Resubmitting based on feedback from this list. Notably, *alloc calls have been removed and syntax-check completes without error for all files.

Jamie

On Fri, 04 Sep 2009, Jamie Strandboge wrote:
> This patch series implements the AppArmor security driver for sVirt. This implementation was developed for the Ubuntu AppArmorLibvirtProfile specification[1], but is general enough for any AppArmor deployment (such as Ubuntu, *SUSE and Mandriva).
>
> This patch has seen quite a bit of real world testing in Ubuntu 9.10 (our development release) in our 0.7.0-1ubuntu3 package. I did make a few small changes after going through HACKING, but mostly I got the tests going and added documentation.
>
> DESIGN
> ------
> When a virtual machine is started, determine if a profile is currently defined for the machine, and use it if available. If not, generate a new profile for the machine based on a template, which is by default a very restrictive profile allowing access to disk files, and anything else needed to run, such as the pid, monitor and log files.
>
> Virtual machines should have a unique profile specific to that machine. To ensure uniqueness, the profile name will be derived from the UUID of the virtual machine. These profiles should be configurable, either by adjusting the profile template for new machines, creating/modifying the VM profile directly or through the use of AppArmor abstractions. This will allow for administrators to fine-tune confinement for individual machines if desired.
>
> If enabled at compile time, the sVirt security model will be activated if AppArmor is available on the host OS and a profile for the libvirtd daemon is loaded when libvirtd is started.
>
> libvirtd should not be allowed to create arbitrary profiles or modify profiles directly, so as to not allow libvirtd to potentially (i.e. via a security bug in libvirtd itself) bootstrap out of AppArmor confinement.
>
> Because root privileges are needed to manipulate AppArmor profiles, qemu:///session will not be supported at this time, but the implementation must allow for a confined libvirtd with qemu:///session guests running unconfined. This can be revisited when AppArmor supports per-user profiles.
>
> Please see the specification[1] for more details.
>
>
> PATCHES
> -------
> The patches are all against trunk as of yesterday. Testing was done on trunk and there seem to be no regressions over the 0.7.0-1ubuntu3 package in Ubuntu.
>
>
> [PATCH 1*]
> patch_1a_reenable-nonfile-labels.patch:
> When James Morris originally submitted his sVirt patches (as seen in libvirt 0.6.1), he did not require on disk labelling for virSecurityDomainRestoreImageLabel. A later commit[2] changed this behavior to assume on disk labelling, which halts implementations for path-based MAC systems such as AppArmor and TOMOYO where vm->def->seclabel is required to obtain the label. This patch simply adds the 'virDomainObjPtr vm' argument back to *RestoreImageLabel.
>
> patch_1b_optional.patch:
> Due to the above change, 'make syntax-check' fails because SELinuxRestoreSecurityImageLabel() does not use the 'virDomainObjPtr vm'. patch_1b_optional.patch is a simple patch to fix this by checking if vm->def->seclabel == NULL and returns with error if it does. I realize this may not be desired in the long term, but it should be harmless enough to include.
>
>
> [PATCH 2]
> patch_2_security_c.patch:
> Updates src/security.c for AppArmor
>
>
> [PATCH 3]
> patch_3_security_apparmor.patch:
> Adds security_apparmor.c, security_apparmor.h, virt-aa-helper.c and updates po/POTFILES.in. virt-aa-helper.c is a new binary which is used exclusively by the AppArmor security driver to manipulate AppArmor. These files compile without warning and pass syntax-check.
>
>
> [PATCH 4]
> patch_4_tests.patch:
> Adds tests for virt-aa-helper and the security driver.
> secaatest.c is identical to seclabeltest.c except it initializes the 'apparmor' driver instead of 'selinux'. These tests are integrated into 'make check' and pass.
>
>
> [PATCH 5]
> patch_5_docs.patch:
> Updates docs/drvqemu.html.in for AppArmor and adds profile examples to examples/apparmor.
>
>
> [PATCH 6]
> patch_6_autoconf.patch:
> Updates Makefile.am and configure.in for AppArmor. It is based on and should operate the same as the SELinux configuration.
>
>
> Caveats and known issues:
> 1. it does not take advantage of the recent host device labelling functionality yet
> 2. it does not properly handle hot-plugging of devices yet
> 3. qemu:///session runs unconfined (see above)
>
>
> Thanks!
>
> Jamie (jdstrand on Freenode and OFTC)
>
> [1] https://wiki.ubuntu.com/SecurityTeam/Specifications/AppArmorLibvirtProfile
> [2] http://libvirt.org/git/?p=libvirt.git;a=commit;h=c86afc85ee0d1ec6d76c2d254ba0730427360280
> --
> Jamie Strandboge | http://www.canonical.com
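The profile-per-VM scheme from the DESIGN section above, sketched as an added Python example (it is not libvirt's virt-aa-helper and not code from the patch series): the profile name is derived from the VM UUID, a profile already defined for the machine is reused, and otherwise one is rendered from a restrictive template that only adds the guest's disk files. The template text, the `libvirt-` name prefix, the `{{...}}` placeholders and the `rwk` disk permissions are assumptions, not taken from the post.

```python
import re
import uuid

# Constructed stand-in for the per-machine template described in the DESIGN
# section; it is not libvirt's own template file. The helper fills the
# placeholders, everything else is the restrictive baseline every guest gets.
TEMPLATE = """#include <tunables/global>

profile {{NAME}} flags=(attach_disconnected) {
  #include <abstractions/base>
{{DISK_RULES}}}
"""

def profile_name(vm_uuid):
    """Derive the unique profile name from the VM UUID (prefix is assumed)."""
    # uuid.UUID() raises ValueError on anything that is not a UUID, so profile
    # syntax cannot be smuggled into the name via a hostile domain definition.
    return "libvirt-%s" % uuid.UUID(vm_uuid)

def disk_rule(path):
    """One access rule for a disk image the guest is allowed to touch."""
    # Refuse, rather than escape, anything that could widen the rule:
    # relative paths, whitespace, quotes and AppArmor glob characters.
    if not path.startswith("/") or re.search(r'[\s"*?\[\]{}^,]', path):
        raise ValueError("refusing disk path %r" % path)
    return '  "%s" rwk,\n' % path   # read, write and lock the image

def generate_profile(vm_uuid, disks):
    """Render a new per-VM profile from the template."""
    rules = "".join(disk_rule(d) for d in disks)
    return (TEMPLATE.replace("{{NAME}}", profile_name(vm_uuid))
                    .replace("{{DISK_RULES}}", rules))

def select_profile(vm_uuid, disks, loaded_profiles):
    """Mirror the startup decision: reuse a defined profile, else generate.

    loaded_profiles maps profile name -> profile text (an admin-tuned profile
    wins over regeneration); returns (profile_text, was_generated)."""
    name = profile_name(vm_uuid)
    if name in loaded_profiles:
        return loaded_profiles[name], False
    return generate_profile(vm_uuid, disks), True

if __name__ == "__main__":
    # Constructed sample input: one guest with a single disk image.
    print(generate_profile("6f7a5c9e-1d2b-4f3a-9c8d-0b1a2c3d4e5f",
                           ["/var/lib/libvirt/images/guest1.img"]))
```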
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list