This is a continuation of https://www.redhat.com/archives/libvir-list/2020-August/msg00804.html https://www.redhat.com/archives/libvir-list/2020-August/msg00922.html It still has too many weak points left, but should be great as an RFC already. virtiofsd works for me using that profile, but we need to: - agree on common paths to expect for virtiofsd - get the post pivot_root rules under control --- virtiofsd runs as root and is reachable from the guest, to limit the exploit potential this adds a apparmor subprofile to virtiofsd as spawned by libvirt to limit it. Known TODOs: - rules after pivot_root need not to allow everything - settle on common paths with the community Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> --- src/security/apparmor/libvirt-qemu | 3 ++ src/security/apparmor/usr.sbin.libvirtd.in | 46 ++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index a03e9e2c94..668fc72f27 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -221,6 +221,9 @@ unix (send, receive) type=stream addr=none peer=(label=libvirtd), unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), + # allow to connect to virtiofsd + unix (send, receive) type=stream addr=none peer=(label=libvirtd//virtiofsd), + # for gathering information about available host resources /sys/devices/system/cpu/ r, /sys/devices/system/node/ r, diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index 4518e8f865..f878398b4b 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -133,4 +133,50 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, } + + # child profile for virtiofsd helper process + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd Cx -> virtiofsd, + profile virtiofsd flags=(attach_disconnected) { + #include <abstractions/base> + #include <abstractions/libvirt-qemu> + + capability sys_admin, + capability sys_resource, + + # init phase + / r, + mount options=(rw, rslave) -> /, + umount /, + mount options=(rw, nosuid, nodev, noexec, relatime) -> @{PROC}, + owner /proc/sys/fs/file-max r, + + # For communication/control from libvirtd + unix (send, receive) type=stream addr=none peer=(label=libvirtd), + signal (receive) set=("term") peer=/usr/sbin/libvirtd, + signal (receive) set=("term") peer=libvirtd, + owner /var/lib/libvirt/qemu/domain-*/fs[0-9]{[0-9],}-fs.pid w, + /var/lib/libvirt/qemu/domain-*/fs[0-9]{[0-9],}-fs.sock rw, + /var/lib/libvirt/qemu/ram/*/ram-node[0-9]{[0-9],} rw, + + # For communication with confined and unconfined guests + unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + unix (send, receive) type=stream addr=none peer=(label=unconfined), + + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd rmix, + + # Common host paths to share from are allowed by default + # Further paths should be added as local override + # TODO - community to settle on a list of common paths to allow + owner /var/lib/libvirt/virtiofsd/*/ r, + mount options=(rw, bind) -> /var/lib/libvirt/virtiofsd/*/, + pivot_root /var/lib/libvirt/virtiofsd/*/, + + # TODO - after pivot_root the rules for the actual file access by the guest + # through virtiofsd would need to start with / which is too open + /** rw, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.lib.qemu.virtiofsd> + } + } -- 2.28.0