On Tue, 08 Sep 2009, Jamie Strandboge wrote: > > [PATCH 5] > > patch_5_docs.patch: > > Updates docs/drvqemu.html.in for AppArmor and adds profile examples to > > examples/apparmor. > > -- Jamie Strandboge | http://www.canonical.com
diff -Nurp ./libvirt.orig/docs/drvqemu.html.in ./libvirt/docs/drvqemu.html.in --- ./libvirt.orig/docs/drvqemu.html.in 2009-09-02 14:34:08.000000000 -0500 +++ ./libvirt/docs/drvqemu.html.in 2009-09-08 15:32:22.000000000 -0500 @@ -296,6 +296,72 @@ file can be used to change the setting to <code>security_driver="none"</code> </p> + <h3><a name="securitysvirtaa">AppArmor sVirt confinement</a></h3> + + <p> + When using basic AppArmor protection for the libvirtd daemon and + QEMU virtual machines, the intention is to protect the host OS + from a compromised virtual machine process. There is no protection + between guests. + </p> + + <p> + The AppArmor sVirt protection for QEMU virtual machines builds on + this basic level of protection, to also allow individual guests to + be protected from each other. + </p> + + <p> + In the sVirt model, if a profile is loaded for the libvirtd daemon, + then each <code>qemu:///system</code> QEMU virtual machine will run + starts. This generated profile uses a profile name based on the UUID + of the QEMU virtual machine and contains rules allowing access to + only the files it needs to run, such as its disks, pid file and log + files. Just before the QEMU virtual machine is started, the libvirtd + daemon will change into this unique profile, preventing the QEMU + process from accessing any file resources that are present in another + QEMU process or the host machine. + </p> + + <p> + The AppArmor sVirt implementation is flexible in that it allows an + administrator to customize the template file in + <code>/etc/apparmor.d/libvirt/TEMPLATE</code> for site-specific + access for all newly created QEMU virtual machines. Also, when a new + profile is generated, two files are created: + <code>/etc/apparmor.d/libvirt/libvirt-<uuid></code> and + <code>/etc/apparmor.d/libvirt/libvirt-<uuid>.files</code>. The + former can be fine-tuned by the administrator to allow custom access + for this particular QEMU virtual machine, and the latter will be + updated appropriately when required file access changes, such as when + a disk is added. This flexibility allows for situations such as + having one virtual machine in complain mode with all others in + enforce mode. + </p> + + <p> + While users can define their own AppArmor profile scheme, a typical + configuration will include a profile for <code>/usr/sbin/libvirtd</code>, + <code>/usr/bin/virt-aa-helper</code> (a helper program which the + libvirtd daemon uses instead of manipulating AppArmor directly), and + an abstraction to be included by <code>/etc/apparmor.d/libvirt/TEMPLATE</code> + (typically <code>/etc/apparmor.d/abstractions/libvirt-qemu</code>). + An example profile scheme can be found in the examples/apparmor + directory of the source distribution. + </p> + + <p> + If the sVirt security model is active, then the node capabilities + XML will include its details. If a virtual machine is currently + protected by the security model, then the guest XML will include + its assigned profile name. If enabled at compile time, the sVirt + security model will be activated if AppArmor is available on the host + OS and a profile for the libvirtd daemon is loaded when libvirtd is + started. To disable sVirt, and revert to the basic level of AppArmor + protection (host protection only), the <code>/etc/libvirt/qemu.conf</code> + file can be used to change the setting to <code>security_driver="none"</code>. + </p> + <h3><a name="securityacl">Cgroups device ACLs</a></h3> diff -Nurp ./libvirt.orig/examples/apparmor/libvirt-qemu ./libvirt/examples/apparmor/libvirt-qemu --- ./libvirt.orig/examples/apparmor/libvirt-qemu 1969-12-31 18:00:00.000000000 -0600 +++ ./libvirt/examples/apparmor/libvirt-qemu 2009-09-08 15:32:22.000000000 -0500 @@ -0,0 +1,70 @@ +# Last Modified: Wed Jul 8 09:57:41 2009 + + #include <abstractions/base> + #include <abstractions/consoles> + #include <abstractions/nameservice> + + # required for reading disk images + capability dac_override, + capability dac_read_search, + + network inet stream, + network inet6 stream, + + /dev/net/tun rw, + /dev/kvm rw, + /dev/ptmx rw, + /dev/kqemu rw, + + # WARNING: uncommenting these gives the guest direct access to host hardware. + # This is required for USB pass through but is a security risk. You have been + # warned. + #/sys/bus/usb/devices/ r, + #/sys/devices/*/*/usb[0-9]*/** r, + #/dev/bus/usb/*/[0-9]* rw, + + /usr/share/kvm/** r, + /usr/share/qemu/** r, + /usr/share/bochs/** r, + /usr/share/openbios/** r, + /usr/share/openhackware/** r, + /usr/share/proll/** r, + /usr/share/vgabios/** r, + + # the various binaries + /usr/bin/kvm rmix, + /usr/bin/qemu rmix, + /usr/bin/qemu-system-arm rmix, + /usr/bin/qemu-system-cris rmix, + /usr/bin/qemu-system-i386 rmix, + /usr/bin/qemu-system-m68k rmix, + /usr/bin/qemu-system-mips rmix, + /usr/bin/qemu-system-mips64 rmix, + /usr/bin/qemu-system-mips64el rmix, + /usr/bin/qemu-system-mipsel rmix, + /usr/bin/qemu-system-ppc rmix, + /usr/bin/qemu-system-ppc64 rmix, + /usr/bin/qemu-system-ppcemb rmix, + /usr/bin/qemu-system-sh4 rmix, + /usr/bin/qemu-system-sh4eb rmix, + /usr/bin/qemu-system-sparc rmix, + /usr/bin/qemu-system-sparc64 rmix, + /usr/bin/qemu-system-x86_64 rmix, + /usr/bin/qemu-alpha rmix, + /usr/bin/qemu-arm rmix, + /usr/bin/qemu-armeb rmix, + /usr/bin/qemu-cris rmix, + /usr/bin/qemu-i386 rmix, + /usr/bin/qemu-m68k rmix, + /usr/bin/qemu-mips rmix, + /usr/bin/qemu-mipsel rmix, + /usr/bin/qemu-ppc rmix, + /usr/bin/qemu-ppc64 rmix, + /usr/bin/qemu-ppc64abi32 rmix, + /usr/bin/qemu-sh4 rmix, + /usr/bin/qemu-sh4eb rmix, + /usr/bin/qemu-sparc rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-x86_64 rmix, diff -Nurp ./libvirt.orig/examples/apparmor/TEMPLATE ./libvirt/examples/apparmor/TEMPLATE --- ./libvirt.orig/examples/apparmor/TEMPLATE 1969-12-31 18:00:00.000000000 -0600 +++ ./libvirt/examples/apparmor/TEMPLATE 2009-09-08 15:32:22.000000000 -0500 @@ -0,0 +1,9 @@ +# +# This profile is for the domain whose UUID matches this file. +# + +#include <tunables/global> + +profile LIBVIRT_TEMPLATE { + #include <abstractions/libvirt-qemu> +} diff -Nurp ./libvirt.orig/examples/apparmor/usr.bin.virt-aa-helper ./libvirt/examples/apparmor/usr.bin.virt-aa-helper --- ./libvirt.orig/examples/apparmor/usr.bin.virt-aa-helper 1969-12-31 18:00:00.000000000 -0600 +++ ./libvirt/examples/apparmor/usr.bin.virt-aa-helper 2009-09-08 15:32:22.000000000 -0500 @@ -0,0 +1,22 @@ +# Last Modified: Mon Jul 06 17:22:37 2009 +#include <tunables/global> + +/usr/bin/virt-aa-helper { + #include <abstractions/base> + + # needed for searching directories + capability dac_override, + capability dac_read_search, + + # needed for when disk is on a network filesystem + network inet, + + deny @{PROC}/[0-9]*/mounts r, + @{PROC}/filesystems r, + + /usr/bin/virt-aa-helper mr, + /sbin/apparmor_parser Ux, + + /etc/apparmor.d/libvirt/* r, + /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, +} diff -Nurp ./libvirt.orig/examples/apparmor/usr.sbin.libvirtd ./libvirt/examples/apparmor/usr.sbin.libvirtd --- ./libvirt.orig/examples/apparmor/usr.sbin.libvirtd 1969-12-31 18:00:00.000000000 -0600 +++ ./libvirt/examples/apparmor/usr.sbin.libvirtd 2009-09-08 15:32:22.000000000 -0500 @@ -0,0 +1,39 @@ +# Last Modified: Mon Jul 6 17:23:58 2009 +#include <tunables/global> +@{LIBVIRT}="libvirt" + +/usr/sbin/libvirtd { + #include <abstractions/base> + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + + network inet stream, + + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + /** rwmkl, + + /bin/* Ux, + /sbin/* Ux, + /usr/bin/* Ux, + /usr/sbin/* Ux, + + # force the use of virt-aa-helper + audit deny /sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + /usr/bin/virt-aa-helper Pxr, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + +}
Attachment:
signature.asc
Description: Digital signature
-- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list