A new apparmor profile derived from the libvirtd profile, with non-LXC related rules removed. Adopt the libvirt-lxc abstraction to work with the new profile.

Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
---
 src/security/apparmor/libvirt-lxc          |  4 +-
 src/security/apparmor/meson.build          |  1 +
 src/security/apparmor/usr.sbin.virtlxcd.in | 89 ++++++++++++++++++++++
 3 files changed, 93 insertions(+), 1 deletion(-)

diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libvirt-lxc
index 0c8b812743..331f43fbbc 100644
--- a/src/security/apparmor/libvirt-lxc
+++ b/src/security/apparmor/libvirt-lxc
@@ -1,8 +1,10 @@
   #include <abstractions/base>
-  # Allow receiving signals from libvirtd
+  # Allow receiving signals from libvirtd and virtlxcd
   signal (receive) peer=libvirtd,
   signal (receive) peer=/usr/sbin/libvirtd,
+  signal (receive) peer=virtlxcd,
+  signal (receive) peer=/usr/sbin/virtlxcd,
   umount,
diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
index 56f308bf3a..64db8fdde6 100644
--- a/src/security/apparmor/meson.build
+++ b/src/security/apparmor/meson.build
@@ -1,6 +1,7 @@
 apparmor_gen_profiles = [
   'usr.lib.libvirt.virt-aa-helper',
   'usr.sbin.libvirtd',
+  'usr.sbin.virtlxcd',
   'usr.sbin.virtqemud',
 ]
diff --git a/src/security/apparmor/usr.sbin.virtlxcd.in b/src/security/apparmor/usr.sbin.virtlxcd.in
new file mode 100644
index 0000000000..73a87ca37a
--- /dev/null
+++ b/src/security/apparmor/usr.sbin.virtlxcd.in
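Review bot: The added `signal (receive) peer=/usr/sbin/virtlxcd,` hardcodes the daemon path, while the profile it pairs with (usr.sbin.virtlxcd.in) is attached to `@sbindir@/virtlxcd`; on a build with a non-default sbindir only the name-based `signal (receive) peer=virtlxcd,` line would match. That is presumably sufficient because the new profile is explicitly named `virtlxcd`, and the existing libvirtd pair follows the same pattern, so this is a consistency observation rather than a regression. A short comment such as `# path form covers distributions that ship an unnamed, path-attached profile` above the two new lines would make the reason for keeping both forms clear to the next reader.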
@@ -0,0 +1,89 @@
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+profile virtlxcd @sbindir@/virtlxcd flags=(attach_disconnected) {
+  #include <abstractions/base>
+  #include <abstractions/dbus>
+
+  capability kill,
+  capability net_admin,
+  capability net_raw,
+  capability setgid,
+  capability sys_admin,
+  capability sys_module,
+  capability sys_ptrace,
+  capability sys_pacct,
+  capability sys_nice,
+  capability sys_chroot,
+  capability setuid,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability chown,
+  capability setpcap,
+  capability mknod,
+  capability fsetid,
+  capability audit_write,
+  capability ipc_lock,
+  capability sys_rawio,
+  capability bpf,
+  capability perfmon,
+
+  mount options=(rw,rslave) -> /,
+
+  network inet stream,
+  network inet dgram,
+  network inet6 stream,
+  network inet6 dgram,
+  network netlink raw,
+  network packet dgram,
+  network packet raw,
+
+  ptrace (read,trace) peer=unconfined,
+  ptrace (read,trace) peer=@{profile_name},
+  ptrace (read,trace) peer=dnsmasq,
+  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+  ptrace (read,trace) peer=libvirt-*,
+
+  signal (send) peer=dnsmasq,
+  signal (send) peer=/usr/sbin/dnsmasq,
+  signal (read, send) peer=libvirt-*,
+  signal (send) set=("kill", "term") peer=unconfined,
+
+  # unconfined also required if guests run without security module
+  unix (send, receive) type=stream addr=none peer=(label=unconfined),
+
+  # required if guests run unconfined seclabel type='none' but libvirtd is confined
+  signal (read, send) peer=unconfined,
+
+  # Very lenient profile for libvirtd since we want to first focus on confining
+  # the guests. Guests will have a very restricted profile.
+  / r,
+  /** rwmkl,
+
+  /bin/* PUx,
+  /sbin/* PUx,
+  /usr/bin/* PUx,
+  @sbindir@/virtlogd pix,
+  @sbindir@/* PUx,
+  /{usr/,}lib/udev/scsi_id PUx,
+
+  # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+  # read and run an ebtables script.
+  /var/lib/libvirt/virtd* ixr,
+
+  # force the use of virt-aa-helper
+  audit deny /{usr/,}sbin/apparmor_parser rwxl,
+  audit deny /etc/apparmor.d/libvirt/** wxl,
+  audit deny /sys/kernel/security/apparmor/features rwxl,
+  audit deny /sys/kernel/security/apparmor/matching rwxl,
+  audit deny /sys/kernel/security/apparmor/.* rwxl,
+  /sys/kernel/security/apparmor/profiles r,
+  @libexecdir@/* PUxr,
+  @libexecdir@/libvirt_parthelper ix,
+  @libexecdir@/libvirt_iohelper ix,
+  /etc/libvirt/hooks/** rmix,
+
+  # allow changing to our UUID-based named profiles
+  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
-- 
2.31.1
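Review bot: Two comments copied from the libvirtd profile still name libvirtd inside the new virtlxcd profile: `# required if guests run unconfined seclabel type='none' but libvirtd is confined` and `# Very lenient profile for libvirtd since we want to first focus on confining`; both should read `virtlxcd` so a reader auditing this profile is not misled about which daemon the rule applies to. The commit message says non-LXC rules were removed, yet the nwfilter/ebtables comment above `/var/lib/libvirt/virtd* ixr,`, the dnsmasq `ptrace`/`signal` peers, and `capability perfmon,` are retained; if the LXC driver does drive these (nwfilter for container interfaces, for example), a one-line comment stating that would justify keeping them, and if it does not they are surplus permissions in a daemon profile that already grants `/ r,` and `/** rwmkl,`. Either way, documenting the intent here avoids the rules being cargo-culted into the next derived profile.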