence the denial until libcap-ng works right. LP: #522845 + deny capability setpcap, + network inet stream, network inet6 stream, /dev/net/tun rw, + /dev/tap* rw, /dev/kvm rw, /dev/ptmx rw, /dev/kqemu rw, @{PROC}/*/status r, @{PROC}/sys/kernel/cap_last_cap r, + owner @{PROC}/*/auxv r, + @{PROC}/sys/vm/overcommit_memory r, # For hostdev access. The actual devices will be added dynamically /sys/bus/usb/devices/ r, @@ -38,6 +45,9 @@ /dev/snd/* rw, capability ipc_lock, # spice + /usr/bin/qemu-system-i386-spice rmix, + /usr/bin/qemu-system-x86_64-spice rmix, + /{dev,run}/shm/ r, owner /{dev,run}/shm/spice.* rw, # 'kill' is not required for sound and is a security risk. Do not enable # unless you absolutely need it. @@ -73,6 +83,7 @@ # the various binaries /usr/bin/kvm rmix, /usr/bin/qemu rmix, + /usr/bin/qemu-system-aarch64 rmix, /usr/bin/qemu-system-arm rmix, /usr/bin/qemu-system-cris rmix, /usr/bin/qemu-system-i386 rmix, @@ -91,6 +102,7 @@ /usr/bin/qemu-system-sparc rmix, /usr/bin/qemu-system-sparc64 rmix, /usr/bin/qemu-system-x86_64 rmix, + /usr/bin/qemu-system-x86_64-spice rmix, /usr/bin/qemu-alpha rmix, /usr/bin/qemu-arm rmix, /usr/bin/qemu-armeb rmix, @@ -117,6 +129,16 @@ /bin/dash rmix, /bin/dd rmix, /bin/cat rmix, + /etc/pki/CA/ r, + /etc/pki/CA/* r, + /etc/pki/libvirt/ r, + /etc/pki/libvirt/** r, + + # for rbd + /etc/ceph/ceph.conf r, + + # for access to hugepages + owner "/run/hugepages/kvm/libvirt/qemu/**" rw, # for usb access /dev/bus/usb/ r, 
@@ -124,6 +146,13 @@ /sys/bus/ r, /sys/class/ r, + signal (receive) peer=/usr/sbin/libvirtd, + ptrace (tracedby) peer=/usr/sbin/libvirtd, + + # for ppc device-tree access + @{PROC}/device-tree/ r, + @{PROC}/device-tree/** r, + /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, # child profile for bridge helper process profile qemu_bridge_helper { diff --git a/examples/apparmor/local-usr.sbin.libvirtd.in b/examples/apparmor/local-usr.sbin.libvirtd.in new file mode 100644 index 0000000..6e19f20 --- /dev/null +++ b/examples/apparmor/local-usr.sbin.libvirtd.in @@ -0,0 +1,2 @@ +# Site-specific additions and overrides for usr.sbin.libvirtd. +# For more details, please see /etc/apparmor.d/local/README. diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in index bceaaff..4df86b0 100644 --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -1,8 +1,9 @@ -# Last Modified: Mon Apr 5 15:10:27 2010 +# Last Modified: Thu, 18 Sep 2014 14:05:36 +0200 #include <tunables/global> /usr/lib/libvirt/virt-aa-helper { #include <abstractions/base> + #include <abstractions/user-tmp> # needed for searching directories capability dac_override, @@ -19,6 +20,12 @@ # for hostdev /sys/devices/ r, /sys/devices/** r, + /sys/bus/usb/devices/ r, + /sys/bus/usb/devices/** r, + deny /dev/sd* r, + deny /dev/dm-* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r, /usr/lib/libvirt/virt-aa-helper mr, /sbin/apparmor_parser Ux, 
@@ -26,8 +33,11 @@ /etc/apparmor.d/libvirt/* r, /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, - # for backingstore -- allow access to non-hidden files in @{HOME} as well - # as storage pools + # For backingstore, virt-aa-helper needs to peek inside the disk image, so + # allow access to non-hidden files in @{HOME} as well as storage pools, and + # removable media and filesystems, and certain file extentions. A + # virt-aa-helper failure when checking a disk for backinsgstore is non-fatal + # (but obviously the backingstore won't be added). audit deny @{HOME}/.* mrwkl, audit deny @{HOME}/.*/ rw, audit deny @{HOME}/.*/** mrwkl, @@ -35,8 +45,17 @@ audit deny @{HOME}/bin/** mrwkl, @{HOME}/ r, @{HOME}/** r, + @{HOME}/.Private/** mrwlk, + @{HOMEDIRS}/.ecryptfs/*/.Private/** mrwlk, + /var/lib/libvirt/images/ r, /var/lib/libvirt/images/** r, + /var/lib/nova/images/** r, + /var/lib/nova/instances/_base/** r, + /var/lib/nova/instances/snapshots/** r, + /var/lib/eucalyptus/instances/**/disk* r, + /var/lib/eucalyptus/instances/**/loader* r, + /var/lib/uvtool/libvirt/images/** r, /{media,mnt,opt,srv}/** r, /**.img r, diff --git a/examples/apparmor/usr.sbin.libvirtd.in b/examples/apparmor/usr.sbin.libvirtd.in index 3011eff..a489760 100644 --- a/examples/apparmor/usr.sbin.libvirtd.in +++ b/examples/apparmor/usr.sbin.libvirtd.in @@ -1,10 +1,12 @@ -# Last Modified: Mon Apr 5 15:03:58 2010 +# Last Modified: Tue, 23 Sep 2014 09:28:07 +0200 #include <tunables/global> @{LIBVIRT}="libvirt" /usr/sbin/libvirtd { #include <abstractions/base> #include <abstractions/dbus> + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.libvirtd> capability kill, capability net_admin, @@ -23,6 +25,7 @@ capability setpcap, capability mknod, capability fsetid, + capability ipc_lock, capability audit_write, # Needed for vfio 
@@ -33,6 +36,14 @@ network inet6 stream, network inet6 dgram, network packet dgram, + network netlink, + +@@ifge 2009 + dbus bus=system, + signal, + ptrace, + unix, +@@end # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile. @@ -45,6 +56,12 @@ /usr/sbin/* PUx, /lib/udev/scsi_id PUx, /usr/lib/xen-common/bin/xen-toolstack PUx, + /usr/lib/xen-*/bin/pygrub PUx, + /usr/lib/xen-*/bin/libxl-save-helper PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # write and run an ebtables script. + /var/lib/libvirt/virtd* ixr, # force the use of virt-aa-helper audit deny /sbin/apparmor_parser rwxl, -- 1.9.1
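Review bot: The `install-data-hook` in the second Makefile.am hunk (`localdir = $(apparmordir)/local`) renames the installed file with `mv`, but automake's generated `uninstall` target will still try to remove `$(localdir)/local-usr.sbin.libvirtd`, which no longer exists, and will leave `$(localdir)/usr.sbin.libvirtd` behind; `make distcheck` catches exactly this. Installing the file under its final name from an `install-data-local` rule, e.g. `$(INSTALL_DATA) local-usr.sbin.libvirtd $(DESTDIR)$(localdir)/usr.sbin.libvirtd`, with a matching `uninstall-local`, keeps install and uninstall symmetric. Note also that the `mv` overwrites an existing `$(localdir)/usr.sbin.libvirtd`, which is precisely the file administrators are told to edit; fine for a fresh DESTDIR install, but worth a comment for packagers who will want to treat it as a conffile.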
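Review bot: The new `local-usr.sbin.libvirtd:` rule in the third Makefile.am hunk copies the `../../config.h` prerequisite from the rules above it, which hard-codes the directory depth; `$(top_builddir)/config.h` is the automake spelling and is the one that keeps working in the out-of-tree build Debian uses. Separately, the rule runs a file that contains only two comment lines through `profile-preprocess`; that is harmless, but shipping `local-usr.sbin.libvirtd` as a plain file in `local_DATA` (no `.in`, no entry in `CLEANFILES`) would be simpler unless version markers are expected to appear in it later.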
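Review bot: In the first libvirt-lxc.in hunk the conditional block closes with `@end`, while the equivalent block in the usr.sbin.libvirtd.in hunk (`dbus bus=system, signal, ptrace, unix,`) closes with `@@end`. Whichever spelling `profile-preprocess` recognises, the other one reaches the generated profile as a literal line, and what apparmor_parser then sees depends on how the preprocessor treats an unterminated `@@ifge`; please use one marker consistently and make `profile-preprocess` exit non-zero on an unterminated block so a typo here fails the build rather than the profile load.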
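Review bot: `/dev/tap* rw` in the `@@ -13,15 +13,22 @@` libvirt-qemu.in hunk grants every confined guest read/write on every macvtap device node, while the hostdev comment a few lines below says devices are added dynamically per guest. If libvirtd opens the tap fd and passes it to qemu the rule may not be needed at all, and if qemu has to open the node itself the per-guest profile generated by virt-aa-helper is the place to grant the specific node; either way a comment saying which case this covers would help. The `deny capability setpcap` line has such a comment (LP: #522845); please give `owner @{PROC}/*/auxv r` and `@{PROC}/sys/vm/overcommit_memory r` one as well.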
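Review bot: `/usr/bin/qemu-system-x86_64-spice rmix` is added twice, once under `# spice` in the `@@ -38,6 +45,9 @@` hunk and again in the binary list in the `@@ -91,6 +102,7 @@` hunk. apparmor_parser accepts the duplicate, but keep only one; and since `qemu-system-i386-spice` currently lives only under `# spice`, listing both `-spice` binaries next to their non-spice siblings in the `# the various binaries` block is the easier layout to keep in sync.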
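Review bot: `owner "/run/hugepages/kvm/libvirt/qemu/**" rw` in the `@@ -117,6 +129,16 @@` hunk is the only quoted path in the profile; the quotes are unnecessary for a path without spaces and stand out against every other rule, so drop them. In the same hunk, `/etc/pki/libvirt/** r` gives every guest read access to the whole tree, including the `private/` subdirectory where libvirt keeps its own TLS keys; if qemu only needs the CA certificate and the server certificate/key pair for VNC or SPICE TLS, naming those files (or the `libvirt-vnc` directory qemu actually uses) is tighter than the wildcard, so please confirm which files qemu reads before the `**` goes in.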
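Review bot: `signal (receive) peer=/usr/sbin/libvirtd` and `ptrace (tracedby) peer=/usr/sbin/libvirtd` in the `@@ -124,6 +146,13 @@` libvirt-qemu.in hunk are not wrapped in `@@ifge 2009`/`@@end`, although the `signal,` and `ptrace,` rules in libvirt-lxc.in and usr.sbin.libvirtd.in in this same patch are, and the commit message says rules for newer apparmor features are wrapped. On an apparmor too old for signal and ptrace rules the generated libvirt-qemu abstraction fails to parse, which takes every guest profile that includes it down with it; wrap these two lines the same way.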
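Review bot: The comment in the new local-usr.sbin.libvirtd.in points at `/etc/apparmor.d/local/README`, which is shipped by the distribution's apparmor packaging rather than by libvirt, so on a system without it the pointer is dead. Say in one line what the file is for (rules appended inside the libvirtd profile through `#include <local/usr.sbin.libvirtd>`, and that it must exist even if empty) and keep the README reference as a secondary hint.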
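Review bot: `#include <abstractions/user-tmp>` in the first usr.lib.libvirt.virt-aa-helper.in hunk is added without saying why the helper needs the temp-directory access that abstraction grants; a one-line comment (presumably disk images placed under /tmp or a user's tmp directory) would save the next reader a trip through the Ubuntu changelog, and makes it easier to judge later whether the include can go away again.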
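Review bot: The four new `deny /dev/sd*`, `deny /dev/dm-*`, `deny /dev/mapper/` rules in the `@@ -19,6 +20,12 @@` virt-aa-helper hunk are plain `deny`, while the `@{HOME}` dotfile rules further down are `audit deny`. Plain deny suppresses the log entry, which is presumably the intent (the helper probing block devices while looking for backing stores is expected noise), but a comment saying so would keep someone from "fixing" them to `audit deny` later and explains why `/dev/sd*` is silenced while other block device names are left to be logged.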
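Review bot: Typos in the comment added in the `@@ -26,8 +33,11 @@` virt-aa-helper hunk: "extentions" should be "extensions" and "backinsgstore" should be "backingstore". The rest of the comment, in particular that a virt-aa-helper failure while checking a disk is non-fatal and only costs the backingstore rule, is a useful explanation of why the wide read access below it is tolerated, so keep it.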
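Review bot: `@{HOME}/.Private/** mrwlk` in the `@@ -35,8 +45,17 @@` virt-aa-helper hunk looks shadowed: AppArmor deny rules take precedence over allow rules, and `audit deny @{HOME}/.*/** mrwkl` a few lines above matches the same paths (`*` matches `Private`), so access there would still be denied and logged. The `@{HOMEDIRS}/.ecryptfs/*/.Private/**` rule is not affected, and since AppArmor mediates on the symlink-resolved path and `~/.Private` is normally a symlink into `@{HOMEDIRS}/.ecryptfs/`, that rule is probably the one doing the work. Please confirm with a test read through `@{HOME}/.Private` and either drop the first rule or narrow the deny above it; as written it documents an intent the parser does not honour.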
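Review bot: `#include <local/usr.sbin.libvirtd>` in the first usr.sbin.libvirtd.in hunk is unconditional, so if the local file is absent the whole libvirtd profile fails to load. `local_DATA` installs it together with the profile under WITH_APPARMOR_PROFILES, but packagers who split the profiles from the local overrides, or who ship the local file as a conffile an administrator may delete, will hit this; say so in the commit message, and let the `# Site-specific additions and overrides` comment state that the file must exist even when empty.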
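Review bot: `/var/lib/libvirt/virtd* ixr` in the last usr.sbin.libvirtd.in hunk lets libvirtd execute, under its own profile, any file in /var/lib/libvirt whose name starts with `virtd`, and because `/** rwmkl` already lets it write there this is execution of content libvirtd wrote itself. That is consistent with the stated "very lenient" intent, and the comment naming ebiptablesWriteToTempFile() is good; extend it with the temporary-file naming pattern that function uses so the width of the glob is understood, and consider `rix` for consistency with the `rmix` and `PUx` spellings used everywhere else in the file. The `pygrub` and `libxl-save-helper` `PUx` lines above it are fine given the existing `/usr/lib/xen-common/bin/xen-toolstack PUx`.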
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list