Re: [PATCH] AppArmor policy: support merged-/usr.

Jamie Strandboge <jamie@xxxxxxxxxxxxx> · Mon, 05 Dec 2016 12:33:58 -0600

On Sat, 2016-12-03 at 18:32 +0000, intrigeri wrote:
> From: intrigeri <intrigeri@xxxxxxxxxx>
> 
> ---
>  examples/apparmor/libvirt-qemu                   | 8 ++++----
>  examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 +-
>  examples/apparmor/usr.sbin.libvirtd              | 4 ++--
>  3 files changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 11381d4..133c2eb 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -136,12 +136,12 @@
>    /usr/{lib,lib64}/qemu/block-rbd.so mr,
>  
>    # for save and resume
> -  /bin/dash rmix,
> -  /bin/dd rmix,
> -  /bin/cat rmix,
> +  /{usr/,}bin/dash rmix,
> +  /{usr/,}bin/dd rmix,
> +  /{usr/,}bin/cat rmix,
>  
>    # for restore
> -  /bin/bash rmix,
> +  /{usr/,}bin/bash rmix,
>  
>    # for usb access
>    /dev/bus/usb/ r,
> diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> index b34fb35..4a8f197 100644
> --- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> +++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
> @@ -21,7 +21,7 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-
> helper {
>    /sys/devices/** r,
>  
>    /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
> -  /sbin/apparmor_parser Ux,
> +  /{usr/,}sbin/apparmor_parser Ux,
>  
>    /etc/apparmor.d/libvirt/* r,
>    /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-
> 9a-f]* rw,
> diff --git a/examples/apparmor/usr.sbin.libvirtd
> b/examples/apparmor/usr.sbin.libvirtd
> index 48651b2..934124b 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -47,12 +47,12 @@
>    /usr/bin/* PUx,
>    /usr/sbin/virtlogd pix,
>    /usr/sbin/* PUx,
> -  /lib/udev/scsi_id PUx,
> +  /{usr/,}lib/udev/scsi_id PUx,
>    /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
>    /usr/{lib,lib64}/xen/bin/* Ux,
>  
>    # force the use of virt-aa-helper
> -  audit deny /sbin/apparmor_parser rwxl,
> +  audit deny /{usr/,}sbin/apparmor_parser rwxl,
>    audit deny /etc/apparmor.d/libvirt/** wxl,
>    audit deny /sys/kernel/security/apparmor/features rwxl,
>    audit deny /sys/kernel/security/apparmor/matching rwxl,

Changes LGTM.

-- 
Jamie Strandboge             | http://www.canonical.com

Attachment:
signature.asc

Description: This is a digitally signed message part
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list