[PATCH 3/4] apparmor: allow expected /tmp access patterns

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Several cases were found needing /tmp, for example ceph will try to list /tmp
and the samba feature of qemu will place things in /tmp/qemu-smb.*.
This is sort of safe because:
 - While /tmp could contain anything it is not recommended to put critical
   data there anyway
 - We restrict general access to only dir listing and reading of files owned
   (intentionally not the full power of user-tmp abstraction)
 - While it would be hard to predict the PID as part of the string for the
   qemu smb feature (this is not exposed through XML so virt-aa-helper
   can't help) it is guarded by the "owner" statement and a pretty clear
   qemu-smb infix in the path.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
---
 examples/apparmor/libvirt-qemu | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 5caf14e418..c4f231b328 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -180,6 +180,16 @@
   # for rbd
   /etc/ceph/ceph.conf r,
 
+  # various functions will need /tmp (e.g. ceph), allow the base dir and a
+  # few known functions.
+  # we want to avoid to give blanket read or even write to everything under /tmp
+  # so users are expected to add site specific addons for more uncommon cases.
+  # allow only dir listing and owner based file read
+  /{,var/}tmp/ r,
+  owner /{,var/}tmp/**/ r,
+  # allow qemu smb feature specific path with write access
+  owner /tmp/qemu-smb.*/{,**} rw,
+
   # for file-posix getting limits since 9103f1ce
   /sys/devices/**/block/*/queue/max_segments r,
 
-- 
2.17.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux